[BreachExchange] HHS is considering changes to OCR’s 'wall of shame'—and experts are divided on the impact

Destry Winant destry at riskbasedsecurity.com
Thu Jun 15 01:14:35 EDT 2017


http://www.fiercehealthcare.com/regulatory/hhs-ocr-wall-shame-breach-portal-data-breach-cybersecurity-hitech-act

The Department of Health and Human Services is exploring potential
changes to the agency’s “wall of shame,” a legislatively mandated
website that tracks healthcare data breaches dating back to 2009.

During a hearing addressing cybersecurity concerns in healthcare last
week, Leo Scanlon, deputy chief information security officer at HHS,
told Rep. Michael Burgess (R-Texas) that Secretary Tom Price is
reassessing the website overseen by the Office for Civil Rights.
Burgess criticized the portal—commonly known as the “wall of
shame”—during an April subcommittee hearing, arguing the website was
unnecessarily punitive.

“We heard you loud and clear at that hearing and we took that matter
back to the Secretary,” Scanlon said, noting that any modifications
could be addressed within the agency. “He has taken it very seriously
and is working on an effort to address the concerns you raised.”

Burgess is worried the public display is unfair to providers and
payers that are attacked through no fault of their own. He also
questioned whether the website and the looming threat of an OCR
investigation impede threat sharing, an issue HHS plans to address
through its new Healthcare Cybersecurity Communications Integration
Center (HCCIC).

“I am supportive of efforts to protect patient information,” Burgess
said in a statement to FierceHealthcare. “However, I remain concerned
by OCR’s usage of the Breach Portal and the public exposure of
victims. I am interested in pursuing solutions that hold hospital
systems accountable for maintaining patient privacy without defaming
systems that may fall victim to large-scale ransomware attacks, such
as WannaCry.”

However, HHS is limited in the changes it can make to the portal
without help from Congress. Under the 2009 HITECH Act, the agency is
required to post healthcare data breaches to a website accessible to
the public.

But HHS has some leeway in how it manages the breach portal.
Modifications to the portal could place limits on the amount of time
an entity is listed on the website—one of the few changes the agency
could make without congressional intervention.

“They could make it six months if they wanted to,” said Marcy Wilder,
a partner at Hogan Lovells in the District of Columbia and the former
deputy counsel at HHS. “I think the agency has significant discretion
on what they post and for how long.”

A spokesperson for OCR declined to answer specific questions about
what changes it's considering or whether the agency will put time
limits on the website, but a statement by OCR Director Roger Severino
acknowledged the agency is evaluating its options.

“The website provides an important source of information to the
public, but we recognize that the format has become stale and can and
should be improved,” Severino said. “OCR will continue to evaluate the
best options for communicating this information as we meet statutory
obligations, educate the regulated community (and the public) on
lessons learned, and highlight actions taken in response.”

Privacy attorneys are split on what impact changes might have. Wilder
argued she “doesn’t see the value of providing information going back
to 2009,” adding that the agency needs to balance compliance and
enforcement with threat sharing.

Among healthcare organizations, there is a fear that sharing
information about cyberthreats will lead to an investigation and
potential fines from OCR, according to Leslie Krigstein, vice
president of congressional affairs at the College of Healthcare
Information Management Executives (CHIME).

“Ultimately, you’re potentially sharing this information with the
department that regulates you,” she said.

But Lucia Savage, chief privacy and regulatory officer at Omada
Health, a digital therapeutics company that focuses on chronic
disease, and the former chief privacy officer at the Office of the
National Coordinator for Health IT, said HHS is “extremely cognizant”
that threat reporting doesn’t trigger subsequent investigations. She
added that she wasn’t aware of an instance in which an entity reported
a cyberthreat to HHS and was audited by OCR as a result.

In guidance issued last year, the OCR indicated the government
considers ransomware a data breach, which would require the entity to
notify patients, the HHS secretary and the news media. However, a
checklist (PDF) issued earlier this month specified that OCR doesn’t
receive reports of cyberthreat indicators from HHS.

“My experience [is that people at HHS] are extremely conscious about
that,” she said.

Leon Rodriguez, a partner at Seyfarth Shaw LLP who served as the OCR’s
director from 2011 to 2014, acknowledged it wouldn’t be “a disaster”
to limit the length of time an entity is listed on the breach portal
website, but he questioned whether changes would undermine the
portal’s objectives—to inform the public and understand why a data
breach occurred.

“I don’t see where the world’s come to an end because of the way it’s
been done so far,” he said.
