e-mail Print Share

Office for Civil Rights expands investigations of breaches

August 24, 2016 Washington — The U.S. Department of Health and Human Services Office for Civil Rights announced Aug. 18 that it has begun an initiative to investigate the root causes of reported breaches affecting fewer than 500 individuals.  

Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act Breach Notification Rule, OCR said it has prioritized investigating reported protected health information (PHI) breaches. The agency added that because "the root causes of breaches may indicate entitywide and industrywide noncompliance with HIPAA's regulations," these investigations provide OCR with an opportunity to evaluate an entity's compliance programs, obtain correction of any deficiencies and better understand compliance issues in HIPAA-regulated entities.

According to OCR, regional offices will still decide which smaller breaches to investigate. Among the factors regional offices will consider include:
  • The size of the breach.
  • Theft of or improper disposal of unencrypted PHI.
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking).
  • The amount, nature and sensitivity of the PHI involved.
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.  
OCR added that regional offices may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates. Recent settlements of cases where OCR has investigated smaller breach reports include Catholic Health Care Services, Triple-S, and St. Elizabeth's Medical Center and Hospice of North Idaho.

Information about OCR's compliance and enforcement work with regard to breaches, and with regard to the many other incidents that OCR investigates, is available on the HHS website here.
ADA HIPAA resources can be found online in the Center for Professional Success or the ADA Catalog.