From 2003 through May 31, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) received more than 134,246 HIPAA-related complaints and investigated and resolved more than 24,241 cases. The vast majority of those cases involved breaches of unsecured protected health information affecting 500 or more individuals. Yesterday, however, the OCR announced that beginning this month, its regional offices will begin to more widely investigate the root causes of breaches affecting fewer than 500 individuals.
According to OCR, the regional offices will continue to have discretion to prioritize which smaller breaches they choose to investigate. Nevertheless, the OCR offices will purposefully increase their efforts to identify and obtain corrective action to address entity and systematic noncompliance related to the smaller breaches. Among the factors that the regional offices will consider in making a determination as to whether further investigate breaches affecting fewer than 500 individuals are:
- the size of the breach;
- the theft or improper disposal of unencrypted PHI;
- breaches that involve unwanted intrusions to IT systems;
- the amount, nature and sensitivity of the PHI involved; and
- instances where numerous breach reports from a particular covered entity (CE) or business associate (BA) raise similar issues.
The OCR has also instructed that regional offices may consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific CE or BA to like-situated CEs or BAs.
Over the past few years, there have been only a handful of publicized settlements in cases where OCR investigated smaller breach reports and fined the breaching CE or BA. Those include Catholic Health Care Services (monetary payment of $650,000 for breach affecting 412 patients); St. Elizabeth’s Medical Center (monetary payment of $218,400 for breach affecting 595 individuals); QCA Health Plans (monetary payment of $250,000 for breach of ePHI affecting 148 individuals); and Hospice of North Idaho (monetary payment of $50,000 for breach affecting 441 patients).
Given the initiative announced by OCR yesterday, however, we will most certainly see more investigations going forward for breaches affecting less than 500 individuals. Therefore, it is critical that CEs and BAs take proactive steps to review their HIPAA compliance and institute safeguards to protect against breaches.