HHS Wall of Shame
A breach, as defined by the U.S. Department of Health & Human Services, is an “impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information.” An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability the protected health information was compromised. Covered entities and business associates are required to report breaches when they occur.
The HHS “Wall of Shame” exists to create awareness of how important it is for covered entities and business associates to adhere to the HIPAA Breach Notification Rule. The record offers examples of what happens when obligations under the Rule are neglected, and reminds those entities of their crucial responsibility to keep protected health information safeguarded at all times.
The organizations on the Wall of Shame are listed by the Secretary of HHS. Under the HITECH Act, the Secretary is required to post an updated list of breaches of unsecured protected health information affecting 500 or more individuals. For each entry the list discloses the name and state of the covered entity that suffered the breach, the entity type, the number of individuals affected, the date and type of breach, and the location of the breached information (for example, a network server, email, or a laptop).
Avoid finding your organization on the Wall of Shame by:
- Having a comprehensive risk management program
- Having complete policies and procedures that are documented and followed
- Implementing proper training for all employees on privacy, security, and organizational documentation
- Ensuring that all business associates and third parties are covered by the proper agreements
- Reviewing all documentation regularly
- Implementing contingency planning that is documented and tested
- Verifying disaster recovery is documented and tested
- Confirming proper cybersecurity controls have been evaluated and implemented