Small-Breach Focus Shows Growing Scope Of HIPAA Probes

by Ropes & Gray LLP


This article by partner Joanna Bergmann and associates Christine Moundas and Jamie Liebert was originally published in Law360 on September 27, 2016.

Flexing yet more enforcement muscle under the Health Insurance Portability and Accountability Act, on Aug. 18, 2016, the U.S. Department of Health and Human Services Office for Civil Rights announced that it will more widely investigate breaches of protected health information (PHI) affecting fewer than 500 individuals, termed “small breaches.”1

Despite statutory authority to investigate all PHI breaches, to date OCR has focused primarily on large-scale breaches and entered into only a handful of settlement agreements with entities affected by small breaches.2 By this, its most recent enforcement initiative, each of OCR’s regional offices has been instructed to “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to … [small] breaches.”3

As a result, health care providers and other covered entities and their business associates should expect an uptick in the volume of enforcement actions triggered by, and OCR settlements reached in connection with, small-scale PHI breaches. In preparation, entities should ensure that their responses to small breaches are just as thoughtful and methodical as their responses to large breaches.


Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the HIPAA breach notification rule, OCR’s regional offices have investigated all reported breaches involving the PHI of 500 or more individuals, and have exercised discretion over whether to investigate reports of smaller breaches.4 In practice, entities are identified for investigation based on mandatory breach reports made to OCR as well as submissions made pursuant to state-level notification requirements. In response, OCR has imposed fines, penalties and, with increasing frequency, corrective action plans (CAPs) on the entities responsible for and affected by such breaches.5

More recently, OCR has expanded its enforcement arsenal to include proactive measures. OCR has imposed higher fines, steeper penalties and more onerous CAPs on entities that fail to put the necessary preventative framework into place by, for example, conducting adequate risk analyses, implementing reasonable electronic safeguards to protect PHI, and entering into required business associate agreements (BAAs).6

OCR’s record-breaking settlement with Advocate Health Care Network earlier this year, under which Advocate must pay $5.55 million and enter into a two-year CAP subject to independent third-party oversight, illustrates the mounting financial impact OCR HIPAA investigations can have on affected entities.7 The Advocate settlement also marks the 10th OCR enforcement action in the first eight months of 2016 — compared to OCR’s previous one-year high of seven settlements.8

Since January 2013, OCR has entered into only a small handful of settlements with entities affected by small breaches; i.e., breaches of PHI affecting fewer than 500 individuals. These include settlements with Catholic Health Care Services, Triple-S, St. Elizabeth’s Medical Center, QCA Health Plan Inc., and Hospice of North Idaho. OCR’s new initiative, which will increase the number of investigations into these types of small-scale PHI breaches, fits within the agency’s overarching trend of more expansive and aggressive HIPAA enforcement.

New Initiative Guidelines

Going forward, OCR regional offices will increase investigatory and enforcement efforts with respect to small breaches, on the theory that investigating “[t]he root causes of [such] breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and … provide OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies and better understand compliance issues in HIPAA-regulated entities more broadly.”9

Although regional offices will retain discretion to prioritize which small breaches to investigate, OCR has directed that the following factors be considered in determining whether to launch an investigation:

  • The size of the breach;
  • The amount, nature and sensitivity of the PHI involved;
  • Theft or improper disposal of unencrypted PHI;
  • Breaches involving unwanted intrusions (i.e., hacking) into information technology systems; and
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues, or, in contrast, instances where a specific covered entity or business associate reports a lack of small breaches relative to the number of small breaches reported by “like-situated covered entities and business associates.”10

These factors, in particular the last, illuminate the ever-expanding scope of OCR HIPAA investigations. By directing regional offices to investigate HIPAA-covered entities and business associates for both an excess and a dearth of breach reports, OCR appears focused on all entities not achieving the Goldilocks of breach reporting.

