Most Health Insurance Portability and Accountability Act (HIPAA) enforcement has focused on the larger breaches of protected health information (PHI). But the U.S. Department of Health and Human Services (HHS) has not forgotten those incidents that fall below the “major” threshold of 500 individuals.

HHS’ Office for Civil Rights (OCR) “has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” OCR announced August 18. “Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

HIPAA requires major breaches to be reported to OCR without “unreasonable delay,” and within 60 days at the most. Smaller breaches must be logged and reported annually, within 60 days of the end of the calendar year in which they were discovered.

Most of the OCR enforcement actions that culminated in big-money settlements, such as the recent record $5.5 million payment by Advocate Health Care Network, have begun when the health plan or provider reported a major breach to the agency.

However, some minor breaches also have proven costly, such as that involving business associate Catholic Health Care Services (CHCS). After CHCS had a mobile device stolen with data on 421 patients, this nursing home management organization ultimately agreed to pay $650,000 in a resolution agreement with OCR.

OCR has prioritized investigation of breach reports, the agency explained, because they may be signs of broader HIPAA compliance problems, and because it “provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.”

In prioritizing investigation of smaller breaches, OCR regional offices will consider:

• The size of the breach;
• Theft or improper disposal of unencrypted PHI;
• Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
• The amount, nature, and sensitivity of the PHI involved; and
• Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

A covered entity or business associate also may trigger OCR scrutiny if it has reported fewer minor breaches than other similar ones, the agency added.

“The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation,” observed BakerHostetler attorney Scott Koller in a blog post. “Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking.”