OCR to Increase Efforts to Investigate Privacy Breaches of Unsecured Protected Health Information Affecting Fewer Than 500 Individuals

By: Edward J. Welch

The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services (HHS) that investigates privacy breaches of unsecured, protected health information (PHI) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The exponential growth in the use of electronic devices for the storage and transmission of PHI has correspondingly increased the risk that a healthcare organization will experience a Breach of PHI and a subsequent, costly OCR investigation.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a Breach of PHI. A Breach of PHI is defined as the acquisition, access, use or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.  Following a Breach of PHI, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The reporting protocol for a Breach of PHI varies depending upon the number of individuals affected by the breach.  If a Breach of PHI affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. If a Breach of PHI affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.  An investigation by the OCR is virtually assured when a covered entity experiences a Breach of PHI affecting more than 500 individuals.  Such a regulatory investigation likely will be time-consuming and nerve-wracking.  The risk that the OCR may decide to impose a civil money penalty in response to a covered entity’s failure to address a Breach of PHI is real and ever-present.

On August 18, 2016, the OCR announced that it had begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Prior to this announcement, the OCR had prioritized investigation of reported Breaches of PHI affecting greater than 500 individuals and would investigate breaches affecting fewer than 500 individuals only as resources permitted.  While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, the announcement marks an increased focus upon smaller breaches.  In prioritizing their investigations, Regional Offices will consider:

  • The size of the breach;
  • Whether theft or improper disposal of unencrypted PHI was involved;
  • Whether the breach involved an unwanted intrusion to an IT system (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The Regional Offices may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

The OCR’s announcement serves as a reminder that covered entities must remain vigilant about even the smallest Breaches of PHI, and as an incentive to safeguard against breaches and to maintain effective policies and procedures to deal with a breach, should one occur. Policies and procedures for the storage, use and dissemination of PHI should be reviewed and updated regularly.

