OCR to Advance Investigations of Breaches Affecting Fewer Than 500 Individuals


The Office for Civil Rights (OCR) has announced that it will begin to more actively investigate breaches of Protected Health Information (PHI) affecting fewer than 500 individuals in order to evaluate the primary and most likely causes of such incidents and to develop appropriate corrective action. Under the Health Insurance Portability and Accountability Act (HIPAA), breaches affecting fewer than 500 individuals are reported to the Department of Health and Human Services (HHS) on an annual basis, rather than under the more immediate reporting requirement that applies to breaches affecting 500 or more individuals. Covered entities and business associates can expect that, when deciding how to allocate investigative resources, OCR will consider the number of breaches reflected in an annual report, as well as an entity’s lack of breach reporting when compared to similarly situated organizations. To further identify and prioritize which breaches to investigate, OCR will evaluate annual breach reports to consider the size of the breach, the nature of the PHI involved, and whether the incident involved theft, hacking, or improper disposal of PHI.

OCR has become particularly interested in incidents involving hacking in the wake of an Arizona breach affecting more than 880,000 patients and employees of an anesthesia and pain management practice. The breach, an intrusion to the practice’s information technology system, was evaluated by an independent forensic consultant who found no evidence to establish that the PHI was in fact accessed. Nevertheless, the consultant was unable to definitively rule out the potential that unauthorized access occurred. In such circumstances, organizations must presume that a reportable breach has occurred despite the lack of evidence demonstrating actual access to PHI, unless the entity can conclusively prove otherwise.

Furthermore, the cumulative annual breaches of an entity may trigger a more thorough investigation by OCR in order to determine the cause of the repeated incidents. Earlier this month, OCR entered into its largest settlement with a single entity to date. The $5.5 million agreement results from an investigation that followed the entity’s report of three incidents affecting four million people within the same year. The settlement agreement represents the penalty for the entity’s overall failure to adequately evaluate and mitigate the various risks associated with its business. Specifically, OCR found that the health care network failed to:

  1. conduct an accurate and thorough risk assessment
  2. limit physical access to its data center where PHI was housed
  3. obtain satisfactory assurances that its business associate would properly safeguard PHI
  4. reasonably safeguard PHI that was contained on portable electronic devices

The director of OCR said of this noteworthy breach settlement, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

HIPAA enforcement has been, and will continue to be, on the rise, particularly in light of OCR’s implementation of Phase Two HIPAA Audits. In the investigation of breaches, as well as in compliance audits, a predominant focus of OCR is ensuring that entities are actively compliant with HIPAA regulations and are well prepared for, and responsive to, any privacy or security incidents.

Frier Levitt provides clients with comprehensive HIPAA compliance planning and training to help prevent costly breaches and OCR enforcement actions. We are also experienced in managing HIPAA breaches and OCR compliance audits. Contact us today to speak to an attorney.