GAO Seeks Feedback on Healthcare Data Breach Reporting

The Government Accountability Office (GAO) is seeking feedback from HIPAA-covered entities on the healthcare data breach reporting process.

By Jill McKeon

UPDATE 2/7/22 - GAO extended the survey deadline to February 11.

The Government Accountability Office (GAO) is asking HIPAA-covered entities for feedback on the healthcare data breach reporting process. The rapid response survey is available via SurveyMonkey and responses will be collected until 4 pm ET on Friday, February 4.

GAO enlisted the help of the American Hospital Association (AHA), Health-ISAC, and the Health Sector Coordinating Council (HSCC) to distribute the survey.

The survey stems from Congress’ request that GAO review the number of data breaches that covered entities have reported to HHS since 2015.

“In part, GAO is seeking to answer what challenges related to HHS’s data breach reporting requirements, if any, have covered entities reported and what efforts has HHS taken to address them,” the survey introduction stated.

GAO is requesting only one survey submission from each covered entity or business associate. Email addresses will be the only individually identifiable information requested if participants choose to share that information.

The HIPAA Breach Notification Rule requires covered entities and business associates to notify HHS of a data breach of unsecured protected health information (PHI). If the breach impacted more than 500 individuals, the covered entity must notify HHS no later than 60 days following the breach. If it impacted fewer than 500 individuals, covered entities may report breaches on an annual basis.

All breaches impacting more than 500 people are listed on the Office for Civil Rights (OCR) data breach portal.

Covered entities and business associates are also required to notify impacted individuals no later than 60 days after the breach. If the entity cannot find contact information for more than 10 impacted individuals, it must post a notice on its website for at least 90 days. In addition, breaches impacting more than 500 people must be reported to local media outlets.

GAO is seeking information about whether respondents have been in contact with HHS OCR on matters relating to data breach reporting in the past and how efficient and effective the process was. The survey also asks covered entities about their experiences with HHS regarding security program assessments and implementation since the amendment of the HITECH Act.

Respondents will also be asked on a scale of “not at all helpful” to “extremely helpful” how effective OCR’s outreach efforts and training materials for small covered entities were.

“This is an important opportunity to inform the work of the GAO and help identify the benefits of, along with the many issues of concern expressed over the years by hospitals and health system victims of cyberattacks, regarding the ensuing HHS Office for Civil Rights audit and investigation process,” John Riggi, AHA national advisor for cybersecurity and risk, said in an AHA press release regarding the survey.

GAO assured respondents that survey results will be stored in SurveyMonkey’s SOC 2 accredited data centers and transmitted over a secure HTTPS connection.