This article by partner Joanna Bergmann and associates Christine Moundas and Jamie Liebert was originally published in Law360 on September 27, 2016.
Flexing yet more enforcement muscle under the Health Insurance Portability and Accountability Act, on Aug. 18, 2016, the U.S. Department of Health and Human Services Office for Civil Rights announced that it will more widely investigate breaches of protected health information (PHI) affecting fewer than 500 individuals, termed “small breaches.”1
Despite statutory authority to investigate all PHI breaches, to date OCR has focused primarily on large-scale breaches and entered into only a handful of settlement agreements with entities affected by small breaches.2 By this, its most recent enforcement initiative, each of OCR’s regional offices has been instructed to “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to … [small] breaches.”3
As a result, health care providers and other covered entities and their business associates should expect an uptick in the volume of enforcement actions triggered by, and OCR settlements reached in connection with, small-scale PHI breaches. In preparation, entities should ensure that their responses to small breaches are just as thoughtful and methodical as their responses to large breaches.
Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the HIPAA breach notification rule, OCR’s regional offices have investigated all reported breaches involving the PHI of 500 or more individuals, and have exercised discretion over whether to investigate reports of smaller breaches.4 In practice, entities are identified for investigation based on mandatory breach reports made to OCR as well as submissions made pursuant to state-level notification requirements. In response, OCR has imposed fines, penalties and, with increasing frequency, corrective action plans (CAPs) on the entities responsible for and affected by such breaches.5
More recently, OCR has expanded its enforcement arsenal to include proactive measures. OCR has imposed higher fines, steeper penalties and more onerous CAPs on entities that fail to put the necessary preventative framework into place by, for example, conducting adequate risk analyses, implementing reasonable electronic safeguards to protect PHI, and entering into required business associate agreements (BAAs).6
OCR’s record-breaking settlement with Advocate Health Care Network earlier this year, under which Advocate must pay $5.55 million and enter into a two-year CAP subject to independent third-party oversight, illustrates the mounting financial impact OCR HIPAA investigations can have on affected entities.7 The Advocate settlement also marks the 10th OCR enforcement action in the first eight months of 2016 — compared to OCR’s previous one-year high of seven settlements.8
Since January 2013, OCR has entered into only a small handful of settlements with entities affected by small breaches; i.e., breaches of PHI affecting fewer than 500 individuals. These include settlements with Catholic Health Care Services, Triple-S, St. Elizabeth’s Medical Center, QCA Health Plan Inc., and Hospice of North Idaho. OCR’s new initiative, which will increase the number of investigations into these types of small-scale PHI breaches, fits within the agency’s overarching trend of more expansive and aggressive HIPAA enforcement.
New Initiative Guidelines
Going forward, OCR regional offices will increase investigatory and enforcement efforts with respect to small breaches, on the theory that investigating “[t]he root causes of [such] breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and … provide OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies and better understand compliance issues in HIPAA-regulated entities more broadly.”9
Although regional offices will retain discretion to prioritize which small breaches to investigate, OCR has directed that the following factors be considered in determining whether to launch an investigation:
- The size of the breach;
- The amount, nature and sensitivity of the PHI involved;
- Theft or improper disposal of unencrypted PHI;
- Breaches involving unwanted intrusions (i.e., hacking) into information technology systems; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues, or, in contrast, instances where a lack of breach reports for small breaches are reported by a specific covered entity or business associate relative to the amount of small breaches reported by “like-situated covered entities and business associates.”10
These factors, in particular the last, illuminate the ever-expanding scope of OCR HIPAA investigations. By directing regional offices to investigate HIPAA-covered entities and business associates for both an excess and a dearth of breach reports, OCR appears focused on all entities not achieving the Goldilocks of breach reporting.
Implications for Health Care Entities
Given the current enforcement environment, all HIPAA-regulated entities should redouble efforts to ensure that they are diligently adhering to best practices with respect to the full scope of their HIPAA obligations. OCR’s increased investigatory and enforcement activities with respect to small breaches demonstrate that each and every security incident and breach must be addressed with one eye on the specific incident and the other on the entity’s HIPAA compliance program more generally.
In particular, during an investigation triggered by a small breach, OCR may request information specifically pertaining to the breach, including the:
- Steps taken to investigate the breach, including any forensic reports;
- Methods used to determine the number of individuals affected by a breach;
- Manner in which breach notification was provided to individuals;
- Actions taken to mitigate, to the extent practicable, any harmful effects of the breach;
- Actions taken to ensure that the breach does not recur;
- Sanctions imposed on the person(s) responsible for the breach; and
- Enhancements made to the HIPAA training program as a result of the breach.
Here, OCR will be interested in confirming that the incident was handled in compliance with the HIPAA breach notification rule. Accordingly, the covered entity or business associate, as appropriate, must ensure that its documentation regarding the investigation and response is carefully and comprehensively compiled and maintained. OCR may also probe why certain incidents were reported and others not. HIPAA-covered entities and business associates should, therefore, ensure that every security incident is timely and sufficiently documented, including, for those incidents not reported, the supporting rationale.
During an investigation triggered by a small breach, OCR may also ask questions designed to shed light on the root causes of the breach, such as any:
- Existing HIPAA privacy and security rule policies or procedures implicated by the breach, as well as any revisions implemented as a result of the breach;
- Administrative, technical and physical safeguards that may have failed or been absent during the breach, such as encryption or access controls;
- BAA oversight procedures (including with business associates and their subcontractors);
- HIPAA risk analyses performed prior to the breach; and
- Risk management and remediation plans in place prior to the breach.
Notably, to investigate whether systemic vulnerabilities contributed to the breach, OCR may request documentation going back six years. In this manner, OCR has been converting discrete breach investigations into more comprehensive HIPAA compliance reviews. The very broad scope of these requests shows that a small breach can now lead to a far-reaching and potentially consequential investigation.
In sum, even after a small breach, HIPAA covered entities and business associates must not only satisfy their obligations under the HIPAA breach notification rule, but also undertake to assess the root causes of the breach and remediate any deficiencies detected in their HIPAA compliance program in a holistic and timely manner.
Republished with permission from Law360.