- OCR Blitzkrieg: Wider Investigation of Smaller Breaches
- September 12, 2016 | Author: Kelly A. Leahy
- Law Firm: Shumaker, Loop & Kendrick, LLP - Columbus Office
On the heels of its first settlement with a business associate and a hat trick of multi-million dollar settlements with covered entities involving electronic Protected Health Information (“PHI”), on August 18, 2016, the Office for Civil Rights (“OCR”) announced that it has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. The goals of the initiative are to better evaluate covered entities’ compliance programs, to obtain corrective action for any deficiencies, and to better understand the compliance issues of HIPAA covered entities more broadly.
Currently, OCR Regional Offices investigate all breaches involving the PHI of more than 500 individuals and other breaches as time permits. Under the new initiative, the OCR Regional Offices will increase their efforts to identify and obtain corrective action to address entity-specific and systemic noncompliance related to smaller breaches. They will have the discretion to prioritize which smaller breaches to investigate and will consider:
- The size of the breach;
- Theft of or improper disposal of PHI;
- Breaches that involve unwanted intrusions to IT systems (such as hacking);
- The amount, nature and sensitivity of the PHI involved; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
Prior OCR enforcement actions arising from smaller breaches include:
- A 2013 settlement with Hospice of North Idaho involving a corrective action plan and a penalty of $50,000 after an investigation of a PHI breach involving 441 individuals resulting from the theft of an unencrypted laptop;
- A 2014 settlement with QCA Health Plan involving a corrective action plan and a monetary penalty of $250,000 after an investigation of a PHI breach involving 148 individuals, also resulting from the theft of an unencrypted laptop; and
- A 2015 settlement with St. Elizabeth Medical Center involving a corrective action plan and a monetary penalty of $218,400 after an investigation of two PHI breaches involving a combined 1093 individuals resulting from unsecured PHI on a former employee’s laptop and a USB drive, and employee use of an internet application without analyzing the risks of doing so.
To avoid costly penalties and onerous corrective action plans, covered entities and business associates should identify and address the root cause of identified deficiencies to ensure they are not an indication of entity-wide or systemic noncompliance.