The Health and Human Services Department will use the information it collects about health data breaches both to inform the public about major privacy and security violations and to support its investigations of those incidents.
The Office for Civil Rights, the HHS agency that oversees health privacy, has already begun posting on its Web site a list of healthcare providers and health plans that have experienced large data breaches.
The HITECH Act added breach notification to the privacy protections already established under HIPAA. OCR said it collects and stores information from providers and health plans about breaches of unsecured protected health information, and that it must be careful how it uses that information so as not to expose personal health data to unnecessary disclosure.
Besides notifying the individuals whose information was involved in a breach, providers and plans must promptly report incidents affecting 500 or more individuals to HHS. Breaches affecting fewer than 500 individuals must be logged and reported to HHS once a year by entities covered by the Health Insurance Portability and Accountability Act.
OCR may share information about breaches with another agency or federal contractor that is responding to a breach incident or with other public and private organizations that perform compliance reviews or investigate incidents, according to an announcement.
HHS also provides an annual accounting of data breaches to Congress.
OCR manages and stores the data breach and other compliance information in its Program Information Management System, which includes records containing individual names, Social Security numbers and tax identification numbers.
OCR explained how it intends to use the data breach information in a notice published April 13 in the Federal Register. Such a notice is required under the Privacy Act whenever a federal agency maintains a system of records containing personal information about individuals.
OCR said it "discloses the minimum personal data necessary" to administer breach reporting, and that it takes "precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other individual rights," according to the notice.