The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

OCR’s announcement listed several factors that will influence whether a small breach is investigated:

  • the size of the breach;
  • whether theft of or improper disposal of unencrypted Protected Health Information (“PHI”) occurred;
  • whether unwanted intrusions to IT systems (for example, by hacking) occurred;
  • the amount, nature and sensitivity of the PHI involved; or
  • cases where an entity has numerous breaches involving similar issues.

OCR also notes that investigation decisions may be influenced by the lack of breach reports by an entity compared to similarly situated entities.  This signifies that OCR is closely analyzing the trends revealed by annual breach reports that covered entities and business associates must submit to OCR.

For more information about steps covered entities and business associates can take to improve compliance efforts, contact the authors or your regular Crowell & Moring contact.