Covered entities and business associates can expect increased scrutiny for breaches of unsecured protected health information affecting fewer than 500 individuals. Starting August 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) began more widely investigating these small breaches under the Health Insurance Portability and Accountability Act (HIPAA), according to an August 18th OCR email.
Historically, OCR investigated or provided technical assistance on all breaches affecting 500 or more individuals. Each OCR regional office had discretion regarding whether to take action on small breaches (those affecting fewer than 500 individuals). We are not aware of OCR releasing information about what percentage of small breaches it actually investigated or otherwise took action on. Between September 2009 and June 2016, though, OCR has received more than 230,000 small breach reports (compared to about 1,600 large breach reports).
OCR’s e-mail indicates that it has expanded its investigation of small breaches. HHS’ regional offices will continue to have discretion over which small breaches to investigate and will determine whether to examine a given breach based on the following factors:
- The size of the breach;
- Whether the breach involved the theft or improper disposal of unencrypted PHI;
- Whether the breach involved unwanted intrusions to IT systems (g. hacking);
- The amount, nature, and sensitivity of the PHI involved;
- Instances where several breach reports from a covered entity or business associate raise similar issues; and
- The lack of small breach reports when comparing a given covered entity or business associate to similarly-situated entities.
OCR’s initiative is part of its ongoing effort to determine the root causes of breaches of unsecured PHI, which may indicate entity- or industry-wide HIPAA noncompliance, and to better understand HIPAA compliance issues more broadly. Because the HIPAA Breach Notification Rule permits a covered entity to report all small breaches to OCR following the end of the calendar year, a regional office’s review of a particular small breach may begin sometime after the breach actually occurred.
Covered entities and business associates should continue to report small breaches as they had done so before, but with the understanding that there is now an increased risk that these reports will result in investigations. To demonstrate appropriate responses to breaches, entities should verify that they have documented all breaches, as well as privacy or security events that may not rise to the level of a reportable breach, and documented corrective action in response to the breaches (and other events). Additionally, covered entities and business associates should have a recent risk analysis and risk management plan. Ironically, entities who are not reporting any small breaches should be cognizant that OCR may take notice and should be prepared to support that they have good systems in place to detect breaches but nevertheless have not discovered any small breaches.