The Office for Civil Rights announced recently that it will step up its investigations of HIPAA breaches affecting fewer than 500 people.

Noting that the root causes of breaches might indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, the Office for Civil Rights sent electronic notification to providers alerting them that small-scale breaches will receive more attention than in the past. It also pointed out that investigating breaches gives the office an opportunity to evaluate an entity’s compliance programs and obtain correction of any deficiencies.

In the past, the Office for Civil Rights focused on breaches involving 500 or more individuals, and it investigated smaller breaches as time and resources permitted. The Office for Civil Rights says regional offices will still retain discretion to prioritize which breaches to investigate.

The Office for Civil Rights cites the following determining factors:

  • the size of the breach;
  • whether the breach involved theft of or improper disposal of unencrypted protected health information (PHI), or hacking;
  • the amount, nature, and sensitivity of the PHI;
  • repeated breach reports from a covered entity or from a business associate.