In 2009, HIPAA was amended by the HITECH Act. The HITECH Act requires the Secretary of the Department of Health and Human Services to post, on its website, a list of breaches of unsecured protected health information affecting 500 or more individuals. The website is known as the Office for Civil Rights (OCR) portal. The breach list has an unwelcome nickname in the healthcare compliance industry: The HIPAA Wall of Shame.
What Information is Put on the HIPAA Wall of Shame?
When a breach that has affected 500 individuals or more is reported to OCR, OCR documents the incident and places the details of the breach on the HIPAA Wall of Shame. The HIPAA Wall of Shame displays all breaches currently under investigation within the last 24 months. This means that any breach that is submitted will remain on the HIPAA Wall of Shame for two whole years.
The HIPAA Wall of Shame lists breaches by date of submission. For each breach, the following information is provided:
- The name and type of the covered entity (e.g., healthcare provider or business associate);
- The covered entity or business associate’s state (e.g., New York, California);
- How many individuals were affected by the breach;
- When the breach was reported;
- The type of breach (e.g., hacking, theft); and
- The location of the breached information (e.g., email, paper, network server).
Older breaches – those not currently under investigation within the last 24 months – are archived and can be publicly viewed. The archive includes breach reports more than 24 months old, as well as all breaches reported since 2009 for which investigations have been resolved. Between the “current” listing and the archive, the database includes all data breaches reported since 2009.
Using the “Show Advanced Options” link on the homepage, a user can search the HIPAA Wall of Shame database by submission date; type of breach; location of breach; type of covered entity; state; and name of the covered entity or business associate.
Why is There a HIPAA Wall of Shame?
The reason behind the publication of breach information is to inform the public of data breaches and to provide some detail on what took place. The HITECH Act simply requires the information to be published; it does not require that a covered entity remain on the list for a specific amount of time. HHS has chosen the period of 24 months, and may increase or decrease that period.
Any decision to stop publishing breach summaries on the website would require action by Congress. The HIPAA Wall of Shame has proven controversial. Some members of Congress believe the HIPAA Wall of Shame merely brings organizations long-term embarrassment, while ignoring the corrective, good-faith efforts these organizations make to improve their cybersecurity after a breach. Some privacy advocates believe the HIPAA Wall of Shame does not contain enough detail about breaches, and that breaches should stay on the HIPAA Wall of Shame for longer than 24 months.