
OCR Now Investigating Breaches of Fewer Than 500 Patients

14 Tips to Reduce Breaches

OCR announced that it has begun devoting more resources to investigating smaller breaches, those affecting fewer than 500 patients. This is a change in direction for an agency that previously focused on breaches and other violations involving a large number of individuals or presenting a particularly egregious issue. OCR makes it clear that its decision on which reported incidents to investigate will no longer depend only on the size of the breach. It has instructed its regional offices to investigate more broadly the causes of these smaller breaches, and it seeks a better understanding of how breaches occur and what can be done to guard against them. OCR recognizes that its move toward investigating smaller breaches will be limited by available resources and will require discretion in deciding how many, and which, breaches to investigate.

OCR’s intent is to encourage covered entities to guard more aggressively against all breaches, regardless of size. Priority is to be given where “numerous breach reports from a particular covered entity or business associate raise similar issues.” For breaches affecting fewer than 500 individuals, the covered entity must notify HHS within 60 days after the end of the calendar year, reporting all such breaches from the prior calendar year at the same time. The local Regional Office then decides whether to open an investigation.

This policy change is not aimed at isolated instances of minimal impact, but rather at finding organization- or industry-wide causes of non-compliance. Accordingly, effective now, each regional office will increase its efforts to identify entities with systemic non-compliance and find ways to reduce the problem. This coincides with OCR’s current implementation of its Phase II Audit Program, which increases HIPAA oversight and, in turn, the likelihood of an OCR audit or investigation. The factors OCR identified for Regional Offices to weigh when deciding whether to investigate a breach are:

  • Size of the breach
  • Theft of or improper disposal of unencrypted PHI
  • Improper intrusions to IT systems (e.g., hacking)
  • Amount, nature, and sensitivity of PHI involved
  • Multiple breach reports from an entity or business associate

Camella Boateng, a HIPAA compliance expert and consultant, notes: “With this new broader investigative mandate, it is reasonable to assume that there will be more enforcement actions and settlements to come. Furthermore, the most serious consequence of this policy direction is that it will likely affect physicians more than anyone else, because they are responsible for most breaches and predominated in breaches of fewer than 500 patient records that went largely unnoticed or were not made public. Additionally, the primary cause of the breaches has been mobile devices, with lost or stolen devices representing more than two thirds of HIPAA breaches. The dependency on mobile devices such as smartphones and tablets to communicate information about patients continues to increase. Therefore, the best advice for those responsible for HIPAA compliance is to focus on physician mobile device security. This area often does not receive the needed attention, resulting in the failure to require proper passwords for accessing information, not encrypting stored data, and using Wi-Fi or unsecured cellular networks to send and receive information, which risks exposing ePHI.”

Another HIPAA compliance expert, Carrie Kusserow, suggests that an independent security review is best practice and offers the following 14 tips to reduce the risk of breaches involving mobile devices:

Mobile Device Security Tips

  1. Establish policies, protocols, processes, and procedures for use of mobile devices.
  2. Keep an inventory of personal mobile devices authorized for use, access, and transmission of ePHI.
  3. Establish rules for use of personal mobile devices.
  4. Use a device key, password, or other user authentication to verify identity of users.
  5. Install and/or enable encryption that protects PHI stored on and sent by mobile devices.
  6. Install or enable firewalls and regularly update security software.
  7. Install or activate remote wiping and/or disabling.
  8. Ensure those with devices maintain them under personal control or under lock and key.
  9. Install radio frequency identification (“RFID”) tags to help locate a lost/stolen mobile device.
  10. Establish remote shutdown tools that can remotely lock lost mobile devices.
  11. Disable, or do not install or use, file-sharing applications on devices used for ePHI transmission.
  12. Establish electronic processes to ensure ePHI is not destroyed or altered by unauthorized parties.
  13. Train on procedures when using mobile devices to access ePHI.
  14. Delete all stored PHI before reusing or discarding a device.