OCR to more actively investigate smaller data breaches
As data theft, ransomware, network attacks and accidental privacy violations continue to plague healthcare organizations of all sizes, HHS Office for Civil Rights has announced plans to devote more resources to investigating smaller breaches.
As OCR works to "obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly," it has long directed its regional offices to investigate all reported breaches involving the protected health information of 500 or more individuals. Those offices also look into smaller breaches, but only as resources permit.
But whether it's simply noncompliance with HIPAA regulations or victimization at the hands of shadowy cyber crooks, providers, payers and business associates – irrespective of size – are all vulnerable to breaches. So starting in August, OCR has told its regional offices to more broadly investigate the root causes of incidents affecting fewer than 500 people.
Officials "will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches," according to an HHS alert published this past week.
The office will prioritize according to the size of the breach; whether any unencrypted PHI was stolen or improperly disposed of; any breaches involving "unwanted intrusions to IT systems" (hacking, malware, phishing); and the nature and sensitivity of the data involved.
OCR will also home in on any incidents at organizations where "numerous breach reports from a particular covered entity or business associate raise similar issues."
The office points to settlements following small breaches at organizations such as St. Elizabeth’s Medical Center, a tertiary care hospital in Boston that used a web-based document sharing app to manage the information of at least 498 patients, and – earlier this summer – Catholic Health Care Services, which settled for $650,000 after a stolen iPhone compromised the PHI of 412 nursing home residents.
“This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said former Director Leon Rodriguez back in 2013, when the agency assessed its first HIPAA breach settlement involving fewer than 500 patients – $50,000 from the Hospice of North Idaho after an unencrypted laptop was stolen.
With this new broader investigative mandate, it seems a safe guess there will be more settlements to come.