OCR Announces Initiative to Focus Investigations on Smaller Data Breaches | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

OCR Announces Initiative to Focus Investigations on Smaller Data Breaches

August 22, 2016
by Heather Landi
| Reprints
Click To View Gallery

While large data breaches typically get media headlines, healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.

OCR announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals beginning this month. According to an OCR announcement, its regional offices will still retain the discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

While OCR’s regional offices investigate all reported breaches involving the PHI of 500 or more individuals, the regional offices also investigate reports of smaller breaches, or those involving the protected health information (PHI) of 500 or fewer individuals, as resources permit.

In the past few years, OCR has announced settlements with healthcare organizations in cases where the agency investigated smaller breach reports. This past July, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with OCR over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and will pay $650,000 as part of the settlement. The potential violations stemmed from a data breach due to the theft of a CHCS mobile device which compromised the PHI of 412 nursing home residents.

Other settlements involving breach reports impacting 500 or fewer individuals include Triple-S, St. Elizabeth’s Medical Center and QCA Health Plan, Inc.

In January 2013, HHS announced its first HIPAA breach settlement involving less than 500 patients when Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations stemming from a breach of ePHI due to a stolen unencrypted laptop.

According to the OCR announcement, the factors that its regional offices will consider when investigating smaller breaches include the size of the breach, theft of or improper disposal of unencrypted PHI, breaches that involve unwanted intrusions to IT systems, such as hacking, and the amount, nature and sensitivity of the PHI involved. OCR regional offices also will consider instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates,” the OCR announcement stated.



Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



NewYork-Presbyterian, Walgreens Partner on Telemedicine Initiative

NewYork-Presbyterian and Walgreens are collaborating to bring expanded access to NewYork-Presbyterian’s healthcare through new telemedicine services, the two organizations announced this week.

ONC Releases Patient Demographic Data Quality Framework

The Office of the National Coordinator for Health IT (ONC) developed a framework to help health systems, large practices, health information exchanges and payers to improve their patient demographic data quality.

AMIA, Pew Urge Congress to Ensure ONC has Funding to Implement Cures Provisions

The Pew Charitable Trusts and the American Medical Informatics Association (AMIA) have sent a letter to congressional appropriators urging them to ensure that ONC has adequate funding to implement certain 21st Century Cures Act provisions.

Former Michigan Governor to Serve as Chair of DRIVE Health

Former Michigan Governor John Engler will serve as chair of the DRIVE Health Initiative, a campaign aimed at accelerating the U.S. health system's transition to value-based care.

NJ Medical Group Launches Statewide HIE, OneHealth New Jersey

The Medical Society of New Jersey (MSNJ) recently launched OneHealth New Jersey, a statewide health information exchange (HIE) that is now live.

Survey: 70% of Providers Using Off-Premises Computing for Some Applications

A survey conducted by KLAS Research found that 70 percent of healthcare organizations have moved at least some applications or IT infrastructure off-premises.