Most health care privacy and security compliance officials are familiar with the so-called “wall of shame,” and if they’ve been unlucky, their organizations might appear on the website run by the HHS Office for Civil Rights (OCR). Entries on the website, or portal as it is also known, are self-reported breaches that have affected 500 or more individuals.

By law, covered entities (CEs) and business associates (BAs) must submit details on breaches of this size to OCR, which uploads them to the portal. And, also by law, OCR is required to send to Congress an annual accounting on all breach reports it receives and actions taken in response, but the agency hasn’t submitted one to Congress since 2016. That document covered 2013-2014 (see http://bit.ly/2U4g3xW).

HIPAA officers likely base their knowledge of breaches on summary data OCR officials sometimes offer at conferences and meetings, but compliance officials likely haven’t had the time to study the portal entries themselves the way researchers might—the way, for example, that two pairs of university-based researchers recently did.

Their papers were in journals published by the American Medical Association, appearing within two months of each other; both dove into OCR’s portal to divine insights to the nature of breaches. Because these journals are highly read by physicians, the findings presented may reach an audience that is probably a bit HIPAA-fatigued and less receptive to the ongoing messages blasted out to them by their own medical groups or affiliated facilities.

Interestingly, all four authors are from backgrounds that might seem unlikely to generate interest in HIPAA. The newest paper, “Evaluation of Causes of Protected Health Information Breaches,” appeared in the Nov. 19 issue of JAMA Internal Medicine. In addition to their academic positions, both authors are CPAs.