While large data breaches typically get media headlines, healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.
OCR announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals beginning this month. According to an OCR announcement, its regional offices will still retain the discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
OCR’s regional offices investigate all reported breaches involving the protected health information (PHI) of 500 or more individuals. Smaller breaches, those involving the PHI of fewer than 500 individuals, are also investigated by the regional offices, but only as resources permit.
In the past few years, OCR has announced settlements with healthcare organizations in cases where the agency investigated smaller breach reports. This past July, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with OCR over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and will pay $650,000 as part of the settlement. The potential violations stemmed from a data breach due to the theft of a CHCS mobile device which compromised the PHI of 412 nursing home residents.
Other settlements arising from breach reports affecting fewer than 500 individuals include Triple-S, St. Elizabeth’s Medical Center and QCA Health Plan, Inc.
In January 2013, HHS announced its first HIPAA breach settlement involving fewer than 500 patients when Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations stemming from a breach of electronic PHI (ePHI) caused by a stolen unencrypted laptop.
According to the OCR announcement, the factors its regional offices will consider when deciding which smaller breaches to investigate include the size of the breach; theft or improper disposal of unencrypted PHI; breaches involving unwanted intrusions into IT systems, such as hacking; and the amount, nature and sensitivity of the PHI involved. OCR regional offices also will consider instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates,” the OCR announcement stated.