OCR will step up investigations of smaller breaches
HHS’ Office for Civil Rights (OCR) has announced it will make a concerted effort, through its regional offices, to investigate more data breaches affecting fewer than 500 people.
In its announcement, OCR said this is a change from the current practice of investigating all breaches affecting 500 or more people, while the smaller breaches are looked at only “as resources permit.” Even so, some of those smaller-breach investigations have already resulted in settlements, such as a $650,000 payment by Catholic Health Services of the Archdiocese of Philadelphia and a $250,000 payment by QCA Health Plan of Arkansas.
“Beginning this month, OCR, through the continuing hard work of its regional offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” the agency said. “Regional offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
In deciding which of these smaller breaches to investigate, regional offices are to consider factors like how many patients are affected, the sensitivity of the protected health information, and the nature of the breach, such as hacking or improper disposal of unencrypted data.
While OCR is not required to investigate these smaller breaches, the same notification standards have always applied to them: covered entities must notify affected individuals no later than 60 days after a breach is discovered. Breaches affecting fewer than 500 people must also be reported to the HHS Secretary on an annual basis, within 60 days after the end of the calendar year in which they were discovered.
OCR has also been tackling bigger breaches, reaching several multi-million dollar settlements over the past few months. Earlier in August, it agreed to its largest HIPAA settlement to date with a single entity: Illinois-based Advocate Healthcare is set to pay $5.5 million over multiple breaches that affected about 4 million health records.