OCR To Devote Greater Resources To HIPAA Breaches Affecting Fewer Than 500 Individuals

Christine Bulgozdi
Associate Editor
Loyola University Chicago School of Law, JD 2018

Published September 9, 2016 on the Loyola University Chicago School of Law compliance blog (https://blogs.luc.edu/compliance/?p=154). Tags: breach, breach reporting, business associate agreement, OCR, PHI, cybersecurity, risk analysis.

The Office of Civil Rights (OCR) announced in August (https://list.nih.gov/cgi-bin/wa.exe?A2=OCR-PRIVACY-LIST;65d278ee.1608) that it would be focusing more effort on investigating breaches of Protected Health Information (PHI) affecting fewer than 500 individuals. Currently, regional offices investigate all breaches affecting more than 500 individuals, but investigate those affecting fewer than 500 individuals only as resources permit. Regional offices will begin stepping up their efforts to address "entity and systemic noncompliance" through increased focus on these smaller breaches.

The regional offices will still have a great deal of discretion in deciding which breaches they choose to investigate, and OCR has provided a few factors that are intended to guide that discretion:

- Size of the breach;
- Whether unencrypted PHI was stolen or improperly disposed of;
- Whether the institution's IT system was intruded upon (such as being hacked);
- Amount, nature, and sensitivity of the PHI involved; and/or
- Whether a particular covered entity or business associate has had multiple breach reports raising similar issues.

Interestingly, the OCR notice also states that regional offices may look into suspected underreporting by entities, by comparing those without breach reports to similarly situated entities.

In response to OCR's notice, compliance programs should re-examine the following items to protect their entities against unwanted attention from OCR:

Review Breach Reporting Procedures:

All entities should evaluate whether their breach reporting procedures are effective and well communicated. Workforce members should be clear on their reporting obligations and on how to report any suspected breach. If an entity is receiving very few or no breach reports, an evaluation of workforce education is necessary. Do workforce members know what constitutes a breach? Are those tasked with evaluating potential breaches properly analyzing these incidents?

Risk Analysis:

In compliance with HIPAA requirements, entities should be performing thorough and accurate risk analyses (https://www.healthit.gov/providers-professionals/security-risk-assessment). This is an effort that should not be undertaken simply to comply with the law, but rather to proactively identify vulnerabilities and correct them before governmental agencies have the chance to step in.

Data Security and Encryption Measures:

Compliance programs must work closely with IT to ensure that systems containing ePHI are as secure as possible. Additional safeguards should be considered and implemented to reduce the likelihood of improper PHI disposal or of any unwanted intrusion into an entity's network. In conjunction with required HIPAA training, workforce members should be educated on how to identify potential threats to the entity's network, especially those that arrive in the form of phishing emails.

Business Associates:

An evaluation of all vendors should be carried out to confirm that each vendor that requires a Business Associate Agreement (BAA) has one in place. Entities should also confirm that Business Associates' subcontractors have a BAA in place. Agreements should adequately express the need for Business Associates (and their subcontractors) to protect PHI to the same degree as the covered entity itself.

Documentation:

Each and every security incident should be thoroughly documented and recorded. Documentation should include what occurred to create the breach, who was affected, and how the entity responded. If any compliance improvements were made as a result of a breach or a risk analysis, these efforts should also be documented.

This announcement from OCR should only reaffirm the importance of having strong and effective privacy practices. With privacy concerns clearly at the forefront of OCR's agenda, entities should take the time to reevaluate their current practices to ensure they are protecting their patients' privacy to the best of their ability.