OCR Investigating Smaller Breaches

In late August, the Office for Civil Rights (OCR) of the Department of Health and Human Services announced via its listserv that it was ramping up its enforcement efforts for smaller breaches of fewer than 500 records.

The breach notification rules impose different requirements on covered entities and business associates depending on the number of records compromised. All breaches must be reported to DHHS at least annually, even the breach of a single record, but breaches of more than 500 records require additional procedures, such as reporting to the local media and notifying OCR of the breach within 60 days rather than annually. Breaches of more than 500 records are also posted on OCR's "wall of shame" website.

OCR plans to release its latest biannual report to Congress on smaller breaches in the coming weeks. The report will cover breaches reported to OCR in 2013 and 2014. Because of the 500-record threshold, it has been suggested that enforcement actions were unlikely for small breaches. Until recently, the only notable enforcement action and settlement for a breach of fewer than 500 records was the Hospice of Northern Idaho (HONI) incident. HONI was fined $50,000 in 2012 as a result of a stolen laptop containing the medical records of 441 patients.

However, last year, in September 2015, the DHHS' Office of Inspector General issued a recommendation that OCR ramp up investigations of smaller health breaches and standardize how they are investigated. Iliana Peters, OCR's senior adviser for HIPAA compliance and enforcement, indicated that regional offices would be adding staff to support the effort.

Under the HIPAA Breach Notification Rule, which went into effect in 2009, OCR regional offices investigate all breaches of protected health information affecting 500 or more individuals. Before this announcement, OCR's regional offices investigated smaller breaches affecting fewer than 500 individuals only sporadically. Regional offices are now being given additional resources to investigate the root causes of smaller breaches more widely and to standardize OCR's approach to investigating those incidents.

According to Peters, the new initiative will not necessarily lead to an uptick in investigations in every region. Some regions had already developed guidelines for responding to these smaller breaches and were already involved in enforcement actions. One objective of the initiative is to increase awareness of the notification requirements for smaller breaches. In addition, Peters emphasized the need for covered entities to properly document breaches, investigate their compliance practices, and improve them.

For example, Peters suggested that OCR will be on the lookout for organizations that have multiple smaller breaches stemming from the same cause, such as misdirected mail. OCR will take a closer look at entities with multiple breaches of the same type or cause, which could lead to investigation and enforcement actions. Organizations should not only document breaches properly; their procedures should also include root cause analysis and correction of any procedures that are inadequate to protect the privacy of PHI.

Peters suggested that covered entities should expect increased scrutiny of smaller breaches and an increase in the number of investigations related to them. Peters also indicated that when criminal incidents are uncovered, such as data theft or ransomware events, OCR will refer the cases to the U.S. Department of Justice.

So far in 2016, OCR has announced 10 enforcement actions, including a recent record $5.55 million settlement with Chicago-based Advocate Health Care in the wake of an investigation into three 2013 breaches. OCR's 10 settlements this year have raised about $20.5 million, more than in any previous year.
