Home > Insights > Blogs > Health Law Checkup > OCR: No privacy breach is too small
HIPAA folder

OCR: No privacy breach is too small

Milada Goturi September 1, 2016

Links

Contributors

Contributors

Raquel Boton

Raquel Boton

Catherine Feorene

Catherine Feorene

Jim Fogle

Jim Fogle

Suzanne Galvin

Suzanne Galvin

Evan Raskas Goldfarb

Evan Raskas Goldfarb

A. Jay Goldstein

A. Jay Goldstein

Milada Goturi

Milada Goturi

Ed Harvey

Ed Harvey

Joy Harris Hennessy

Joy Harris Hennessy

Nicole Jobe

Nicole Jobe

Kevin Kifer

Kevin Kifer

April Kirkley

April Kirkley

Bryan Gray Looney

Bryan Gray Looney

Jan Paul Miller

Jan Paul Miller

Tonya Oliver Rose

Tonya Oliver Rose

Claire Schenk

Claire Schenk

Mackenzie Wallace

Mackenzie Wallace

The Office for Civil Rights (OCR) HIPAA enforcement efforts are continuing to increase. This year, the OCR has already announced 10 HIPAA enforcement actions involving fines, which is a 67 percent increase from last year, and has also started HIPAA compliance audits. According to OCR’s latest announcement, OCR will increase its investigations of HIPAA breaches of unsecured protected health information (PHI) involving 500 or fewer individuals to further its HIPAA enforcement efforts. It has been a practice of the OCR’s Regional Offices to investigate breaches of PHI of 500 or more individuals, but the smaller breaches of fewer than 500 individuals have been previously investigated on a limited basis.

According to the OCR announcement on Aug. 18, 2016, Regional Offices will have discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.” In deciding which of the smaller breaches to investigate, the Regional Offices will consider the following factors:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

It is important to note that the OCR publication also made it clear that the Regional Offices will now “consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

The OCR announcement and the increased HIPAA enforcement should serve as a reminder that each organization subject to HIPAA compliance must ensure that the organization has a strong HIPAA compliance program in place, that the organization implements and follows the safeguards to prevent unauthorized use or disclosure of PHI and that any breach incidents are appropriately identified, investigated, reported and addressed consistent with HIPAA requirements.