OCR will step up investigations of smaller breaches

HHS’ Office of Civil Rights (OCR) has announced it will make a concerted effort to investigate more data breaches affecting fewer than 500 people through its regional offices.

In its announcement, OCR said this is a change from the current policy of investigating all breaches affecting more than 500 people, while the smaller breaches are looked at “as resources permit.” Those investigations have resulted in settlements, such as a $650,000 payment by Catholic Health Services of the Archdiocese of Philadelphia or a $250,000 payment by QCA Health Plan of Arkansas.

“Beginning this month, OCR, through the continuing hard work of its regional offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” the agency said. “Regional offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

In deciding which of these smaller breaches to investigate, regional offices are to consider factors like how many patients are affected, the sensitivity of the protected health information, and the nature of the breach, such as hacking or improper disposal of unencrypted data.

While these breaches aren’t required to be investigated, the same notification standards have always applied, requiring covered entities to report breaches individuals no later than 60 days after it was discovered. Breaches affecting 500 or fewer people have to be reported to the HHS Secretary on an annual basis.

OCR has been tackling bigger breaches with several multi-million dollar settlements over the past few months. Earlier in August, it agreed to its largest settlement for HIPAA violations for a single entity, with Illinois-based Advocate Healthcare set to pay $5.5 million for multiple breaches that affected 4 million health records.  

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”