OCR thinks small to stop data breaches

Reports of breaches impacting the protected health information (PHI) of 500 or fewer individuals will be more widely investigated by the HHS Office for Civil Rights (OCR), beginning August 2016. Previously, the OCR’s regional offices investigated all breach reports involving the PHI of 500 or more individuals and only investigated smaller breaches when resources permitted the additional oversight. Under the new initiative, regional offices will retain discretion to investigate smaller breaches, but each office will increase investigative efforts to identify smaller breaches and obtain necessary corrective action.

Considerations

Covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) are required to report breaches of PHI to affected individuals and the OCR, consistent with the Breach Notification Rule; in instances of breaches involving at least 500 individuals, they must also notify the media. To decide which breach reports affecting fewer than 500 individuals will be investigated, the OCR plans to consider the following factors:

  • the size of the breach;
  • the presence of theft or improper disposal of unencrypted PHI;
  • unwanted intrusions into information technology (IT) systems (hacking); and
  • instances where numerous breach reports from a single entity raise similar issues.

Prior breaches

The OCR has already investigated some smaller breach reports, which have led to settlements. Those investigations include breaches resulting from a business associate’s failure to safeguard the PHI of skilled nursing facility residents, an insurance company’s failure to implement adequate PHI security measures, a medical center’s improper use of a data-sharing internet application, and the theft of two unencrypted laptops—one from a hospice provider and another from an employee’s car at a physical therapy center.

Other threats

Data breaches and cybersecurity threats of all kinds continue to plague the health care industry. For example, in July 2016, Banner Health experienced a breach of PHI and payment card data of 3.7 million patients, members, beneficiaries, and food and beverage outlet customers (see Banner Health breach potentially affects millions, Health Law Daily, August 4, 2016). Additionally, health systems are facing new threats, like ransomware, where hackers “kidnap” data and demand ransom payments for the data’s release (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016).