OCR will step up investigations of smaller breaches

HHS’ Office of Civil Rights (OCR) has announced it will make a concerted effort to investigate more data breaches affecting fewer than 500 people through its regional offices.

In its announcement, OCR said this is a change from the current policy of investigating all breaches affecting more than 500 people, while the smaller breaches are looked at “as resources permit.” Those investigations have resulted in settlements, such as a $650,000 payment by Catholic Health Services of the Archdiocese of Philadelphia or a $250,000 payment by QCA Health Plan of Arkansas.

“Beginning this month, OCR, through the continuing hard work of its regional offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” the agency said. “Regional offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

In deciding which of these smaller breaches to investigate, regional offices are to consider factors like how many patients are affected, the sensitivity of the protected health information, and the nature of the breach, such as hacking or improper disposal of unencrypted data.

While these breaches aren’t required to be investigated, the same notification standards have always applied, requiring covered entities to report breaches individuals no later than 60 days after it was discovered. Breaches affecting 500 or fewer people have to be reported to the HHS Secretary on an annual basis.

OCR has been tackling bigger breaches with several multi-million dollar settlements over the past few months. Earlier in August, it agreed to its largest settlement for HIPAA violations for a single entity, with Illinois-based Advocate Healthcare set to pay $5.5 million for multiple breaches that affected 4 million health records.  

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.