February 4, 2022: Last Day to Send GAO Feedback on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) is conducting a rapid response survey of healthcare providers and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) to gather feedback on their experiences submitting data breach reports to the Secretary of the Department of Health and Human Services (HHS). The questionnaire will remain open until 4 p.m. EST on February 4, 2022. Survey Monkey is conducting the survey, which is accessible here.

Congress asked the GAO to evaluate the number of data breach reports submitted to the HHS since 2015, and the survey seeks to identify some of the difficulties, if any, that covered entities and business associates have experienced in meeting the HHS data breach reporting requirements. The GAO will also determine what the HHS has done to address any breach reporting problems and to improve the data breach reporting process.

The Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) are distributing the survey on behalf of the GAO, and the aggregated responses will be presented to GAO.

GAO requires that each covered entity and business associate complete only one survey. GAO stated that it will not attribute particular feedback to specific individuals or companies when it produces the report, and that the only individually identifiable information sent to GAO will be the email address used in the survey, together with any individually identifiable data that respondents voluntarily give in the open-ended questions.

This is a crucial opportunity to inform the work of the GAO and to help identify the benefits of, as well as the various concerns raised over the years by hospitals and health systems that were victims of cyberattacks about, the ensuing HHS Office for Civil Rights audit and investigation process, according to John Riggi, the AHA national advisor for cybersecurity and risk.