On August 18, 2016, the Department of Health and Human Services - Office for Civil Rights ("OCR"), the office that enforces the Health Insurance Portability and Accountability Act ("HIPAA"), sent out an email detailing a new investigative initiative. OCR currently investigates all reported breaches of protected health information ("PHI") affecting more than 500 individuals, and will soon begin investigating more broadly certain types of breaches affecting fewer than 500 individuals. Further details on breach reporting obligations under HIPAA and an outline of OCR's approach are provided below.

Breach Reporting Requirements

Under the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414), “covered entities” (certain heath care providers, health plans, and health care clearinghouses) are required to notify affected individuals and the Secretary of Health and Human Services in the event of a breach of unsecured PHI. In certain circumstances, covered entities must also notify the media. The Breach Notification Rule sets out different requirements based on the number of individuals impacted by a breach. For breaches affecting more than 500 individuals, a covered entity generally must notify the Secretary of a breach at the same time as it notifies affected individuals (both within 60 calendar days of discovery). For breaches affecting fewer than 500 individuals, a covered entity must maintain a log or other documentation of such breaches and notify the Secretary within 60 calendar days after the end of the calendar year in which the breaches occurred. For example, breaches affecting fewer than 500 individuals that occurred in 2016 must be reported within the first 60 calendar days of 2017. OCR maintains a website providing guidance on the manner in which notification should be provided to the Secretary, available here.

OCR’s New Investigative Initiative

While OCR stated in its announcement that it currently investigates breaches affecting fewer than 500 individuals "as resources permit," beginning in August 2016, it will be more widely investigating the root causes of such breaches. Although OCR will retain discretion on which of these smaller breaches to investigate, it will be increasing its efforts to obtain corrective actions addressing potential non-compliance related to these breaches (e.g., revisions to policies and procedures, staff training). OCR’s announcement noted that it will consider factors including:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; and
  • Instances where numerous breach reports from a particular organization subject to HIPAA raise similar issues.

In addition to the above, OCR noted that it may also consider the lack of breach reports affecting fewer than 500 individuals received from an organization when compared to similar organizations. For example, an absence of reports from a large health system that treats thousands of patients may suggest that the system is not documenting or reporting these smaller breaches as required.

This new initiative underscores the need for organizations to not only ensure that they attempt to mitigate breaches promptly and solve their root causes, but to confirm that they are preparing for potential follow-up investigations by OCR even when reporting smaller breaches.