Dive Brief:
- HHS’ Office for Civil Rights has directed its regional offices to step up investigations of smaller breaches involving personal health information.
- According to an HHS alert, regional offices “will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
- OCR routinely investigates breaches involving the PHI of 500 or more individuals. Investigations of smaller breaches, however, have tied to availability of resources.
Dive Insight:
By increasing the scope of its investigations into data privacy breaches, OCR hopes to “better understand compliance issues in HIPAA-regulated entities more broadly.” Identifying the root causes of breaches could reveal entity-wide or even industry-wide lapses in HIPAA compliance, not to mention vulnerabilities that put networks at risk of cyber and ransomware attacks.
OCR said it would devote more resources to the support the initiative.
In determining which smaller breaches to pursue, offices should consider the size of the breach, whether unencrypted PHI was stolen or improperly disposed of, whether hacking was involved and whether the organization has reported previous breaches, OCR says.
The office cites several recent settlements involving smaller breaches. Catholic Health Care Services settled for $650,000 after the theft of an iPhone put 412 nursing home residents’ protected health information (PHI) at risk. In another case, Puerto Rico-based insurance holding company Triple-S Management settled for $3.5 million for multiple breaches involving failure to properly secure PHI.