HIPAA Accountability in Stimulus Bill
On page 379 of the current stimulus bill, there’s a bit about establishing a website of companies that lost patient information:
(4) POSTING ON HHS PUBLIC WEBSITE—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
I’m not sure if this passage survived the final bill, but it will be interesting if it is now law.
Chris • February 18, 2009 1:13 PM
This is something that various researchers and policy wonks have been asking for for some time. I don’t know the legislative history on this, but perhaps Obama’s Regulatory Czar (Cass Sunstein) had something to do with this transparency initiative, as it is consistent with his general approach.
A few states require central reporting of breaches related to non-public personal information. Sometimes, states make breach reports available on government web sites, even where central reporting is not mandated.
As part of a project to make this type of information easily and widely available, the folks at the Open Security Foundation have set up a pretty spiffy web site which your readers might find useful:
http://datalossdb.org/
There’s a sizable (and growing) section devoted to the actual notification letters and other documents associated with various breaches as well:
http://datalossdb.org/primary_sources/