The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced its newly improved HIPAA Breach Reporting Tool (HBRT) to much fanfare.
The new HBRT features enhanced search and navigation functions, but its main purpose is much the same as its predecessor — namely, public access to information about HIPAA breaches affecting 500 or more individuals. Its enhanced functions allow HBRT users to filter through the most recent types of breaches, where the breaches occurred, and the number of impacted individuals. The HBRT does not cover every detail leading up to an investigation, but it provides enough information about the type, source and scope of the breach to potentially impact the breaching party’s reputation as a provider or vendor.
While much of the promise of the HBRT involves improving patient-consumer awareness of HIPAA breaches and providing an easy-to-access repository of information about recent breaches for covered entities and their business associates (the same goals touted when the tool was first rolled out in 2009), perhaps the more valuable feature of the new tool is its nudge towards HIPAA compliance. Patients using the tool will be able to review breach information more easily before selecting a health care provider, and may be more inclined to trust a provider that is not on the “Current Investigations” page than one that is listed. Similarly, a potential partner/acquirer/target can now more easily discover breach information when assessing whether a provider is a good match for its strategic development or brand.
Although we are all swimming in data related to HIPAA breaches and settlements, it is important to sift through the available information and use it to enhance HIPAA compliance. The HBRT provides an up-to-date picture of HIPAA compliance for the entire health care industry, and a lot of good can come from this heightened level of transparency. The information available on the HBRT can be very useful when structuring your own HIPAA risk assessments and proactively mounting a strong offense against new types of HIPAA threats.
If you have any questions about how to use the HBRT or about HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team.