From 2003 through May 31, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) received more than 134,246 HIPAA-related complaints and investigated and resolved more than 24,241 cases. The vast majority of those cases involved breaches of unsecured protected health information (PHI) affecting 500 or more individuals. Yesterday, however, the OCR announced that beginning this month, its regional offices will begin to more widely investigate the root causes of breaches affecting fewer than 500 individuals.
According to OCR, the regional offices will continue to have discretion to prioritize which smaller breaches they choose to investigate. Nevertheless, the OCR offices will purposefully increase their efforts to identify and obtain corrective action to address entity and systemic noncompliance related to the smaller breaches. Among the factors that the regional offices will consider in determining whether to further investigate breaches affecting fewer than 500 individuals are:
- the size of the breach;
- the theft or improper disposal of unencrypted PHI;
- breaches that involve unwanted intrusions to IT systems;
- the amount, nature and sensitivity of the PHI involved; and
- instances where numerous breach reports from a particular covered entity (CE) or business associate (BA) raise similar issues.
The OCR has also instructed that regional offices may consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific CE or BA to like-situated CEs or BAs.
Over the past few years, there have been only a handful of publicized settlements in cases where OCR investigated smaller breach reports and fined the breaching CE or BA. Those include Catholic Health Care Services (monetary payment of $650,000 for a breach affecting 412 patients); St. Elizabeth’s Medical Center (monetary payment of $218,400 for a breach affecting 595 individuals); QCA Health Plans (monetary payment of $250,000 for a breach of ePHI affecting 148 individuals); and Hospice of North Idaho (monetary payment of $50,000 for a breach affecting 441 patients).
Given the initiative announced by OCR yesterday, however, we will most certainly see more investigations going forward for breaches affecting fewer than 500 individuals. Therefore, it is critical that CEs and BAs take proactive steps to review their HIPAA compliance and institute safeguards to protect against breaches.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.