By: Agne Krutules
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and their business associates have duties under the Privacy Rule and the Security Rule to protect patient health information. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) regional offices are required to investigate all reported breaches involving the protected health information (PHI) of 500 or more individuals. With regard to smaller breaches, however, OCR has discretion whether to conduct an investigation.
From 2003 through May 31, 2016, OCR received more than 134,246 HIPAA-related complaints and investigated and resolved more than 24,241 cases. The vast majority of these investigations involved larger breaches of unsecured PHI affecting 500 or more individuals. That is what most people have come to expect: more attention to large-scale breaches, with smaller breaches affecting fewer than 500 individuals typically receiving less scrutiny. However, these traditional expectations are about to change due to a recent announcement from OCR about its plans to investigate smaller breaches more frequently.
Through an August 18, 2016 email, OCR announced that it is launching an initiative “to more widely investigate the root causes” of HIPAA breaches affecting fewer than 500 individuals. According to the announcement, OCR’s regional offices have ramped up their efforts to identify and obtain corrective action to address “entity and systemic noncompliance” related to these smaller scale breaches. While not every HIPAA breach will be the subject of investigation due to limitations on resources, OCR says that the following factors will be considered in determining whether to pursue such investigations:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature, and sensitivity of the PHI involved; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
OCR’s announcement also states that “Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.” This is the first time OCR has ever specifically announced that it would consider the factor of underreporting when determining whether to investigate a data breach. Thus, covered entities and business associates should use this message to focus on their breach investigation techniques and breach reporting processes.
Although investigations of smaller-scale breaches will remain discretionary, more investigations of breaches affecting fewer than 500 individuals are certain. Accordingly, covered entities and business associates should not become complacent when dealing with smaller or “routine” incidents, and they should take proactive steps to review their HIPAA compliance obligations and update safeguards to protect against breaches. Becoming the subject of an OCR investigation can be time-consuming and expensive, even without considering the potential costs of civil monetary penalties if HIPAA non-compliance is uncovered.