ARTICLE
25 August 2016

OCR To Increase Efforts To Investigate Breaches Affecting Fewer Than 500 Individuals

BakerHostetler


The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care executives everywhere. Data breaches have been occurring with disturbingly high frequency in the health care industry. If a covered entity experiences a data breach involving more than 500 affected individuals, a regulatory investigation by the OCR is virtually guaranteed.

On August 18, 2016, the OCR announced that it was increasing efforts to investigate smaller breaches, that is, those involving fewer than 500 individuals. While the OCR has always had the authority to investigate smaller breaches, it has traditionally done so only when it had resources to spare. The new initiative announced by the OCR represents a concerted effort to investigate the root causes of breaches affecting fewer than 500 individuals.

Even with this new initiative, the OCR is unlikely to investigate every breach; there are simply too many to handle. Instead, each regional office will prioritize its investigations based on:

  • The size of the breach;
  • Whether it involves the theft of or improper disposal of unencrypted PHI;
  • Whether it involves unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation. Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