Implications for Health Care Entities

Given the current enforcement environment, all HIPAA-regulated entities should redouble efforts to ensure that they are diligently adhering to best practices with respect to the full scope of their HIPAA obligations. OCR’s increased investigatory and enforcement activities with respect to small breaches demonstrate that each and every security incident and breach must be addressed with one eye on the specific incident and the other on the entity’s HIPAA compliance program more generally.

In particular, during an investigation triggered by a small breach, OCR may request information specifically pertaining to the breach, including the:

  • Steps taken to investigate the breach, including any forensic reports;
  • Methods used to determine the number of individuals affected by a breach;
  • Manner in which breach notification was provided to individuals;
  • Actions taken to mitigate, to the extent practicable, any harmful effects of the breach;
  • Actions taken to ensure that the breach does not recur;
  • Sanctions imposed on the person(s) responsible for the breach; and
  • Enhancements made to the HIPAA training program as a result of the breach.

Here, OCR will be interested in confirming that the incident was handled in compliance with the HIPAA breach notification rule. Accordingly, the covered entity or business associate, as appropriate, must ensure that its documentation regarding the investigation and response is carefully and comprehensively compiled and maintained. OCR may also probe why certain incidents were reported and others not. HIPAA-covered entities and business associates should, therefore, ensure that every security incident is timely and sufficiently documented, including, for those incidents not reported, the supporting rationale.

During an investigation triggered by a small breach, OCR may also ask questions designed to shed light on the root causes of the breach, such as any:

  • Existing HIPAA privacy and security rule policies or procedures implicated by the breach, as well as any revisions implemented as a result of the breach;
  • Administrative, technical and physical safeguards that may have failed or been absent during the breach, such as encryption or access controls;
  • BAA oversight procedures (including with business associates and their subcontractors);
  • HIPAA risk analyses performed prior to the breach; and
  • Risk management and remediation plans in place prior to the breach.

Notably, to investigate whether systemic vulnerabilities contributed to the breach, OCR may request documentation going back six years. In this manner, OCR has been converting discrete breach investigations into more comprehensive HIPAA compliance reviews. The very broad scope of these requests shows that a small breach can now lead to a far-reaching and potentially consequential investigation.

In sum, even after a small breach, HIPAA covered entities and business associates must not only satisfy their obligations under the HIPAA breach notification rule, but also undertake to assess the root causes of the breach and remediate any deficiencies detected in their HIPAA compliance program in a holistic and timely manner.

Republished with permission from Law360.



1 Email Notification from Office of Civ. Rights to OS OCR Privacy List, OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals, OCR Security List (Aug. 18, 2016), available at (hereinafter “Email Notification from OCR”).
2 See Health & Human Servs. Office of Inspector Gen., OEI No. 09-10-0051, OCR Should Strengthen Its Followup Of Breaches Of Patient Health Information Reported By Covered Entities (September 2015), at 8, available at (hereinafter “OIG Report”).
3 Email Notification from OCR, supra note 1.
4 See, e.g., OIG Report, supra note 2; U.S. Dept. of Health & Human Servs. Office of Civ. Rights, Breach Notification Rule.
5 See U.S. Dept. of Health & Human Servs. Office of Civ. Rights, Enforcement Results by Year (Graph, Resolutions by Year and Type: Apr. 14, 2003 through Dec. 31, 2012) (showing a steady increase in the number of corrective actions obtained since 2003).
6 See, e.g., U.S. Dept. of Health & Human Servs. Office of Civ. Rights, Resolution Agreements (resolutions from 2015 to 2016 noting the importance of conducting risk analyses, implementing reasonable safeguards and entering into BAAs).
7 See App’x A. to Res. Agreement, Corrective Action Plan between the U.S. Dept. of Health & Human Servs. & Advocate Health Care Network, at § III (July 8, 2016), available at
8 See
9 Email Notification from OCR, supra note 1.
10 Email Notification from OCR, supra note 1.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
