OCR sets rules for sharing HIPAA breach information

The HHS Office for Civil Rights, which is responsible for enforcing HIPAA privacy regulations, has detailed six new "routine uses" for reports of breaches of protected health information.

In a notice published Tuesday in the Federal Register, OCR spells out the ways in which it will use breach information reported via a computer system called the Program Information Management System. The American Recovery and Reinvestment Act tightens HIPAA regulations by requiring healthcare organizations to report breaches that may cause direct harm to the affected patients.

OCR says it will:

  • Post information online of any breaches involving at least 500 individuals;
  • Make an annual report to Congress about the number and type of reported breaches, and the agency's response to each;
  • Disclose data to help with technical assistance, training and guidance for HIPAA compliance;
  • Share information with other federal agencies and contractors in the course of responding to breaches;
  • Disclose information to third parties to investigate breaches and to conduct compliance reviews; and
  • Publicly report the results of investigations and compliance reviews.

In each case, OCR would disclose only the "minimum personal data necessary" for each purpose and would have to determine that a disclosure would not violate the privacy of any individual.

For more details:
- have a look at this Health Data Management story
- read the OCR notice in the Federal Register