HHS Updates HIPAA Data Breach Reporting Portal
The second round of HIPAA compliance audits – originally penciled for October 2014 – were delayed due to the implementation of the new web portal. The update signals that the Office for Civil Rights is making good progress, and that it will soon be in a position to start sending pre-audit surveys and commence Phase 2 of its HIPAA compliance audit program.
HIPAA Breach Report Portal Changes
The previous web portal consisted of a single page for filing reports, while the new Java-based wizard takes the user through a multi-step complaint/breach reporting process. Each step must be completed before progressing to the next section. The new wizard makes it more straightforward to file reports, although initially it may prove to be more time consuming for users to file reports.
When filing breach reports or making HIPAA Privacy complaints, the user is routed through a series of specific questions with the answer to each determining the next step in the reporting process. Each step of the way the user will be prompted to supply the information the OCR requires.
The new system gives the OCR more flexibility to ask the questions it wants answered, and allows it to highly tailor the information it collects on each organization. Business Associates, for example, can be asked different questions to healthcare providers and different types of breaches will be able to be treated separately.
The previous breach reporting system contained a number of mandatory and optional fields, and these have been changed in the new web portal. More emphasis has been placed on the actions taken after the breach, with less detail required on the privacy and security controls in place when the breach occurred.
It is now mandatory to stipulate a breach end date and breach discovery end date when submitting a breach report, except in cases such as lost or stolen devices containing unencrypted PHI, where there may not be an end date.
With the 2014 breach reporting deadline looming, all covered entities yet to submit their breach reports for 2014 should take a few minutes to familiarize themselves with the new wizard and should become acquainted with the changes that have been introduced (as detailed below).
Breach reporting procedures should also be updated to take the new level of detail into account, to ensure all the required information is contained in HIPAA data breach logs.
Safeguards in Place Prior to the Breach
Previously, users were required to report the security measures in place prior to a security breach in detail. The options were technical in nature and included Firewalls, Router-Based Packet Filtering, Encrypted Wireless, Anti-Virus Software, Physical Security, Secure Browsers, Strong Authentication and Intrusion Detection measures.
The new system only required general information to be provided. The new options for “Safeguards in place prior to the breach” are Privacy Rule Safeguards (Training, Policies and Procedures, etc.), Security Rule Administrative Safeguards (Risk Analysis, Risk Management, etc.), Security Rule Physical Safeguards (Facility Access Controls, Workstation Security, etc.), Security Rule Technical Safeguards (Access Controls, Transmission Security, etc.) or None. Should a breach raise a flag and trigger a desk audit or site visit, the actions taken prior to a breach to secure Protected Health Data would be assessed in greater detail by OCR staff.
Actions Taken in Response to Breach
The reverse is the case for “Actions taken in response to breach”, which previously required answers of a more general nature, and have now been made more specific. The OCR wants to know that all appropriate measures have been taken following a security breach and risks have been effectively managed.
Instead of general options such as Security and/or Privacy Safeguards, Mitigation, Sanctions and Policies and Procedures, the breach report has 15 different options to choose from:
- Adopted encryption technologies
- Changed password / strengthened password requirements
- Created a new/updated Security Rule Risk Management Plan
- Implemented new technical safeguards
- Implemented periodic technical and nontechnical evaluations
- Improved physical security
- Performed a new/updated Security Rule Risk Analysis
- Provided business associate with additional training on HIPAA requirements
- Provided individuals with free credit monitoring
- Revised business associate contracts
- Revised policies and procedures
- Sanctioned workforce members involved (including termination)
- Took steps to mitigate harm
- Trained or retrained workforce members
- Other (which, if selected, requires additional narrative explanation)
This suggests that the OCR is gearing up to take much closer interest in small scale breaches in the near future. The additional details obtained on data breaches will allow the OCR to assess whether the necessary physical, technical and administrative safeguards have been put in place to prevent further breaches. It will also make it easier for it to select organizations for full compliance audits.
What the New System Means For HIPAA-Covered Organizations
The administrative burden at the OCR is considerable; both in assessing complaints made via its portal and collecting and analyzing documents for its compliance audits. By streamlining data collection, the OCR will be able to investigate potential HIPAA violations much more rapidly and identify the organizations most in need of further investigation.
As with any organization operating under budget constraints, the OCR is limited by the resources it has available. This inevitably has an impact on the number of audits it can conduct and the speed at which it can respond to privacy complaints.
The 2016 budget proposal earmarks more funding for the OCR to help it fund its permanent audit program. That funding is far from guaranteed, so by improving efficiency at dealing with complaints and responding to breach reports, it will be able to do more with the resources it has available. As the OCR improves efficiency and more resources are freed, budget increases or not, the OCR is likely to be able to conduct more frequent and detailed audits.