OCR Announces Initiative to Focus Investigations on Smaller Data Breaches

Aug. 22, 2016
As healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.

While large data breaches typically get media headlines, healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.

OCR announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals beginning this month. According to an OCR announcement, its regional offices will still retain the discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

While OCR’s regional offices investigate all reported breaches involving the PHI of 500 or more individuals, the regional offices also investigate reports of smaller breaches, or those involving the protected health information (PHI) of 500 or fewer individuals, as resources permit.

In the past few years, OCR has announced settlements with healthcare organizations in cases where the agency investigated smaller breach reports. This past July, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with OCR over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and will pay $650,000 as part of the settlement. The potential violations stemmed from a data breach due to the theft of a CHCS mobile device which compromised the PHI of 412 nursing home residents.

Other settlements involving breach reports impacting 500 or fewer individuals include Triple-S, St. Elizabeth’s Medical Center and QCA Health Plan, Inc.

In January 2013, HHS announced its first HIPAA breach settlement involving less than 500 patients when Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations stemming from a breach of ePHI due to a stolen unencrypted laptop.

According to the OCR announcement, the factors that its regional offices will consider when investigating smaller breaches include the size of the breach, theft of or improper disposal of unencrypted PHI, breaches that involve unwanted intrusions to IT systems, such as hacking, and the amount, nature and sensitivity of the PHI involved. OCR regional offices also will consider instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates,” the OCR announcement stated.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?