The Office for Civil Rights (OCR) is the investigative arm of the U.S. Department of Health and Human Services for violations of HIPAA involving breaches of protected health information (PHI). Until now, OCR has focused squarely on Covered Entities and on HIPAA breaches affecting large numbers of individuals. That may soon change: OCR has announced an initiative to more widely investigate HIPAA breaches affecting fewer than 500 individuals.
The regional offices of OCR are responsible for investigating all reported breaches by Covered Entities or Business Associates affecting 500 or more individuals. While OCR will not be required to investigate every breach affecting fewer than 500 individuals, it will be ramping up its efforts to identify such breaches and obtain corrective actions to address noncompliance with HIPAA. In furtherance of this effort, OCR has developed a non-exhaustive list of factors that it will consider when deciding whether to investigate:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions into IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved;
- Instances where numerous breach reports from a particular Covered Entity or Business Associate raise similar issues; or
- The lack of breach reports affecting fewer than 500 individuals from a specific Covered Entity or Business Associate, when compared to like-situated Covered Entities and Business Associates.
As the enormous settlements recently paid by Covered Entities investigated by OCR for HIPAA breaches show, OCR does not take these investigations lightly. If your business handles PHI, you must take the necessary steps to protect this information, or you could end up paying significant fines. With OCR's new initiative, businesses can no longer count on a small breach going unnoticed or being lost among the larger HIPAA breaches.