Note: The title and substance of this blog entry have been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES - REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You've been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I've seen a number of sites, like yours, misled by the unannounced move and I've tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously brought to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”).

The HITECH Act requires covered entities to notify, among others, Kathleen Sebelius, Secretary (the “Secretary”) of the U.S. Department of Health and Human Services (“HHS”), of a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .”

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the “List”) was changed by HHS with no apparent notice in July 2010 and has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis.

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

  1. keep the Old URL, while prominently placing on the old URL information about the change to the New URL;
  2. close the Old URL and automatically redirect visitors to the New URL; and/or
  3. issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouraging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily mandated HITECH responsibilities.