
OCR Announces Initiative to Focus Investigations on Smaller Data Breaches

August 22, 2016
by Heather Landi

While large data breaches typically get media headlines, healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.

OCR announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals beginning this month. According to an OCR announcement, its regional offices will still retain the discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

While OCR’s regional offices investigate all reported breaches involving the protected health information (PHI) of 500 or more individuals, they also investigate reports of smaller breaches, those involving the PHI of 500 or fewer individuals, as resources permit.

In the past few years, OCR has announced settlements with healthcare organizations in cases where the agency investigated smaller breach reports. This past July, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with OCR over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and will pay $650,000 as part of the settlement. The potential violations stemmed from a data breach caused by the theft of a CHCS mobile device that compromised the PHI of 412 nursing home residents.

Other settlements involving breach reports impacting 500 or fewer individuals include Triple-S, St. Elizabeth’s Medical Center and QCA Health Plan, Inc.

In January 2013, HHS announced its first HIPAA breach settlement involving fewer than 500 patients, when Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations stemming from a breach of ePHI caused by a stolen unencrypted laptop.

According to the OCR announcement, the factors its regional offices will consider when deciding which smaller breaches to investigate include the size of the breach; theft or improper disposal of unencrypted PHI; breaches that involve unwanted intrusions into IT systems, such as hacking; and the amount, nature and sensitivity of the PHI involved. OCR regional offices will also consider instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates,” the OCR announcement stated.
