On August 18, 2016, the Office for Civil Rights (OCR) announced that, while it intends to continue to investigate all instances of reported breaches of protected health information (PHI) involving 500 or more individuals, it will more widely investigate smaller PHI breaches. OCR explains that its regional offices will increase efforts to identify noncompliance related to “small” breaches and to obtain corrective action to address such noncompliance. Regional offices have discretion over which “small” breaches to investigate, but OCR lists factors that will impact this decision, including whether the covered entity or business associate reports numerous breaches involving similar issues; the type of breach; the amount, nature and sensitivity of the PHI involved; and the size of the breach.
Interestingly, OCR also states that its regional offices may consider the absence of breach reports affecting fewer than 500 individuals from one covered entity or business associate when compared with similarly situated covered entities or business associates. This implies that an investigation may be triggered not only by breach reports but, likely for large systems or organizations, by the lack of such reports relative to peer entities.
Two examples OCR gives of “small” HIPAA breaches that were investigated and that resulted in settlements are St. Elizabeth’s Medical Center and QCA Health Plan, Inc. Further information about St. Elizabeth’s settlement can be found here and information regarding QCA’s settlement can be found here.