This month the HHS Office for Civil Rights (OCR) has launched an initiative "to more widely investigate the root causes" of HIPAA breaches affecting fewer than 500 individuals, according to an August 18, 2016 OCR email announcement. While Regional Offices will retain discretion to prioritize investigation of smaller breaches, each office is directed to "increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches." Factors to be considered in prioritizing such investigations include: the size of the breach; theft of or improper disposal of unencrypted personal health information (PHI); breaches that involve unwanted intrusions to information technology systems; the amount, nature and sensitivity of the PHI involved; or cases of numerous breach reports from a particular covered entity or business associate raising similar issues. According to the announcement, Regional Offices also may consider the lack of breach reports affecting fewer than 500 individuals when comparing a covered entities and business associates. Additional information about OCR HIPAA breach enforcement efforts is available on the OCR website.
This article is presented for informational purposes only and is not intended to constitute legal advice.