OCR announces new plan to investigate HIPAA breaches affecting fewer than 500 individuals
The Health and Human Services (HHS) Office for Civil Rights (OCR) announced on August 18, 2016, that it has launched a new initiative to more widely investigate HIPAA breaches of protected health information (PHI) affecting fewer than 500 individuals. Beginning this month, OCR regional offices have increased their efforts to identify and obtain corrective action to address “entity and systemic noncompliance” related to these smaller breaches.
The OCR announcement notes that OCR has always prioritized its investigation of reported breaches. OCR regional offices are required to investigate all reported breaches involving the PHI of 500 or more individuals, while they have discretion as to whether they will investigate breaches involving the PHI of fewer than 500 individuals. Under this new nationwide initiative, however, the regional offices will investigate more of the smaller breaches, and this will likely result in an increase in corrective actions against covered entities.
The regional offices will maintain their discretion as to which smaller breaches they will investigate. The OCR announcement includes the following five factors that will be considered in determining which breaches to investigate:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
These factors appear to be based upon OCR’s stated goals of uncovering entity-wide and industry-wide noncompliance and “better understand[ing] compliance issues related to HIPAA-regulated entities more broadly.”
One of the most notable statements in the announcement is that OCR will also be more likely to investigate covered entities and business associates that may be underreporting breaches. The announcement states: “Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.” This is the first time OCR has stated, in writing, that it would consider underreporting when determining whether to investigate a reported breach.
Covered entities and business associates should use this announcement to refocus their breach prevention efforts and to analyze their breach reporting processes. What additional safeguards could be implemented to reduce the likelihood of improper PHI disposal or unwanted IT system intrusions?
If the organization has reported numerous breaches of the same type, what changes to existing procedures could be made to reduce the likelihood of these breaches occurring again in the future? And finally, if the organization reports very few small breaches or none at all, do workforce members fully understand their reporting obligations, and does the organization properly analyze reported incidents? All efforts that are taken to improve compliance should be thoroughly documented in writing.