Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to investigate breaches affecting fewer than 500 individuals more widely. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or more individuals.
The announcement states that while Regional Offices retain discretion over which smaller breaches to investigate, several factors will guide their decision on which ones to pursue:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
OCR hopes that this initiative will further its goals of identifying entity-wide and industry-wide noncompliance with HIPAA’s regulations, evaluating entities’ compliance programs, obtaining correction of any deficiencies, and better understanding compliance issues in HIPAA-regulated entities more broadly.