Tuesday, October 4, 2016 12:00 PM

OCR to Expand Compliance Reviews of Small Healthcare Breaches

Written by Karen Pursch, Director, Patient Privacy Solutions

The Health and Human Services (HHS) Office for Civil Rights (OCR) announced in August that it has launched a new initiative to more widely investigate HIPAA breaches of protected health information (PHI) affecting fewer than 500 individuals.

There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

Beginning this month, OCR regional offices have increased their efforts to identify and obtain corrective action to address “entity and systemic noncompliance” related to these smaller breaches.

Our partner, David Holtzman from CynergisTek, recently wrote about this change. David cited that OCR will initially look at specific factors, including:

  • The size of the breach
  • Theft or improper disposal of devices or media containing unencrypted protected health information (PHI)
  • Breaches that involve unwanted intrusion into IT systems (e.g., hacking)
  • The amount, nature and sensitivity of the PHI involved
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues

Healthcare organizations and third-party vendors/business associates should use this announcement to refocus their breach prevention efforts and to analyze their breach reporting processes. What additional safeguards could be implemented to reduce the likelihood of improper PHI disposal or unwanted IT system intrusions?

Please read the full article from CynergisTek to learn about the recent OCR focus on small healthcare breaches.