To report or not to report health care data breaches.

Abstract

The study's objectives were to explore the impact of personal/organizational knowledge, prior breach status of organizations, and framed scenarios on the choices made by privacy officers regarding the decision to report a breach. A survey was completed of 123 privacy officers who are members of the American Health Information Management Association (AHIMA). The study used primary data collection through a survey. Individuals listed as privacy officers within the AHIMA were the target audience for the survey. Descriptive statistics, logistic regression, and predicted probabilities were used to analyze the data collected. The percentage of privacy officers who chose to report a breach to the Office for Civil Rights varied by scenario: scenario 1 (general with little information), 39%; scenario 2 (4-factor risk assessment, paper records), 73.2%; scenario 3 (4-factor risk assessment, ransomware case), 91.9%. Several factors affected the response to each scenario. In scenario 1, privacy officers with a Certified in Healthcare Privacy and Security (CHPS) credential were less likely to report; those who previously reported a prior breach were more likely to report. In scenario 2, privacy officers with a bachelor's degree or graduate education were less likely to report; those who held the CHPS or coding credential were less likely to report. Study findings show there are gray areas where privacy officers make their own decisions, and there is a difference in the types of decisions they are making on a day-to-day basis. Future guidance and policies need to address these gaps and can use the insight provided by the results of this study.