A new breach reporting tool should be useful for HIPAA compliance, partly because it can help providers stay on top of what is currently trending in cyberattacks and other types of breaches.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched the revised web tool, saying it puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how the breaches are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for those looking for information on breaches and improved ease of use for organizations reporting incidents.

The tool also educates users on the types of breaches that are occurring, industrywide or within particular sectors, and on how breaches are commonly resolved following investigations launched by OCR. The tool is available online at: http://bit.ly/1FrWfKp.

HHS Secretary Tom Price, MD, said HHS heard from the public that it needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to the breaches. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers,” he said.

HHS OCR originally released the HBRT in 2009, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. It features public information that HIPAA covered entities report to OCR when they are involved in breaches of unsecured protected health information of 500 or more individuals. The tool includes the name of the entity, the state in which the entity is located, the number of individuals affected by the breach, the date of the breach, the type of breach (such as a hacking/IT incident, theft, loss, unauthorized access/disclosure), and the location of the breached information (such as a laptop, paper records, or desktop computer).

New features of the HBRT include enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months; a new archive that includes all older breaches and information about how breaches were resolved; and improved navigation to additional breach information.

HHS said it plans to expand and improve the site over time to add functionality and features based on feedback.

HIPAA compliance leaders should find the improved tool useful, says Jennifer R. Breuer, JD, partner with the law firm Drinker Biddle in Chicago.

“OCR has always posted the wall of shame, the list of people with breaches — so it is the same tool we’ve had before, but more useful. The tool makes it easier to find the same information that was there before if you really took the time to dig through it,” Breuer says. “You’re able now to use the search capabilities and better understand why breaches have happened.”

The most useful part of the tool might be the ability to monitor trends in HIPAA breaches, Breuer says. An individual case may not be so instructive, but a pattern could be, she says.

“It’s not so important to know that hospital A did something silly and now they’re publicly scolded, but it is important that you get a sense of how breaches are happening, the way in which your counterparts are falling prey to this problem that you’re all trying to avoid,” she says.

Seeing that one provider had trouble when an employee took a laptop home might not mean that much, but if you see that several providers had breaches in the same way over a similar period of time, you might decide it is wise to take a look at your laptop policy, she says.

“You can see how people are actually accessing data inappropriately, and though some will be ways we all know about, some of the ways are evolving over time. You can get a better sense of the phishing and other attempts from external sources who are trying to access protected data,” Breuer says. “You want to know what the risks are today, because they are changing over time.”

Breuer’s study of the data in the tool suggests there are plenty of the known human-error breach causes, but there appear to be more phishing attempts and other outside attacks.

“It’s a good reminder that both are still a threat and that you need to educate your people on the whole range of things that can result in data breaches,” Breuer says. “There can be a tendency to think that this is a well-known issue among healthcare professionals and they know about all the standard ways you can have a data breach, so you only need to talk about cyberattacks. Or it can go the other way, but the truth is revealed when the data show that both still should be subject of your education efforts.”


  • Jennifer R. Breuer, JD, Partner, Drinker Biddle, Chicago. Telephone: (312) 569-1256.