OCR Announces Initiative to Investigate More Small Breaches
On August 18, 2016, the Office for Civil Rights (“OCR”) announced a new initiative to more widely investigate breaches affecting fewer than 500 individuals (referred to as “small breaches”). Prior to this announcement, OCR investigated all breaches reported by covered entities that affect 500 or more individuals (considered to be “large breaches”). Those large breaches must be reported to OCR at the same time that notice is provided to the individuals.
Conversely, small breaches that impact fewer than 500 individuals are not reported to OCR immediately. Those breaches must be kept in a log and reported to OCR within sixty days after the end of the calendar year in which the breach occurred. OCR has previously stated from the podium on several occasions that an assigned investigator reviews every small breach report that is filed. We know that OCR has, on several occasions, chosen to investigate a small breach based solely on the breach report and OCR refers to several settlements involving small breaches in its announcement.
OCR is now looking for the root causes of small breaches, with each Regional Office “increasing its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to those breaches.” OCR specifically identified certain factors they would consider, among other factors, in opening an investigation:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
OCR also confirmed our belief that failure to have any breach reports on file when “comparing a specific covered entity or business associate to like-situated covered entities and business associates” is now a potential red flag and could subject the covered entity or business associate to a compliance review. It’s unclear how OCR would undertake this comparison if a covered entity has never filed a breach report and has not previously been identified for audit.
We will pose that question and more to an OCR Investigator who will be presenting at the 2016 Baird Holm Health Law Forum on Friday, November 18, 2016. OCR has invited questions from clients in advance to help them focus their presentation. You can contact Vickie Ahlers (firstname.lastname@example.org) with any questions you would like us to submit to OCR in advance to be addressed at the Health Law Forum.