Office for Civil Rights expands investigations of breaches
August 24, 2016
Washington — The U.S. Department of Health and Human Services Office for Civil Rights announced Aug. 18 that it has begun an initiative to investigate the root causes of reported breaches affecting fewer than 500 individuals.
Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act Breach Notification Rule, OCR said it has prioritized investigating reported protected health information (PHI) breaches. The agency added that because "the root causes of breaches may indicate entitywide and industrywide noncompliance with HIPAA's regulations," these investigations provide OCR with an opportunity to evaluate an entity's compliance programs, obtain correction of any deficiencies and better understand compliance issues in HIPAA-regulated entities.
According to OCR, regional offices will still decide which smaller breaches to investigate. The factors regional offices will consider include:
- The size of the breach.
- Theft of or improper disposal of unencrypted PHI.
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking).
- The amount, nature and sensitivity of the PHI involved.
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
OCR added that regional offices may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates. Recent settlements of cases where OCR has investigated smaller breach reports include Catholic Health Care Services, Triple-S, St. Elizabeth's Medical Center and Hospice of North Idaho.
Information about OCR's compliance and enforcement work with regard to breaches, and with regard to the many other incidents that OCR investigates, is available on the HHS website.
ADA HIPAA resources can be found online in the Center for Professional Success or the ADA Catalog.