OCR Investigations to Focus on Breaches Involving Fewer than 500 Individuals

Published On: September 27, 2016

The Office for Civil Rights (OCR) for the Department of Health and Human Services (HHS) recently announced that its Regional Offices will increase investigations into HIPAA breaches that affect fewer than 500 individuals.

Under the HIPAA Breach Notification Rule, covered entities must report breaches affecting the unsecured protected health information (PHI) of fewer than 500 individuals to HHS within 60 days of the end of the calendar year in which the breach was discovered (business associates report such breaches to the affected covered entity, which then reports to HHS). PHI that has been encrypted or destroyed in a manner consistent with HHS guidance is not "unsecured," so its loss or theft does not trigger these reporting obligations.

OCR’s Regional Offices will increasingly investigate the root causes of such breaches, which is expected to lead to more settlement agreements with covered entities for these “smaller breaches.”

In determining whether to investigate a breach involving fewer than 500 individuals, OCR stated that it will consider:

  • Size of the breach: The number of individuals affected
  • Type of PHI involved: The amount, nature, and sensitivity of the PHI involved
  • Unencrypted PHI: Whether the breach involved the theft or improper disposal of unencrypted PHI
  • Intrusions into IT systems: Whether the breach involved unwanted intrusions into IT systems (e.g., hacking)
  • Similar reports from the same entity: Whether numerous breach reports from a particular covered entity or business associate raise similar issues
  • Reports from other covered entities: Whether similarly situated covered entities have reported similar breaches

With this new attention to breaches affecting fewer than 500 individuals, covered entities should:

  • Create an action plan for responding to breaches and other privacy incidents.
  • Develop a system for tracking and reporting breaches, including those affecting fewer than 500 individuals.
  • Prepare template letters for notifying individuals should a breach requiring notification occur.
  • Review internal policies and procedures for the retention, transmission, encryption, and destruction of PHI.

The HIPAA Privacy Toolkit contains several documents developed to help health centers to manage their breach reporting requirements, including a sample breach analysis and notification policy and procedure, template breach notification letter and a sample breach incident log. To check your health center’s subscription status or to learn more about the HIPAA Privacy Toolkit, please contact healthcentercompliance@feldesman.com.

For more information about your health center’s responsibilities under HIPAA, please contact an attorney at Feldesman Tucker Leifer Fidell LLP at (202) 466-8960 or register for our HIPAA webinar on November 10, 2016.

