The Department of Health and Human Services’ Office for Civil Rights (OCR) is the main enforcer of the HIPAA Rules. All complaints about potential violations of the HIPAA Rules are followed up, and OCR data breach investigations are initiated for all breaches that impact 500 or more individuals.
That is not to say that data breaches involving the exposure or theft of fewer than 500 records are never investigated, only that with limited funding and resources, larger data breaches are given priority. Smaller data breaches are investigated as resources permit, with the investigations most commonly conducted by OCR’s regional offices. However, according to a recent statement issued by the HHS, OCR data breach investigations will increasingly be conducted following smaller PHI breaches.
The largest penalties for HIPAA violations have previously been issued to organizations that have experienced large-scale breaches, although notable settlements have been reached following reports of small-scale breaches.
In June 2016, OCR announced a $650,000 settlement had been reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The investigation was conducted following a data breach involving 412 patient records.
In November 2015, a $3.5 million settlement was reached with Triple-S Management Corporation. In this case, the organization had experienced multiple small breaches of PHI over a short space of time.
QCA Health Plan, Inc., settled potential HIPAA violations with OCR that were discovered during an investigation into a breach of 148 records. QCA Health Plan agreed to pay $250,000 to resolve the case.
The first financial settlement with OCR following a data breach involving fewer than 500 records was reached in January 2013. The Hospice of North Idaho agreed to a financial settlement of $50,000 following a breach of 441 records.
While large-scale breaches certainly warrant a detailed investigation, the root cause of small-scale breaches may also be a serious violation of HIPAA Rules. Only by investigating these breaches will OCR be able to determine whether organizations are complying with HIPAA Rules. By increasing the number of investigations, OCR will be able to gain a much better understanding of the level of compliance.
According to a recent press release, OCR data breach investigations for breaches of fewer than 500 records will continue to be conducted by regional offices and priority will be given to larger breaches. However, organizations reporting breaches of fewer than 500 records are going to be scrutinized more closely.
The regional offices will be looking at the number of records exposed or compromised, whether IT systems have been breached, the extent of the PHI that was exposed or stolen, and the volume of breaches that have been reported by a covered entity.
If OCR data breach investigations reveal that the HIPAA Rules have been violated, the covered entity may be penalized financially. OCR is permitted to issue fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist. Even a small breach could therefore lead to a multi-million dollar fine if an investigation reveals multiple violations of the HIPAA Rules that persisted over several years.