2016-09-02 19:05:41 UTC

Sept. 6, 2016

Office of Civil Rights to launch wider investigations of technology breaches affecting fewer than 500 individuals.

GI practices should pay close attention to small, seemingly benign HIPAA issues. The Office of Civil Rights (OCR) is launching a new initiative to pay closer attention to breaches that affect a smaller number of individuals, in this case less than 500. 

In the past, OCR’s regional offices have investigated all reported breaches involving protected health information of 500 or more individuals, and secondarily investigated smaller (less than 500) breaches as resources allowed. Beginning this month, OCR will focus their attention on all breaches equally, regardless of size. While all breaches will be considered for investigation, the regional offices will consider the following:

  • The size of the breach.
  • Breaches that involve unwanted intrusions to IT systems (e.g., hacking).
  • Theft of or improper disposal of unencrypted protected health information (PHI). 
  • The amount, nature and sensitivity of the PHI involved.
  • Instances in which numerous breach reports from a particular covered entity or repetitive reports from the same business associate.

For more information about OCR’s compliance and enforcement work with regard to breaches, and the other incidents that OCR investigates, please visit the OCR website.

More on Regulatory