Although all breaches should be reported to OCR, generally only breaches affecting 500 or more individuals are investigated by OCR’s regional offices, while small breaches—breaches affecting fewer than 500 individuals—are investigated only as resources permit.
OCR has already started taking action against entities involved in smaller breaches, such as its $650,000 June settlement with Catholic Health Care Services of the Archdiocese of Philadelphia for a breach affecting 412 individuals.
Starting this month, OCR will instruct its regional offices to step up investigations of smaller breaches and identify the root causes. Identifying common root causes will help the agency better measure HIPAA compliance throughout the industry and address industrywide compliance gaps, OCR said. Regional offices may obtain corrective actions if an investigation of a smaller breach reveals noncompliance.
Regional offices are instructed to take several factors into consideration when investigating smaller breaches and determining corrective action. These are:
• The size of the breach
• Whether a single entity reports multiple small breaches with a similar root cause
• Whether the breach involves theft, improper disposal of protected health information, or hacking
Covered entities (CEs) and business associates (BAs) should review HHS’ HIPAA enforcement process, the breach reporting requirements for smaller breaches, and the case examples of HIPAA violation corrective actions.