March 29, 2017

March 29, 2017

Subscribe to Latest Legal News and Analysis

March 28, 2017

Subscribe to Latest Legal News and Analysis

March 27, 2017

Subscribe to Latest Legal News and Analysis

Office for Civil Rights to Increase Investigations of Smaller HIPAA Breaches

HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.

Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections.

According to OCR,

Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.

Some factors Regional Offices will consider when deciding which breaches investigate include

  • theft and improper disposal of unencrypted PHI,

  • breaches caused by IT system intrusions like hacking, and

  • situations where a covered entity or business associate has numerous reports raising similar issues – indicating a failure to correct systemic problems.

Notably, OCR said Regions can also consider whether a specific entity simply has fewer small breach reports than similar covered entities and business associates.

OCR highlighted recent settlements from investigations into breaches affecting fewer than 500 individuals. Four of these six settlements involved stolen laptops or other mobile devices with unencrypted data, and another seven-figure settlement resulted from a breach affecting two individuals.

OCR recognizes that very small breaches can be indicators of very large compliance problems. Accordingly, HIPAA covered entities should never assume that they will avoid scrutiny for reporting a breach affecting fewer than 500 individuals.”

This initiative does not change reporting obligations for covered entities – who must still notify the Secretary annually of breaches affecting fewer than 500 individuals. But we can expect OCR’s active enforcement of HIPAA breaches to continue unabated, and covered entities and business associates should continue to assess and test their HIPAA compliance proactively, with the goal of avoiding breaches of all sizes.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Rachel Irving Pitts, Mergers Attorney, Mintz Levin, Compliance Review Lawyer
Associate

Rachel's practice primarily involves transactional and regulatory matters, including mergers and acquisitions, regulatory compliance review, telemedicine issues, and provider and service contracting matters for various health care providers, administrative organizations, payors, and health systems. Rachel has worked on over 20 transactions valuing more than $200 million since starting at Mintz Levin. She works with hospital systems, dialysis, long-term care, and retail providers, individual providers and practice groups, management companies, independent practice associations, and third-...

617.348.4454