The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But no more. The agency announced yesterday that beginning this month, it will more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.
OCR investigates all reported breaches involving the PHI of 500 or more individuals. However, it has not ignored smaller breaches. For example, following an investigation concerning a breach affecting 441 individuals in 2013, OCR reached a settlement with the covered entity for $50,000. The plan to look at more smaller breaches makes some sense from an enforcement perspective as the extent of an entity’s noncompliance does not necessarily correlate with the number of individuals affected by a breach. For example, it would seem more likely that a covered entity that suffered five breaches during a year, each affecting 200 individuals, would have more significant gaps in its HIPAA compliance than an organization with one breach during the year affecting 1,000 individuals.
OCR is not saying it will be investigating all smaller breaches. As noted above, Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, and it will apply that discretion considering the following factors:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
This is just one more reason covered entities and business associates need to achieve and maintain compliance with the HIPAA privacy and security rules. Now small breaches are more likely to lead to an OCR investigation that could find substantial and systemic compliance violations. In a year when millions of dollars in penalties and settlements have been paid to OCR, it is clear that HIPAA enforcement is on the rise.