Summary

Reference page for the HHS Office for Civil Rights HIPAA Breach Portal — the federal database where HIPAA-covered entities must report breaches of unsecured protected health information affecting 500 or more individuals. The raw file contains only the portal’s introductory explanation of OCR’s review and response process, not any specific breach data.

Key Points

  • When OCR receives a breach report, it reviews the report to determine whether it has legal authority to investigate.
  • Regulated entities that must report: HIPAA covered entities, business associates, Part 2 programs (substance use disorder records), and qualified service organizations.
  • OCR may: provide technical assistance, refer to another agency, investigate, or close without further investigation.
  • This portal is the public accountability mechanism for large health data breaches in the US.

Newsletter Angles

  • The portal’s existence — and the frequency of entries — is itself a data point: HIPAA breaches are common enough to require a standing public database. The scale of health data insecurity in the US health system is structural, not exceptional.
  • Useful context for the BetterHelp story: BetterHelp’s conduct was not a HIPAA violation (it is not a HIPAA-covered entity in the traditional sense), which is why the FTC rather than HHS OCR took action. The gap between what HIPAA covers and what commercial health apps do is the regulatory hole.

Entities Mentioned

  • HHS — Department of Health and Human Services; administers the portal
  • BetterHelp — relevant context: BetterHelp’s data sharing was regulated by the FTC, not HHS/HIPAA

Concepts Mentioned

Quotes

“OCR may act on a breach report if a regulated entity… experienced a breach of unsecured protected health information.”

Notes

Very thin raw file — only the portal’s procedural description, no breach data. Primary value is as a reference point for the regulatory gap story (HIPAA vs. commercial health apps). The BetterHelp FTC action was specifically notable because BetterHelp is not a HIPAA covered entity, which is why HHS/OCR couldn’t act — the FTC had to use its Section 5 deceptive practices authority instead.