When an organization experiences a data breach impacting 500 or more individuals in the healthcare sector, it appears on the HHS Wall of Shame.
This public exposure is not only a regulatory consequence but can carry reputational implications for healthcare organizations.
What is the wall of shame?
The Wall of Shame, officially designated as the Breach Notification Portal by the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR), is a public database established as a result of the HITECH Act, an amendment to HIPAA.
It was launched in response to the Breach Notification Rule, which mandates covered entities and their business associates to report significant breaches to relevant authorities, affected individuals, and HHS.
The Wall of Shame lists detailed information about breaches, including the name of the affected organization, the number of individuals impacted, the type and location of the breach, and other relevant details.
The portal aims to promote transparency, encourage compliance with HIPAA regulations, and serve as a tool for researchers, industry stakeholders, and the public to understand, analyze, and learn from breach trends and vulnerabilities.
See also: What is HHS’ Wall of Shame?
Impact of being listed on the Wall of Shame
Ongoing oversight and reporting obligations: Organizations listed on the Wall of Shame might be subject to ongoing reporting requirements and increased oversight from regulatory bodies, adding administrative burdens and costs.
Impact on business relationships: Partners, collaborators, and other entities might reconsider their association with an organization listed on the Wall of Shame, impacting future business.
Increased regulatory scrutiny: Being on the Wall of Shame can trigger increased regulatory scrutiny, leading to more frequent audits and assessments, which require additional resources to maintain compliance in the future.
The next steps
Appearing on the HIPAA Wall of Shame necessitates a comprehensive response encompassing legal, technical, regulatory, and communication strategies to address the breach, mitigate its effects, and prevent future occurrences.
Notification and communication: Notifying affected individuals by using a secure communication method (such as HIPAA compliant email) is a necessary step. The organization must inform them about the breach, the potentially compromised information, and the steps they can take to protect themselves.
The Breach Notification Rule: The organization must comply with HIPAA's breach notification requirements. This involves reporting the breach to the HHS OCR and other relevant authorities within the designated timeframe.
Public relations and rebuilding trust: Engaging in reputation management efforts to restore trust among patients, partners, and stakeholders by showcasing concrete actions to address the breach and prevent future occurrences.
Risk assessment and future prevention: Conduct a comprehensive risk assessment to understand the weaknesses in current security measures and develop a robust strategy to prevent future breaches. This may involve increased training, technological enhancements, and policy revisions.
Operational adjustment and business impact: Evaluating the financial and operational effects on the organization, including potential changes in business partnerships, relationships, and the allocation of resources to cover breach-related costs.
See more: HIPAA's Breach Notification Rule
Kirsten Peremore
