Regional Office to more broadly investigate breaches involving fewer than 500 individuals

We often advise our clients that one of the criteria separating a “high risk” breach from a “low risk” breach is whether the breach affects more or fewer than 500 individuals. This is because the HHS Office of Civil Rights (which is the HIPAA enforcement arm of HHS) has historically prioritized investigation of and corrective action following breaches affecting in excess of 500 individuals—OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals. However, OCR recently announced that it would be teaming up with its Regional Office staff to more widely investigate HIPAA breaches affecting fewer than 500 individuals—sending a strong signal to covered entities and business associates that no one is “safe” from repercussions emanating from a HIPAA breach.

This announcement is another in a series of indications from OCR that they are continuing to ramp up HIPAA enforcement. Recent settlements of breaches affecting smaller patient populations include:

• Catholic Health Care Services (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html);

• Triple-S (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/triple-s-management/index.html);

• St. Elizabeth's Medical Center (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/semc/index.html);

• QCA Health Plan, Inc. (http://www.hhs.gov/about/news/2014/04/22/stolen-laptops-lead-to-important-hipaa-settlements.html); and

• Hospice of North Idaho (http://www.hhs.gov/about/news/2013/01/03/hhs-announces-first-hipaa-breach-settlement-involving-less-than-500-patients.html)

This news does not mean, however, that smaller breaches are guaranteed to draw government scrutiny. Regional Offices will have the discretion to decide which entities they will investigate, and OCR has released some of the criteria they will use to prioritize investigations. In addition to looking at the size of the breach and the nature of the information compromised (e.g., is it just name and address, or does it include SSNs?) , Regional Offices will look to whether the breach involves theft of or improper disposal of unencrypted PHI, and if there is evidence of unwanted intrusions to IT systems (for example, by hacking). They will also be paying close attention to whether there have been multiple breach reports from a particular covered entity or business associate that raise similar issues. Repeated breaches of similar nature can reveal an entity’s systemic noncompliance or failure to secure protected health information.

Physician practices should (if they haven’t already) commit resources toward assessing their compliance with HIPAA. When vulnerabilities are identified, practices should immediately mitigate or address them. Evidence that an entity instituted a new policy or patched a piece of software, or retrained staff can often lessen the consequences of a breach. Areas of focus should include employee training regarding the protection of mobile devices, like laptops, tablets, and thumb drives, and securing the network used to access patient records. In addition, covered entities and business associates should examine common or recent sources of breach (e.g., faxing records to an incorrect number), and institute procedures and protocols to address the contributing behavior or technology vulnerability (e.g., put in place a process for double checking or verifying numbers). For more information, you may contact rebecca.gwilt@nixonlawgroup.com.