The Office for Civil Rights (OCR), the division of the Department of Health and Human Services (HHS) responsible for investigating and enforcing HIPAA violations, has announced an initiative to investigate breaches affecting fewer than 500 individuals.
Since the passage of the HITECH Act of 2009 and the subsequent implementation of the HIPAA Breach Notification Rule, OCR has made it a priority to investigate HIPAA violations involving protected health information (PHI). Most of the cases OCR has investigated have been large, system-wide breaches. Those investigations and the resulting fines have allowed OCR to analyze and understand healthcare entities' HIPAA compliance issues more broadly. Now, however, OCR's Regional Offices are pursuing an initiative to investigate breaches affecting fewer than 500 individuals as resources permit. Regional Offices have full discretion to prioritize which smaller breaches to investigate. The factors they will consider include:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
The Regional Offices may also take into account a lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to similarly situated covered entities and business associates; in other words, reporting no small breaches at all can itself draw attention. Note also that the second factor applies to unencrypted PHI: under HHS guidance, PHI that is encrypted consistent with that guidance is not "unsecured" PHI, and its loss or theft is generally not a reportable breach. This announcement puts more pressure on smaller healthcare organizations to take a hard look at their HIPAA compliance policies and procedures. It is no longer valid to say that OCR does not investigate smaller entities; it is now only a matter of time before smaller entities are investigated.
About Paubox: Paubox is a provider of seamless HIPAA compliant encrypted email.