The Department of Health & Human Services (DHHS) Office of Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.

The new approach of looking at smaller breaches follows a 2015 recommendation by the DHHS Office of Inspector General to post smaller breaches on the OCR website as well as larger breaches. OCR also noted in its announcement that it recently had pursued enforcement action in at least five smaller cases, which included settlements relating to: Catholic Healthcare Services of the Archdiocese of Philadelphia ($650,000 on June 29, 2016), Triple-S Management Corp. ($3.5 million on Nov. 30, 2015), and St. Elizabeth’s Medical Center in Brighton, Mass. ($218,400 on July 10, 2015).

On a more concerning note, recent press reports speculate that OCR may consider outsourcing HIPAA breach investigations to third-party contractors, much like the RAC program for recovery of billed amounts that has expanded in recent years. If pursued by OCR, that approach could significantly expand the scope of enforcement activity.

HIPAA Breaches & OCR – The Basics

What Constitutes a Breach?

Any impermissible use or disclosure that compromises protected health information (PHI) qualifies as a breach under the Privacy Rule. DHHS recognizes three exceptions to the “breach” definition:

  • Unintentional acquisition, access, or use of PHI by a workforce member or other person acting under authority of a covered entity, if acquisition, access, or use was “made in good faith and within the scope of authority”,
  • Inadvertent disclosure of PHI by a covered entity’s authorized person to another covered entity’s authorized person, and
  • A good-faith belief by the covered entity that the unauthorized person was not able to retain the PHI.

For additional information, reference DHHS Health Information Privacy.

Notification Requirements for Covered Entities

Following a breach, entities must notify affected individuals and the DHHS Secretary. Entities must provide written notice by first-class mail or by email, if the individual has agreed to electronic notifications. Notification must be provided no later than 60 days following discovery of the breach. If the entity has out-of-date information for more than ten individuals, the notice must also be placed on the entity’s home page for a minimum of 90 days. Notice must include a toll-free number, active for at least 90 days, that individuals can call for information.

Business associates are also required to notify entities if a breach occurs at or by the business associate. Notification must be given without delay and no later than 60 days following discovery of the breach. If possible, the business associate must provide the identity of each affected individual and any other available information.

If more than 500 individuals are affected by the breach, entities must notify prominent media outlets serving the State or jurisdiction. The press release must be given to the media no later than 60 days after discovery of the breach.

Additional OCR Considerations to Open Investigation

Along with the size of the breach, OCR will evaluate other factors when determining whether or not to open an investigation in the event of a HIPAA breach. The National Law Review reports that additional factors include:

  • Whether PHI was stolen or improperly disposed of,
  • Whether a single entity reports multiple breaches,
  • Whether numerous entities are reporting similar breaches, and
  • Whether the breach involved unauthorized access to an information technology (IT) system.

OCR analyzes trends revealed by the annual breach reports that covered entities must submit to OCR. Using this trend data, OCR will also look into a lack of breach reports as a possible sign of underreporting.