The department of Health and Human Services Office of Civil Rights is charged with enforcing HIPAA privacy and security rules. Since the passage of the HITECH Act (2009) and the subsequent implementation of the HIPAA Breach Notification Rule, OCR has prioritized investigation of reported breaches of protected health information, investigating all reported breaches involving the PHI of 500 or more individuals.
Regional Offices also investigate reports of smaller breaches (involving the PHI of fewer 500 individuals), as resources permit.
Recent settlements of cases where investigations of smaller breach reports include:
Beginning this month, OCR, through its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. Among the factors Regional Offices will consider include:
Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.
More information about OCR’s compliance and enforcement work with regard to breaches is available online at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. The OCR Twitter handle is @HHSOCR.
©2016 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only. editor@homecaretechreport.com