GAO Data Breach Reporting Survey

Richard P. Kusserow | February 2022

In response to a congressional request, the Government Accountability Office (GAO) launched a survey of health care entities and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA), focusing on the Department of Health and Human Services’ (HHS’s) data breach reporting requirements. The survey was reportedly designed to obtain information on the number of breaches reported to the HHS Office for Civil Rights since 2015, any challenges these covered entities experienced in meeting reporting requirements, and what efforts HHS has made to address them and improve the data breach reporting process.

The Health Information Sharing and Analysis Center (H-ISAC), Health Sector Coordinating Council (HSCC), and American Hospital Association (AHA) agreed to distribute the survey on GAO’s behalf. GAO stated that responses would be aggregated and that it would not attribute comments to specific individuals or organizations in its report. The only individually identifiable information about respondents would be the respondent’s email address, if they voluntarily chose to share it, or any identifiable information provided in response to open-ended questions. In addition, responses would be securely stored in accredited data centers that adhere to security and technical best practices.

GAO extended the original survey response deadline to February 11, 2021. There is no indication as to when the results will be reported.

For more information on this blog topic, contact Richard Kusserow.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring as the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing, and assessing compliance programs.