Under HIPAA’s HITECH Act, the Secretary for the U.S. Health and Human Services ( HHS) must post a list of data breaches that affect 500 or more individuals. Officials and covered entities (CEs) commonly call this list the Wall of Shame. Its official name is the Breach Notification Portal. HIPAA, the Health Insurance Portability and Accountability Act of 1996, introduced standards to healthcare that protect the rights and privacy of patients and their protected health information (PHI).
RELATED: What is HIPAA? Or is it HIPAA?
CEs and their business associates (BAs) must follow HIPAA to reduce the risk of a breach and avoid HHS' Wall of Shame.
HIPAA and breach notifications
HIPAA is U.S. legislation created to improve healthcare and health coverage standards. The HHS Office for Civil Rights ( OCR) regulates and enforces the act, which consists of five sections (or titles). Most commonly associated with the act is Title II. This section establishes the security required to protect PHI, whether in paper or electronic ( ePHI) form. This includes guidelines on avoiding a breach, what happens when a breach or HIPAA violation occurs, and what happens afterward.
RELATED: What to Do After You Violate HIPAA
Since 1996, HHS has added several amendments. This includes two in 2009 that played a role in OCR’s creation of the Wall of Shame: the Breach Notification Rule and the HITECH (Health Information Technology for Economic and Clinical Health) Act. The Breach Notification Rule requires CEs to report breaches to applicable authorities, affected individuals, and HHS. CEs must report both intentional and unintentional breaches. And how you tell HHS hinges on the extent of the breach. A breach that affects fewer than 500 patients means logging the incident with HHS within 60 days of the year’s end. A breach affecting more than 500 patients means that HHS must be notified immediately. The HITECH Act promotes the adoption and meaningful use of technology as it pertains to health information and includes revisions to both violation and penalty categories. The amendment also calls for OCR to publish a summary of breaches reported by CEs and their BAs. This is what became the Wall of Shame.
What is HHS’ Wall of Shame?
The Wall of Shame started in October 2009 on OCR’s website; the agency overhauled it in 2017 for greater access and transparency. The OCR portal includes all reported CE/BA breaches from the last 24 months that affected 500 individuals or more. Those earlier are archived but still accessible through the same portal. The HITECH Act did not specify the period to post, but OCR wanted to keep everything visible. Searchable information includes the name of the organization, state of residence, CE type (healthcare plan, healthcare clearinghouse, healthcare provider, or BA), number of affected individuals, breach submission date, type of breach, and location of the breach. Additionally, the latter two are broken down into several categories:
|Type of Breach categories||Location of Breach categories|
|Hacking/IT Incident||Desktop Computer|
|Improper Disposal||Electronic Medical Record|
|Unauthorized Access/Disclosure||Network Server|
|Unknown||Other Portable Electronic Device|
It took five years (2009-2014) for the breach list to reach 1,000 CEs. Unfortunately, the portal lists 531 CEs from 2020 alone, with over 22 million affected individuals. And for 2021 thus far, 54 CEs with over 6 million affected individuals are on the Wall of Shame.
Why the Wall of Shame?
While not without controversy (i.e., the idea of publicly shaming breached CEs), the portal is necessary because the information can be used to combat data breaches. For example, Paubox publishes a HIPAA Breach Report that summarizes and analyzes the previous month’s listed breaches (e.g., February’s report) from the Wall of Shame.
RELATED: 2019 HIPAA Breach Report: A Year in Review
In other words, the data is valuable to researchers. It demonstrates whether more breaches occur due to internal errors/accidents or outside threats for example. A preponderance of insider mistakes could indicate the need for more employee awareness training, while outside threats could mean strengthening technological and access controls. Moreover, the public data demonstrates cybersecurity shortcomings within the healthcare industry and where change and updates are necessary. Finally, it can provide more evidence about threat actors and what threat vectors they commonly use to breach organizations, giving IT officials information about how to combat attacks.
Use Paubox to stay off the Wall of Shame
Email phishing became the dominant attack vector for ransomware in Q4 2020. That is why employing a HIPAA compliant email solution with inbound email security is so important. Paubox Email Suite Premium provides needed protections without the use of extra logins, passwords, or portals. In fact, our solution requires no change in email behavior. With our HITRUST CSF certified solution, all emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace). Paubox Email Suite Premium also comes with ExecProtect, which was built to combat display name spoofing emails. It also includes email data loss prevention (DLP) which blocks employees from transmitting sensitive data outside of your corporate network. Our solution provides a necessary brick wall between users and phishing emails before such attacks become a HIPAA breach worthy of the Wall of Shame.