The Office for Civil Rights (OCR) HIPAA enforcement efforts are continuing to increase. This year, the OCR has already announced 10 HIPAA enforcement actions involving fines, which is a 67 percent increase from last year and has also started HIPAA compliance audits. According to OCR’s latest announcement, OCR will increase its investigations of HIPAA breaches of unsecured protected health information (PHI) involving 500 or fewer individuals to further its HIPAA enforcement efforts. It has been a practice of the OCR’s Regional Offices to investigate breaches of PHI of 500 or more individuals, but the smaller breaches of fewer than 500 individuals have been previously investigated on a limited basis.
According to the OCR announcement on Aug. 18, 2016, Regional Offices will have discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.” In deciding which of the smaller breaches to investigate, the Regional Offices will consider the following factors:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
It is important to note that the OCR publication also made it clear that the Regional Offices will now “consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”
The OCR announcement and the increased HIPAA enforcement should serve as a reminder that each organization subject to HIPAA compliance must ensure that the organization has a strong HIPAA compliance program in place, that the organization implements and follows the safeguards to prevent unauthorized use or disclosure of PHI and that any breach incidents are appropriately identified, investigated, reported and addressed consistent with HIPAA requirements.