The Office for Civil Rights (OCR) recently announced that it is increasing its efforts to investigate breaches of unsecured protected health information that affect fewer than 500 individuals. OCR enforces the Health Insurance Portability and Accountability Act (HIPAA), and generally opens compliance reviews into entities that suffer breaches affecting 500 or more individuals. With this new initiative, OCR indicated that its eight regional offices, which historically take the lead in investigating such breaches, have discretion in choosing which smaller breaches to investigate. OCR noted that the regional offices would consider factors including the number of individuals affected; the nature and sensitivity of the personal health information exposed; and whether the breach involved the theft or improper disposal of unencrypted personal health information, or an intrusion into an entity’s IT system.
According to OCR, additional consideration may be given to entities that have submitted numerous breach reports, as well as to those that have submitted fewer reports than other similarly situated entities. That is, OCR could opt to investigate an entity for submitting too few breach reports affecting under 500 individuals if it appears that other entities of comparable size and operation are submitting far more.
TIP: OCR has already pursued some enforcement actions related to breaches affecting fewer than 500 individuals. With the agency officially announcing that it is prioritizing investigations of smaller breaches, businesses subject to HIPAA should be prepared for increased regulatory scrutiny of their small-scale breaches.