Breaches of protected health information (PHI) affecting fewer than 500 individuals are the next focus for the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), the agency recently announced. OCR's regional offices already investigate all reports of breaches involving the PHI of 500 or more individuals; they will now also investigate smaller breaches "as resources permit." Regional offices will have discretion to prioritize which of the smaller breaches they investigate, OCR said, but all offices will increase their efforts to identify breaches and determine what type of noncompliance was involved. Among the factors OCR will use to select smaller breaches for investigation are the size of the breach; whether theft or improper disposal of unencrypted PHI was involved; whether the breach involved unwanted intrusions into information technology (IT) systems, such as hacking; and whether the same entity or business associate has filed numerous breach reports.

Recent cases that settled following OCR investigations of smaller breach reports include a $650,000 settlement with a Philadelphia-area health network (see the July 13, 2016, HRC Alerts) and several other notable cases: a case in Puerto Rico in which a $3.5 million settlement was reached, a Massachusetts medical center with a $200,000 settlement, a pair of cases involving laptops with settlements totaling almost $2 million, and a small breach at an Idaho hospice that resulted in a $50,000 settlement. "The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA's [Health Insurance Portability and Accountability Act] regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity's compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly," OCR said.
More information about how OCR investigates breaches is available at its website.

HRC Recommends: OCR's vigorous enforcement efforts and sizable penalties and settlements require rigorous compliance efforts by HIPAA-covered entities. HIPAA privacy and security compliance requires effective collaboration among risk management, corporate compliance, legal counsel, IT, health information management, HIPAA privacy and security officers, the medical staff, human resources, and staff education leadership, as well as the cooperation of the entire workforce.

Topics and Metadata

Topics

Laws, Regulations, Standards; Health Information Privacy

Roles

Healthcare Executive; Legal Affairs; Risk Manager

Information Type

News

Publication History

Published August 24, 2016

Who Should Read This

Corporate compliance, HIPAA privacy officer, HIPAA security officer, Information technology, Legal counsel, Risk manager