The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative that expands its review and investigation of the causes of breaches affecting fewer than 500 people. Between October 2009 and June 2016, covered entities and business associates reported 232,000 breaches of PHI affecting fewer than 500 individuals to OCR.
Investigations into the root cause of small breaches can identify an entity’s widespread or systemic noncompliance with the privacy and security rules. A review of a single stolen laptop that held e-PHI of 100 individuals may uncover an organization’s failure to encrypt any of the data it creates or maintains. And just as easily as a large breach, a small breach can reveal that a covered entity or business associate has never completed an enterprise-wide information security risk assessment, or the risk management plan needed to safeguard PHI effectively.
In selecting organizations for compliance reviews, OCR will initially consider specific factors, including:
- The size of the breach
- Theft or improper disposal of devices or media containing unencrypted protected health information (PHI)
- Breaches that involve unwanted intrusion to IT systems (e.g. hacking)
- The amount, nature and sensitivity of the PHI involved
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues
OCR will also look for covered entities that may have underreported breaches and failed to notify the affected individuals. The agency can draw on its existing efforts to identify covered entities and business associates in order to find those that have never reported a breach. OCR will then open compliance reviews to examine how organizations uncover and respond to unauthorized uses and disclosures of PHI, as well as their procedures for making the required notifications to individuals and the government when a breach has occurred.
What is clear is that this is a new, aggressive front in how OCR treats breach reporting. In light of recent enforcement actions and resolution agreements, the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become ingrained in these organizations’ respective cultures and day-to-day business practices. Nor can entities that promptly report a privacy or security breach resulting from a stolen laptop realistically expect to avoid investigation and a potential civil money penalty.
Now, HHS is looking behind the stolen laptop, the patient photo posted to an employee’s Twitter account, the patient file left on the seat of a subway car, and so on. Each of these is treated as a symptom of an underlying condition: OCR will examine whether sufficient attention was paid to HIPAA privacy and security requirements, and will review the mechanisms that could have brought the risk to light sooner and potentially prevented the disclosure of PHI.
If you have any questions please do not hesitate to contact us.