The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to the OCR’s Regional Offices.
OCR currently investigates all PHI breaches that affect 500 or more individuals, whereas investigations of small PHI breaches – those affecting fewer than 500 individuals – have only been performed as resources permit. Responsibility for investigating small breaches falls to OCR's Regional Offices, but limited resources have kept such investigations to a minimum until now.
However, a new initiative has now been launched that will see Regional Offices investigate small PHI breaches much more widely, although OCR will continue to prioritize investigations of large-scale breaches of protected health information.
According to a recent news release, each of OCR's Regional Offices has been instructed to increase its efforts to investigate breaches impacting fewer than 500 individuals. The aim is to ensure that covered entities take action to address the non-compliance with HIPAA Rules that led to the exposure or theft of PHI, regardless of the number of individuals affected.
When assessing breach reports, the Regional Offices will consider a number of different factors before initiating a breach investigation. These include how many individuals have been impacted by a breach, the types of data that have been exposed or stolen, whether data has been viewed or obtained by an unauthorized individual, whether a system used to store PHI has been infiltrated by a hacker, and the number of breach reports that have previously been submitted by the covered entity.
If a covered entity submits multiple breach reports that raise similar issues, an investigation is more likely to be initiated. OCR has also said that an unusually low number of reported breaches affecting fewer than 500 individuals – compared with similar entities – may be used as a criterion when deciding whether to launch an investigation.
OCR will not necessarily impose financial penalties on covered entities for small data breaches that resulted from non-compliance with HIPAA Rules, but compliance issues will be identified and corrective action will be required.
OCR has previously opted to resolve non-compliance through voluntary actions by the covered entity. Technical assistance has been provided in many cases to help the covered entity bring privacy and security standards up to the level required by HIPAA. However, OCR is not averse to financially penalizing organizations that have experienced small data breaches if those breaches have resulted from serious HIPAA failures.
In January 2013, OCR announced that a $50,000 settlement had been reached with the Hospice of North Idaho following an investigation into a PHI breach affecting 441 individuals. This was the first time that a financial settlement had been reached with a covered entity for HIPAA violations discovered after a breach of fewer than 500 records. The breach involved the theft of an unencrypted laptop computer.
In April 2014, a little over a year later, OCR announced a settlement with QCA Health Plan, Inc. to resolve HIPAA violations discovered following a breach of just 148 records. QCA Health Plan adopted a corrective action plan and paid OCR $250,000 to settle the case. As in the Hospice of North Idaho case, the breach involved the theft of an unencrypted laptop computer.
Most recently, in June 2016, OCR announced it had reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) following an investigation into a PHI breach that impacted 412 individuals. CHCS agreed to pay $650,000 to resolve the case. That investigation, too, was triggered by the theft of a portable device containing PHI.
The announcement should serve as a warning to covered entities: even small data breaches may trigger HIPAA investigations, and if OCR finds that HIPAA Rules have been violated, financial penalties may follow. As the 2016 CHCS settlement shows, those penalties can be substantial.