The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care executives everywhere. Data breaches have been occurring with disturbingly high frequency in the health care industry. If a covered entity experiences a data breach involving 500 or more affected individuals (the threshold at which the Breach Notification Rule requires prompt notice to HHS), a regulatory investigation by the OCR is virtually guaranteed.

On August 18, 2016, the OCR announced that it was increasing efforts to investigate smaller breaches, such as those involving fewer than 500 individuals. While the OCR has always had the authority to investigate smaller breaches, it has traditionally done so only when it had resources to spare. This new initiative announced by the OCR represents a concerted effort to investigate the root causes of breaches affecting fewer than 500 individuals.

Even with this new initiative, the OCR is unlikely to investigate every breach; there are simply too many to handle. Instead, each regional office will prioritize its investigations based on:

  • The size of the breach;
  • Whether it involves the theft of or improper disposal of unencrypted PHI;
  • Whether it involves unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation. Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking. The priority list above also points to where prevention pays off: PHI that is encrypted in line with HHS guidance is not "unsecured" PHI, so its loss or theft is generally not a reportable breach at all, while unencrypted PHI and hacking incidents sit near the top of the OCR's list.