Access All Live + All On-Demand Trainings for 1 Year! SAVE $500 NOW

All Blogs

HHS Targeting Smaller HIPAA Breaches


Posted Aug 30, 2016
Share: Share on Facebook Share on Twitter Share on LinkedIn
All Blogs

HHS Targeting Smaller HIPAA Breaches

Posted August 30, 2016
Share: Share on Facebook Share on Twitter Share on LinkedIn
HIPAA Breaches

Beginning in August, the U.S. Health and Human Services Department (HHS) Office of Civil Rights (OCR) launched a new initiative to investigate smaller breach reports — meaning those that affect fewer than 500 individuals, the agency announced Aug. 18.

This effort is based on a series of recent case settlements where OCR investigated smaller breaches that generated significant fines, including those at:

  • Catholic Health Care Services ($650,000 fine)
  • Triple-S ($3.5 million fine)
  • Elizabeth’s Medical Center ($218,400 fine)
  • QCA Health Plan Inc. ($250,000 fine)
  • Hospice of North Idaho ($50,000 fine)

In each of these instances, the fine was just a part of the OCR response. Most also included corrective action plans, which required the hassle of additional reporting and documentation conditions for the alleged violators.

OCR directed its regional offices to more widely investigate the root causes of breaches affecting fewer than 500 individuals. In addition, each office has the discretion to prioritize which breaches to scrutinize. “But each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches,” OCR stated in its announcement.

Here are the key factors the regional offices will consider when choosing organizations to investigate:

  • Size of the breach
  • Theft of or improper disposal of unencrypted protected health information (PHI)
  • Breaches that involve unwanted intrusions to information technology (IT) systems (such as by hacking)
  • The amount, nature and sensitivity of the PHI
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

If you haven’t already created a HIPAA audit action plan or completed a risk assessment, now is the time to get one in place. Or you could be facing hefty fines and compliance actions that can go on for years.

Take Aways:

  • HHS OCR is targeting smaller breaches for enforcement action that can result in large fines.
  • OCR regional offices have full discretion to prioritize which breach types it chooses to investigate.
  • Be aware of five factors that OCR has identified as key target for enforcement actions.
Subscribe to Healthcare Practice Advisor
Get actionable advice to help improve your practice’s
reimbursement, compliance, and success in this weekly eNewsletter.
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden