Now is a Good Time to Review Your HIPAA Policies

Kilpatrick

The HHS Office for Civil Rights (OCR) has announced it is increasing its investigations of breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals. As a reminder, the HIPAA Breach Notification Rule requires breaches of unsecured PHI to be reported; breaches involving fewer than 500 participants must be reported to the Secretary of HHS annually. Information regarding the reporting requirement is available here.

In determining which smaller breaches to investigate, the regional offices will consider the size of the breach and sensitivity of the PHI involved, theft or improper disposal of unencrypted PHI, breaches involving hacking, and situations where the same covered entity or business associate is reporting multiple breaches. Regional offices may also consider the lack of reporting of breaches by an entity compared to similarly situated entities. Information about the HIPAA enforcement process can be found here.

Resolution agreements following OCR investigations have included penalties in the millions of dollars. Covered entities and business associates should take the time to review their HIPAA privacy and security policies and procedures, confirm they have business associate agreements in place, review their policies regarding breach reporting, and determine if any updates are needed – before they face an audit or investigation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
