Healthcare Informatics Magazine | Health IT | Information Technology

OCR Announces Initiative to Focus Investigations on Smaller Data Breaches

August 22, 2016
by Heather Landi

While large data breaches typically get media headlines, healthcare organizations of all sizes are impacted by data theft, ransomware and privacy violations. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to devote more resources to investigating smaller breaches.

OCR announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals beginning this month. According to an OCR announcement, its regional offices will still retain the discretion to prioritize which smaller breaches to investigate, but “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

While OCR’s regional offices investigate all reported breaches involving the protected health information (PHI) of 500 or more individuals, the regional offices also investigate reports of smaller breaches, or those involving the PHI of 500 or fewer individuals, as resources permit.

In the past few years, OCR has announced settlements with healthcare organizations in cases where the agency investigated smaller breach reports. This past July, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with OCR over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and will pay $650,000 as part of the settlement. The potential violations stemmed from a data breach due to the theft of a CHCS mobile device, which compromised the PHI of 412 nursing home residents.

Other settlements involving breach reports impacting 500 or fewer individuals include Triple-S, St. Elizabeth’s Medical Center and QCA Health Plan, Inc.

In January 2013, HHS announced its first HIPAA breach settlement involving fewer than 500 patients when Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations stemming from a breach of ePHI due to a stolen unencrypted laptop.

According to the OCR announcement, the factors that its regional offices will consider when investigating smaller breaches include the size of the breach, theft of or improper disposal of unencrypted PHI, breaches that involve unwanted intrusions to IT systems, such as hacking, and the amount, nature and sensitivity of the PHI involved. OCR regional offices also will consider instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates,” the OCR announcement stated.


