February 11, 2022: Deadline for GAO Quick Response Survey on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) just introduced a quick response survey involving healthcare providers and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) to get responses about their experiences in sending data breach reports to the Secretary of the Department of Health and Human Services (HHS). The set of questions was at first due to stay available until 4 p.m. EST on Friday, February 4, 2022., however, the deadline is prolonged by one week until February 11, 2022. The survey is being done using Survey Monkey and is accessible on this link https://www.surveymonkey.com/r/GBFQGTP.

Congress asked the GAO to examine the volume of data breach reports submitted to the HHS starting 2015, and the survey wishes to determine the problems if any, encountered by covered entities and business associates while complying with the requirements of the data breach reporting to the HHS. The GAO will additionally find out what the HHS has done to deal with any breach reporting problems and enhance the process of data breach reporting.

Health-ISAC, the American Hospital Association (AHA), and the Health Sector Coordinating Council (HSCC) are distributing the survey on behalf of the GAO. Survey responses will be aggregated before giving them to GAO.

GAO has asked for just one survey to be filled up by every covered entity and business associate. GAO mentioned it won’t attribute particular responses to certain individuals and/or companies when it generates the report, and there is just one individually identifiable information that will be handed to GAO, which is the email address given in the survey together with any individually identifiable information given by the respondents voluntarily in answering open-ended questions.

According to John Riggi, the national advisor for cybersecurity and risk of the AHA, this quick survey is necessary for GAO to do its work and help determine the positive aspects of the HHS Office for Civil Rights audit and investigation procedure, along with the numerous matters of concern stated through the years by victims of cyberattacks on hospitals and health system.