"OCR Will Increase Focus on Smaller Breaches"

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or more individuals.

The announcement states that while Regional Offices retain discretion to determine which smaller breaches to investigate, there are several factors that will help them determine which smaller breaches to pursue:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions into IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

OCR hopes that this initiative will further its goals of identifying entity-wide and industry-wide noncompliance with HIPAA’s regulations, evaluating entities’ compliance programs, obtaining correction of any deficiencies, and better understanding compliance issues in HIPAA-regulated entities more broadly.
