Sign in

OCR is stepping up its investigations of smaller breaches

By: Lisa Marlin

August 24, 2016

It’s no small news that smaller breaches will now take up a bigger part of the OCR’s attention. The Department of Health and Human Services’ Office for Civil Rights (OCR) announced this month it has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals.

According to the news release, each of the OCR’s Regional Offices has been instructed to increase efforts to investigate these smaller breaches. This will help ensure that action is taken by covered entities to address non-compliance with HIPAA Rules that has led to the exposure or theft of protected health information (PHI), regardless of how many individuals are affected.

Some of the factors Regional Offices will consider when determining whether to investigate a smaller breach are:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

A recent article in HIPAA Journal reported that the OCR will not necessarily be financially penalizing covered entities for small data breaches that have resulted from non-compliance with HIPAA, but compliance issues will be identified and corrective action will be necessary.

However, and this is a big however, even before the stepped up efforts, the OCR has issued substantial fines to organizations that have experienced small data breaches when those breaches have resulted from serious HIPAA failures. Take for instance, in June 2016 when the OCR announced it reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) following an investigation into a PHI breach that impacted 412 individuals. CHCS agreed to pay $650,000 to resolve the case. The investigation was triggered after a portable device containing PHI was stolen.

No matter the size of your organization, it’s cost effective to keep your eyes on your portable devices and, in particular, on your compliance with all HIPAA rules. The OCR certainly is.

It’s a big task. Let us help. PrivaPlan Associates, Inc. is the authority in HIPAA Privacy and Security Rule Compliance. Offering in a wide array of products and services including guidance on: HIPAA Privacy and HIPAA Security, HIPAA Training, Meaningful Use Consultation, Security Risk Assessments and much more.

Contact our HIPAA experts at info@privaplan.com or call 877-218-7707.