The HHS Office for Civil Rights (“OCR“) recently announced an initiative to more widely investigate HIPAA privacy breaches affecting fewer than 500 individuals. Generally, all reported breaches involving 500 or more individuals are automatically investigated by OCR. Breaches involving less than 500 individuals will not automatically be investigated, but Regional Offices will increase efforts to investigate smaller breaches based on (1) the size of the breach, (2) theft or improper disposal of unencrypted protected health information (“PHI“), (3) breaches involving hacking, (4) the sensitive nature of the PHI involved, and (5) where numerous breach reports from the same entity raise similar issues.

View additional information on OCR’s enforcement of HIPAA.