What Is the OCR Wall of Shame?

The OCR Wall of Shame refers to the HHS Breach Portal, a public database managed by the HHS Office for Civil Rights (OCR). It lists breaches of protected health information (PHI) that affect 500 or more individuals, as required by the HIPAA Breach Notification Rule and the HITECH Act.

Why Does the Wall of Shame Exist?

The OCR Wall of Shame promotes transparency, informs the public, and supports regulatory enforcement. It contains a searchable log of reported breaches submitted by covered entities and business associates. 

It fulfills several specific regulatory purposes, including:

  • Alerting the public to potential breaches of unsecured protected health information (PHI)
  • Holding covered entities and business associates publicly accountable for data security
  • Enabling the Office for Civil Rights (OCR) to track breach trends and identify repeat offenders
  • Supporting enforcement actions, including investigations and penalties

The legal basis for the portal is the HIPAA Breach Notification Rule (45 CFR §§164.400–414). This rule requires covered entities and business associates to notify affected individuals, the Secretary of HHS, and the media when a breach affects more than 500 individuals.

What Information Is On the Wall of Shame?

The HHS Breach Portal displays breach data with structured fields that make the nature and scope of each breach publicly visible. 

Below is a breakdown of each field and what it represents:

  1. Name of Covered Entity: The legal name of the healthcare provider, health plan, or business associate that reported the breach.
  2. State: The U.S. state or territory where the covered entity is located.
  3. Covered Entity Type: Classification of the reporting organization (e.g., healthcare provider, health plan, business associate).
  4. Individuals Affected: The total number of individuals with protected health information (PHI) exposed by the breach.
  5. Breach Submission Date: The date the Office for Civil Rights (OCR) received the breach report.
  6. Type of Breach: The general cause of the breach (e.g., hacking/IT incident, unauthorized access, loss, theft, improper disposal).
  7. Location of Breached Information: Where the PHI was stored or accessed at the time of the breach (e.g., email, network server, paper records, portable device).

All of this information is publicly available and indexed by search engines. Once listed, a breach remains in the database indefinitely. 

What Constitutes a HIPAA Data Breach?

Under the HIPAA Breach Notification Rule, HHS defines a data breach as, “The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E which compromises the security or privacy of the PHI.” 

This applies to both paper and electronic PHI. Common examples of reportable HIPAA breaches include:

A lost or stolen laptop, tablet, or USB drive that contains unencrypted PHI. For example, the University of Texas MD Anderson Cancer Center faced a $4,348,000 settlement after the theft of an unencrypted laptop and 2 USB drives breached the ePHI of 33,500+ individuals.

Improper disposal of paper records containing patient data without shredding or secure destruction. For example, when Parkview Health System staff left 71 cardboard boxes of 5,000-8,000 medical records in a doctor’s driveway, they faced an $800,000 settlement.

A phishing attack that results in unauthorized access to employee email accounts with PHI. For example, a Solara Medical Supplies email incident led to a $3 million settlement for a data breach impacting 114,007 individuals.


A breach is presumed to have occurred unless the covered entity or business associate can demonstrate, through a four-factor risk assessment, that there is a low probability the PHI was compromised:

  1. The nature and extent of the PHI involved, including the type of identifiers and the likelihood the data could be misused
  2. The identity of the unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed, or if it was only exposed
  4. The extent to which the risk has been mitigated, such as through secure deletion or recipient verification

The entity must document and retain this risk assessment as part of its compliance records.

HIPAA Breach Reporting Requirements

HIPAA requires covered entities and business associates to follow specific timelines and notification procedures when a breach of protected health information (PHI) occurs. The process depends on how many individuals the breach impacted.

For breaches affecting 500 or more individuals, federal law mandates immediate and transparent reporting. The report must include a detailed account of the incident, the data involved, mitigation efforts, and contact information.

Organizations must:

  • Notify the U.S. Department of Health and Human Services (HHS) via the OCR breach portal within 60 calendar days of discovering the breach
  • Notify all affected individuals without unreasonable delay, typically through first-class mail or secure electronic communication
  • Post a notice on the organization’s website if contact information for ten or more individuals is outdated or unavailable
  • Notify local or regional media outlets if the breach affects more than 500 residents of a single state or jurisdiction, as outlined in 45 CFR §164.406

Failure to meet these deadlines can result in separate HIPAA violations and civil monetary penalties.

For breaches affecting fewer than 500 individuals, organizations must maintain a log of each breach incident throughout the year and submit a consolidated report to HHS within 60 days after the end of the calendar year.

These smaller breaches are not on the OCR Wall of Shame, but they’re still subject to review and enforcement.
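As an added illustration that is not part of the original article, the Python below encodes the reporting thresholds and timelines described above and applies them to a constructed breach; the `Breach` class and `notification_plan` function are assumptions for this example, not a ChartRequest feature.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated in the article (HIPAA Breach Notification Rule, 45 CFR §§164.400-414).
PORTAL_THRESHOLD = 500        # 500 or more individuals: report to HHS within 60 days; listed on the portal
MEDIA_STATE_THRESHOLD = 500   # more than 500 residents of one state: notify media (45 CFR §164.406)
SUBSTITUTE_NOTICE_MIN = 10    # ten or more individuals with stale contact info: post a website notice
REPORT_WINDOW_DAYS = 60

@dataclass
class Breach:
    discovered: date
    affected_by_state: dict      # state code -> individuals affected (constructed sample input)
    unreachable: int = 0         # individuals whose contact information is outdated or unavailable

def notification_plan(b: Breach) -> dict:
    """Return the notifications the rule requires for this breach and the HHS reporting deadline."""
    total = sum(b.affected_by_state.values())
    actions = []
    if total >= PORTAL_THRESHOLD:
        # Large breach: individual report to HHS within 60 calendar days of discovery.
        hhs_deadline = b.discovered + timedelta(days=REPORT_WINDOW_DAYS)
        actions.append("report to HHS via OCR breach portal")
        actions.append("notify affected individuals without unreasonable delay")
        if b.unreachable >= SUBSTITUTE_NOTICE_MIN:
            actions.append("post substitute notice on website")
        media_states = sorted(s for s, n in b.affected_by_state.items() if n > MEDIA_STATE_THRESHOLD)
        if media_states:
            actions.append("notify media in: " + ", ".join(media_states))
    else:
        # Small breach: log it now; the consolidated annual report is due 60 days after year end.
        year_end = date(b.discovered.year, 12, 31)
        hhs_deadline = year_end + timedelta(days=REPORT_WINDOW_DAYS)
        media_states = []
        actions.append("record in internal breach log")
        actions.append("include in consolidated annual report to HHS")
        actions.append("notify affected individuals without unreasonable delay")
    return {"total": total, "on_portal": total >= PORTAL_THRESHOLD,
            "hhs_deadline": hhs_deadline, "media_states": media_states, "actions": actions}

if __name__ == "__main__":
    # Constructed example: stolen unencrypted laptop, discovered 15 March 2024.
    sample = Breach(date(2024, 3, 15), {"TX": 620, "OK": 40}, unreachable=12)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

Note that a breach of exactly 500 individuals in one state is listed on the portal but does not trigger the media notice, which requires more than 500 residents of that state.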

Financial Risk of HIPAA Violations

OCR imposes civil penalties using a four-tier structure based on the organization’s level of culpability. 

Originally, fines ranged from a minimum of $100 per violation for lack of awareness to $50,000 per violation for willful neglect. The maximum penalty for a single violation category was $1.5 million per calendar year.

Since 2016, OCR has adjusted these fines for inflation. As of December 2024, the maximum adjusted financial penalties are: 

No Knowledge (Tier 1): The entity was unaware of the violation and could not have reasonably avoided it.

  • Minimum Penalty: $141
  • Maximum Penalty (per violation): $35,581
  • Annual Cap (per tier): $35,581

Reasonable Cause (Tier 2): The violation was due to reasonable cause and not willful neglect.

  • Minimum Penalty: $1,424
  • Maximum Penalty (per violation): $71,162
  • Annual Cap (per tier): $142,355

Corrected Willful Neglect (Tier 3): The violation was due to willful neglect but was corrected within 30 days.

  • Minimum Penalty: $14,232
  • Maximum Penalty (per violation): $71,162
  • Annual Cap (per tier): $355,808

Uncorrected Willful Neglect (Tier 4): The violation was due to willful neglect and was not corrected in a timely manner.

  • Minimum Penalty: $71,162
  • Maximum Penalty (per violation): $2,134,831
  • Annual Cap (per tier): $2,134,831

According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a healthcare breach reached $9.77 million. Healthcare has been the most expensive industry for data breaches every year since 2011.

How to Stay Off the Wall of Shame

Avoiding a HIPAA breach requires structured safeguards, documented workflows, and continuous monitoring. ChartRequest helps healthcare organizations meet these standards and reduce the risk of reportable incidents.

Features that prevent breaches and enhance accountability include:

Strict Access Controls
Limit access to data and system features based on each user’s job role. ChartRequest helps enforce the minimum necessary standard and records all changes to access levels.

End-to-End Encryption
Protect PHI in transit and at rest using 256-bit SSL encryption, 2048-bit private keys, and multi-layered AES encryption for all documents and data.

Automated Audit Logging
Track every request, download, and disclosure. ChartRequest logs all activity, helping your team detect unusual behavior and respond quickly to potential incidents.

Learn more about how ChartRequest helps strengthen security, improve audit readiness, and reduce OCR Wall of Shame risk.
