Beginning in August, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched a new initiative to investigate smaller breach reports, meaning those affecting fewer than 500 individuals, the agency announced Aug. 18.
This effort is based on a series of recent case settlements where OCR investigated smaller breaches that generated significant fines, including those at:
- Catholic Health Care Services ($650,000 fine)
- Triple-S ($3.5 million fine)
- St. Elizabeth’s Medical Center ($218,400 fine)
- QCA Health Plan Inc. ($250,000 fine)
- Hospice of North Idaho ($50,000 fine)
In each of these instances, the fine was only part of the OCR response. Most settlements also included corrective action plans, which imposed additional reporting and documentation obligations on the alleged violators, often for years.
OCR directed its regional offices to investigate more widely the root causes of breaches affecting fewer than 500 individuals. Each office retains discretion over which of these breaches to scrutinize. “But each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches,” OCR stated in its announcement.
Here are the key factors the regional offices will consider when choosing organizations to investigate:
- Size of the breach
- Theft of or improper disposal of unencrypted protected health information (PHI)
- Breaches that involve unwanted intrusions to information technology (IT) systems (such as by hacking)
- The amount, nature and sensitivity of the PHI
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
If you haven’t already created a HIPAA audit action plan or completed a risk assessment, now is the time to get one in place. Otherwise you could be facing hefty fines and corrective action obligations that can go on for years.
- HHS OCR is targeting smaller breaches for enforcement action that can result in large fines.
- OCR regional offices have discretion to prioritize which breach types they choose to investigate.
- Be aware of the five factors OCR has identified as key targets for enforcement action.
To stay in the clear and HIPAA-compliant, check out the Coding Leader online HIPAA training page. Each session listed gives you access to national experts who walk you through a specific aspect of HIPAA compliance in plain English, so it’s easier for you to comply.