OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

August 24, 2016 David Holtzman

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer than 500 people. There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

Investigations into the root cause of small breaches can reveal an entity's widespread or systemic noncompliance with the Privacy and Security Rules. A review of a single stolen laptop holding the ePHI of 100 individuals may uncover an organization's failure to encrypt any of the data it creates or maintains. Just as easily as a large breach, a small breach can reveal that a covered entity or business associate has never completed an enterprise-wide information security risk assessment, or has no risk management plan in place to effectively safeguard PHI.

In selecting organizations for compliance reviews, OCR will initially look at specific factors, including:

  • The size of the breach
  • Theft or improper disposal of devices or media containing unencrypted protected health information (PHI)
  • Breaches that involve unauthorized intrusion into IT systems (e.g. hacking)
  • The amount, nature and sensitivity of the PHI involved
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

OCR will also look for covered entities that may have underreported breaches or failed to notify affected individuals. The agency can draw on its existing efforts to identify covered entities and business associates, and compare that population against its breach reports, to find organizations that have never reported a breach incident. OCR will then open compliance reviews to examine how those organizations detect and respond to unauthorized uses and disclosures of PHI, as well as their procedures for making the required notifications to individuals and to the government when a breach has occurred.

What is clear is that this is a new, aggressive front in how OCR treats breach reporting. In light of recent enforcement actions and resolution agreements, the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; HIPAA compliance must become ingrained in each organization's culture and day-to-day business practices. Nor can an entity that promptly reports a privacy or security breach resulting from a stolen laptop realistically expect that the timely report alone will spare it an investigation and a potential civil money penalty.

Now, HHS is looking behind the stolen laptop, the patient photo posted to an employee's Twitter account, the patient file left on the seat of a subway car, and the like. Each of these is a symptom. The underlying questions are whether sufficient attention has been paid to the HIPAA privacy and security requirements, and whether the mechanisms that could have brought the risk to light sooner, and prevented the disclosure of PHI in the first place, were actually in place.

If you have any questions please do not hesitate to contact us.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule with health information technology policies. David has nearly two decades of experience developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS "CISA 405-d Workgroup", the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).