OCR to Enforce Investigating Breaches Affecting Under 500 Individuals
Federal health privacy officials issued an alert last week saying that, starting this August, the agency is allocating more resources to an initiative aimed at investigating health data breaches affecting fewer than 500 individuals.
In the alert, issued by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the agency directed its local offices to prioritize the following factors when considering whether to investigate a smaller breach: whether the breach was the result of theft or improper disposal of protected health information (PHI), and whether an entity’s IT system had been intruded upon, Healthcare IT News reported.
According to the alert, officials “will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
Typically, OCR has instructed its regional offices to focus on breaches that affect 500 or more individuals. A breached entity that has impacted 500 or more people earns a spot on HHS’s infamous “wall of shame.” Under the HIPAA Breach Notification Rule, covered entities must report breaches affecting 500 or more people to OCR without unreasonable delay and no later than 60 days after discovery; smaller breaches may be logged and reported annually, “no later than 60 days after the end of the calendar year in which the breaches are discovered,” OCR’s website states.
In a statement to the publication Health IT Security, OCR pointed to several covered entities that paid OCR settlements for infractions affecting under 500 people, such as Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia. CHCS paid OCR $650,000 because it had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS,” according to Health IT Security.