OCR Announces Increased Investigation of Small HIPAA Breaches

October 14, 2016 | Privacy, Data & Cyber Law

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) recently announced a new initiative to investigate the causes of “small breaches” under the Health Insurance Portability and Accountability Act (“HIPAA”) that involve the protected health information (“PHI”) of fewer than 500 individuals. OCR has discretion in deciding which breaches to investigate and, in the past, it has almost exclusively focused its efforts on breaches that affected 500 or more individuals. OCR hopes that broadening its investigation efforts will help identify common compliance issues and repeated breaches among covered entities and business associates.

In order to prioritize which small breaches to investigate, OCR will consider the following factors:

  1. The size of the breach;
  2. Whether the breach involves theft or improper disposal of unencrypted PHI;
  3. Whether the breach involves unwanted intrusions into IT systems (i.e., hacking);
  4. The amount, nature and sensitivity of PHI involved; and
  5. Whether numerous breach reports from a particular covered entity or business associate raised similar compliance issues.

Covered entities and business associates are encouraged to review their compliance efforts under the HIPAA Breach Notification Rule. Under the rule, covered entities and business associates are required to maintain a record of the HIPAA breaches they discover that affect fewer than 500 individuals and to submit that record to HHS within 60 days after the end of each calendar year. Failure to properly document and report such small breaches may raise suspicion and increase the likelihood of an OCR investigation under the new initiative.
