How to Avoid the HHS Breach Portal (Wall of Shame)


Known to some as the “Wall of Shame” or the HHS Breach Portal, the Health and Human Services page featuring failures to protect Protected Health Information (PHI and ePHI) in a HIPAA-compliant manner is one kind of web publicity no health care provider or organization wants.

1500 HHS Breach Portal Reports (And Counting)

As of the end of April 2016, there were more than 1,500 reports. There are 20 from April 2016 alone.

The HITECH Act requires breaches of unsecured protected health information affecting 500 or more individuals to be posted. Types of breaches include:

  • Hacking/IT Incident
  • Improper Disposal
  • Loss
  • Theft
  • Unauthorized Access/Disclosure

The most common causes of a breach so serious it requires notification to HHS include:

  • Theft of desktop computers or network servers
  • Theft or loss of laptops or portable electronic devices
  • Hacking incidents

Those are the sorts of electronic and device issues you might expect, but there can be non-electronic problems as well (think dumpster-diving as a result of “improper disposal”):

  • Failing to properly secure or destroy paper printouts
  • Failing to properly secure or destroy films (x-rays, etc.)

Actions To Take To Stay OFF the HHS Breach Portal

This Basic Security Checklist for the Small Healthcare Practice can provide sound advice on how to prevent problems. Many of the “best practices” are obvious (use strong passwords and change them often, use anti-virus protection, use a firewall…), but others involve relatively new issues. Foremost among those is the need to protect mobile devices that either contain ePHI or provide a means of accessing a server or EMR. Laptops are easy to lose, smartphones even more so.

The My Docs Online HIPAA page tells you what we do to protect ePHI, and includes guidelines for the correct use of My Docs Online by medical professionals.

Remember, the HIPAA Security Rule is not just about computers and networks. The rule specifies a series of administrative and physical, as well as technical, safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.



Securely Share Electronic PHI Without an EMR


Electronic Protected Health Information (ePHI) refers to any Protected Health Information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations. ePHI is simply PHI that is produced, saved, transferred or received in an electronic form.

Sharing PHI Outside of an EMR

Despite the rising use of Electronic Medical Records (EMR) technology within many medical practices, medical providers still need to be able to securely share documents that contain Protected Health Information with recipients outside their EMR.

A doctor or other medical professional might need to include PHI in a document sent for purposes of a referral. A doctor might be providing a second opinion, or sending the results of a specialist’s exam.

Some providers also routinely communicate with insurance companies or lawyers as part of accident or workers’ compensation cases.

PHI Recipients Hard to Predict in Advance

It’s hard to predict in advance who you will need to share PHI-containing documents with. Such sharing of PHI with a recipient might happen infrequently. You might only need to share documents with a particular recipient (more…)