HHS Office for Civil Rights to Increase Investigation of Small HIPAA Breaches

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) recently announced that it has increased its review of breaches of protected health information affecting fewer than 500 individuals. This increased scrutiny is likely to result in increased enforcement actions, fines, and other penalties for both covered entities and business associates.


The HIPAA Privacy Rule applies to covered entities and their business associates, and it limits access, use and disclosure of individuals’ protected health information (PHI) by these entities. When PHI is accessed, acquired, used, or disclosed in a way not permitted under HIPAA, the presumption under the HIPAA Breach Notification Rule is that a breach has occurred unless it can be shown that there is a low probability that PHI has been compromised based on a breach risk assessment that complies with HIPAA requirements. If the incident is a breach, covered entities are required to report it to OCR, in addition to other obligations. All breaches must be reported to OCR; however, the timing of that notice depends on the number of individuals affected by the breach. For a breach requiring notice to 500 or more individuals, OCR must be notified contemporaneously with notice to affected individuals. For breaches affecting fewer than 500 individuals, notice to OCR is not required until the first 60 days of the following calendar year. These “smaller” breaches traditionally have received less scrutiny from OCR.

Increase in Small Breach Investigations

Investigations of reported breaches are conducted by the OCR Regional Offices. The Regional Offices have historically investigated all breaches involving the PHI of 500 or more individuals, and have investigated smaller breaches at their discretion (and less often). However, OCR’s announcement makes clear that both covered entities and business associates should expect to see increased activity around reviews of smaller breaches. OCR calls this increase an “initiative” and indicates that the investigations will attempt to identify and assess “root causes” of these smaller breaches.

Regional Offices will not be required to investigate all reported small breaches, but OCR stated that “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.” OCR also provided a list of factors that Regional Offices will consider in determining which small breaches to investigate, including:

  • The size of the breach;
  • The amount, nature and sensitivity of the PHI involved;
  • Whether there was theft of or improper disposal of unencrypted PHI; and
  • Whether the breach involved unwanted intrusions to IT systems (for example, by hacking).

OCR added that Regional Offices may also consider “[i]nstances where numerous breach reports from a particular covered entity or business associate raise similar issues . . . [or] the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

OCR’s announcement cites several small breach settlements as examples, with the earliest dating back to January 2, 2013—the first ever HIPAA breach settlement involving unsecured electronic PHI of fewer than 500 individuals. The most recent of the cited examples was announced in June of this year. The financial components of the settlements range from a low of $50,000 for the first-ever such settlement, to a high of $3.5 million for a settlement in November 2015.

Risks of Investigation & Steps to Take Now

Risks from an OCR breach investigation include an increased likelihood of a full audit by OCR, a potential resolution agreement with stringent terms, and possible civil monetary penalties. All of these sanctions may be imposed against both covered entities and business associates. Civil monetary penalties under HIPAA are tiered and can vary from $100 to $50,000 per violation, with a cap of $1.5 million per calendar year for identical violations. Separate violations may be separately subject to the cap.

Accordingly, covered entities and business associates should take steps to ensure that they are compliant with HIPAA’s requirements generally, and, specifically, in relation to any reported breaches. HIPAA provides a six-year timeframe from the date of the violation for HHS to commence an action in response, so the following steps are important both retrospectively for already-reported breaches and prospectively for breaches that may be reported in the future:

  • Ensure that documentation of the breach assessment and mitigation steps is created and retained.
  • Ensure that corrective actions identified as part of the breach assessment have been implemented.
  • Ensure that policies related to breach analysis and response are up to date and are being implemented and enforced.
  • Review ongoing HIPAA compliance efforts because an OCR breach investigation may extend beyond the facts of the particular breach(es) being investigated to all aspects of HIPAA compliance.

Should you have any questions about lessening the risk of a HIPAA breach, evaluating whether a breach has occurred, or responding properly to an identified breach, please feel free to contact Sherman CohenKevin Coy or Madison Pool on AGG’s Healthcare Information Technology Team.

To review the entire document and formatting for this alert (e.g., footnotes), please access the original below: