OCR To Devote Greater Resources To HIPAA Breaches Affecting Fewer Than 500 Individuals

Christine Bulgozdi
Associate Editor
Loyola University Chicago School of Law, JD 2018


The Office of Civil Rights (OCR) announced in August that they would be focusing more efforts on investigating breaches of Protected Health Information (PHI) affecting fewer than 500 individuals.  Currently, regional offices investigate all breaches affecting more than 500 individuals, but only investigate those affecting fewer than 500 individuals as resources permit.  Regional offices will begin stepping up their efforts to address “entity and systemic noncompliance” through increased focus on these smaller breaches.

The regional offices will still have a great deal of discretion in deciding which breaches they choose to investigate, and OCR has provided a few factors that are intended to guide such discretion:

  • Size of the breach;
  • Whether unencrypted PHI was stolen or improperly disposed of;
  • Whether the institution’s IT system was intruded upon (such as being hacked);
  • Amount, nature, and sensitivity of the PHI involved; and/or
  • Whether a particular covered entity or business associate has had multiple breach reports raising similar issues.

Interestingly, the OCR notice also states that regional offices may be looking into suspected underreporting of entities by comparing those without breach reports to similarly situated entities.

In response to OCR’s notice, compliance programs should re-examine the following items to protect their entities against unwanted attention from OCR:

Review Breach Reporting Procedures:

All entities should evaluate whether their breach reporting procedures are effective and well communicated.  Workforce members should be clear on their reporting obligations and how to report any suspected breaches.  If an entity is experiencing very few or no breach reports, an evaluation of workforce education is necessary.  Do workforce members know what constitutes a breach?  Are those tasked with evaluating potential breaches properly analyzing these incidents?

Risk Analysis:

In compliance with HIPAA requirements, entities should be performing thorough and accurate risk analyses.  This is an effort that shouldn’t be undertaken simply to comply with the law, but rather to proactively identify any vulnerabilities and correct them before governmental agencies have the chance to step in.

Data Security and Encryption Measures:

Compliance programs must work closely with IT to ensure that systems containing ePHI are as secure as possible.  Additional safeguards should be considered and implemented to reduce the likelihood of improper PHI disposal or any unwanted intrusions on an entity’s network.  In conjunction with required HIPAA training, workforce members should be educated on how to identify potential threats to the entity’s network, especially those threats presenting themselves in the form of phishing emails.

Business Associates:

An evaluation of all vendors should be executed to confirm that each vendor that requires a Business Associate Agreement (BAA) has one in place.  Entities should also confirm that Business Associate’s subcontractors also have a BAA in place.  Agreements should adequately express the need for Business Associates (and their subcontractors) to protect PHI to the same degree as the covered entity itself.


Each and every security incident should be thoroughly documented and recorded.  Documentation should include what occurred to create the breach, who was affected, and how the entity responded.  If any compliance improvements were made as a result of a breach or a risk analysis, these efforts should also be documented.

This announcement from OCR should only reaffirm the importance of having strong and effective privacy practices.  With privacy concerns clearly on the forefront of OCR’s agenda, entities should take the time to reevaluate their current practices to ensure they are protecting their patient’s privacy to the best of their ability.