HIPAA For MSPs by David Sims: OCR Small Breach Investigations

The OCR memo “OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals” states:

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The increase in OCR small breach investigation will hopefully decrease minor breaches and therefore stop even larger breaches.

Factors that Regional Offices will consider include:

  • The size of the breach
  • Theft of or improper disposal of unencrypted PHI
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

Other OCR small breach investigations

  • BA’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
  • Catholic Health loss of an unencrypted iPhone affected 412 patients
    • First BA settlement
    • Under 500 patients involved
  • Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
    • Puerto Rico – multiple breach notifications
  • St. Elizabeth’s Medical Center
    • HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
    • A complaint was filed by several workforce members that documents were being shared on internet-based computers without security in place. This involved 498 patients.
    • 595 patients on a personal laptop and USB flash drive of a former employee
    • Resolution agreement
  • QCA Health Plan in Arkansas
    • 148 patients on a laptop that was stolen from an employee’s car
    • $250,000 settlement was the result
  • Hospice of North Idaho (HONI) settles HIPAA security case for $50,000
    • HHS announces first HIPAA breach settlement involving less than 500 patients
    • 441 patients on a laptop stolen from a car

Get your documentation in order

  • Be able to present your risk analysis
  • Have proof of actions taken after the risk analysis
  • Document every time you talk about HIPAA, even if you decide to do nothing