HHS needs to improve the effectiveness of its HIPAA breach reporting process and should establish a feedback mechanism to improve it, a report from the U.S. Government Accountability Office (GAO) concluded. In response, HHS said it would take two steps to facilitate better communications between the Office for Civil Rights (OCR) and HIPAA-covered organizations reporting breaches.
“OCR is charged with implementing and enforcing the HIPAA Privacy, Security and Breach Notification Rules, including the development and management of the breach reporting process,” said the GAO report, issued June 27. “However, OCR does not have a method for covered entities to provide feedback on the breach reporting process, nor did the office indicate that it had plans to develop one.”
Without a clear mechanism to provide feedback to OCR, covered entities and business associates can face challenges during the breach reporting process, the report said. In addition, soliciting feedback “could help OCR improve aspects of the process,” according to the report.