Following the settlement of a number of comparatively small patient privacy violations, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has directed its regional offices to take a more aggressive approach to breaches involving protected health information (PHI) of fewer than 500 individuals. While most providers are routinely prepared to prevent and respond to investigations, public scrutiny, and enforcement mechanisms related to breaches involving PHI of 500 or more individuals, providers of all sizes should be aware of the agency’s renewed focus on investigating “systematic noncompliance” related to small-scale breaches.
HHS referenced the following recent settlements with various covered entities (including providers and business associates) as a warning to all covered entities under the Health Insurance Portability and Accountability Act (HIPAA):
In addition to highlighting these recent breach settlements, HHS also emphasized OCR’s commitment to investigating routine compliance issues within organizations and scrutinizing regional trends stemming from underreporting. Providers and business associates of all sizes should ensure that their policies, procedures, and business associate agreements are in compliance with HIPAA standards and that they have implemented adequate corrective action plans sufficient to respond to even minor breaches and investigations by OCR.
Thank you to Aubrey Beckham, Belmont University College of Law, for her help in preparing this article.