Recently, OCR has prioritized investigations of reported breaches of Protected Health Information (PHI), following the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule. OCR investigates the root causes of breaches, which can indicate entity-wide and industry-wide non-compliance with HIPAA's regulations. This gives OCR an opportunity to evaluate an entity's compliance program, obtain correction of any deficiencies, and better understand the compliance issues facing HIPAA-regulated entities as a whole. OCR's Regional Offices investigate all reported breaches that involve the PHI of more than 500 individuals.
Below are some settlements in which OCR investigated smaller breaches:
- Health Care Services (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html)
- Triple-S (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/triple-s-management/index.html)
- Elizabeth's Medical Center (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/semc/index.html)
- QCA Health Plan, Inc. (http://www.hhs.gov/about/news/2014/04/22/stolen-laptops-lead-to-important-hipaa-settlements.html)
- Hospice of North Idaho (http://www.hhs.gov/about/news/2013/01/03/hhs-announces-first-hipaa-breach-settlement-involving-less-than-500-patients.html)
Building on the extensive work of its Regional Offices, OCR has begun investigating the root causes of breaches that affect fewer than 500 individuals. Regional Offices will, however, retain discretion to prioritize which smaller breaches to investigate. To address the entity-specific and systemic non-compliance issues that breaches reveal, the Regional Offices will increase their efforts to identify and obtain corrective action.
Regional Offices will consider the following factors:
- The size of the breach
- Theft or improper removal of unencrypted PHI
- Unauthorized intrusion into IT systems (for example, by hacking), or
- Multiple breaches reported by a particular covered entity or business associate
The Region will also take into account the absence of breach reports affecting fewer than 500 individuals when evaluating a specific covered entity or business associate.