In the recently released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
"Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit."
While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed. According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)." That's a mere 2% of all breaches that have OCR's full attention. The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on fewer than 500 individuals.