On August 18, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced its intention (via its email list-serv) to “more broadly investigate” breaches of protected health information (“PHI”) affecting fewer than 500 individuals. Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) and subsequent implementation of the HIPAA Breach Notification Rule in 2013, OCR has prioritized the investigation of reported breaches of PHI, particularly those that involve large numbers of affected individuals. Currently, all of OCR’s Regional Offices investigate every reported breach affecting 500 or more individuals.

Beginning this month, however, OCR, through its Regional Offices, has implemented an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Determining the root cause of a breach (even a small one) may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.

Although Regional Offices will retain discretion to prioritize which smaller breaches to investigate, they will now implement a set of factors in determining which investigations to take on:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature, and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regional Offices may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific entity or business associate to similarly-situated covered entities and business associates.

Covered entities and business associates should bear in mind that this new initiative by OCR does not affect reporting requirements under the Breach Notification Rule. Pertinently, providers must still notify the OCR annually of breaches affecting fewer than 500 individuals.

The attorneys at Chilivis Grubman assist healthcare entities of all types and sizes with HIPAA-related issues, including audits, assessments, and OCR investigations.  For any questions, or if we can assist you in connection with such a matter, please contact us at (404) 262-6505 or sgrubman@cglawfirm.com.