The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed it will be increasing the amount of investigations of small PHI breaches with immediate effect. violations impacting less than 500 individuals will now be subjected to tighter scrutiny, with the responsibility for reviewing those breaches falling to the OCR’s Regional Offices.
OCR currently reviews all PHI violations that impact more than 500 individuals, although reviews of small PHI breaches – those that affect fewer than 500 people – have only been carried as resources permit. The responsibility for investigating small breaches lies with the OCRs Regional Offices, but due to limited resources, reviews of small breaches have been limited until this time.
However, a new project has been launched that will see Regional Offices review small PHI breaches much more widely, although OCR will continue to place high importance on investigations of large-scale breaches of protected health information.
According to a recent media report, each of the OCRs Regional Offices has been told to increase efforts to review breaches impacting fewer than 500 people. The aim is to ensure that corrective action is taken by covered entities to address non-compliance with HIPAA Rules that has led to the exposure of PHI, regardless of the number of people affected.
When reviewing breach reports, the Regional Offices will look into a number of different factors before initiating a breach review. These include how many people have been impacted by a violation, the types of data that have been exposed or illegally obtained, whether data has been seen or obtained by an unauthorized individual, whether a system that is to storing PHI has been accessed by a hacker, and the number of breach reports that have previously been filed by the covered entity.
If multiple breach reports are filed by a covered entity that raise similar issues, a review is more likely to begin. OCR has also stated that a lack of breach reports affecting fewer than 500 people – compared to other bodies – may also be used as a criterion when considering whether or not to launch a breach review.
OCR may not financially penalizing covered bodies for small data violations that have resulted from non-compliance with HIPAA, but compliance issues will be identified and corrective action will have to be taken.
OCR has previously tried to resolve non-compliance through voluntary actions by the covered body. Technical assistance has been given in many cases to help the covered body bring privacy and security standards up to the level required by HIPAA. However, OCR is not against financially penalizing organizations that have encountered small data breaches if those breaches have arisen from serious HIPAA failures.
In January 2013, OCR revealed that a $50,000 settlement had been agreed with the Hospice of North Idaho following a review into a PHI breach affecting 441 individuals. This was the first time that a financial settlement had been agreed with a covered body for HIPAA violations found after a breach of fewer than 500 records. The privacy breach involved the theft of an unencrypted laptop computer.
12 months later, OCR revealed a settlement had been reached with QCA Health Plan, Inc. A corrective action plan was put in place to address HIPAA violations that were found following a breach of just 148 records. QCA Health Plan Inc., also had to make payment of OCR $250,000 to settle the case. Similarly, this violation involved the theft of an unencrypted laptop computer.
In June 2016, OCR revealed it reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) following a review into a PHI breach that impacted 412 people. CHCS agreed to pay $650,000 to settle the case. The investigation was also begun after a portable device containing PHI was stolen.
The official announcement should serve as a warning to covered bodies: Even small data breaches may trigger HIPAA reviews. If OCR finds HIPAA Rules have not been adhered to, financial penalties are likely to be inflicted. As we have already seen in 2016, those financial penalties can be substantial.
