On August 18, 2016, the Office for Civil Rights (OCR) announced an initiative to more widely investigate breaches affecting fewer than 500 individuals. Although covered entities are required to report breaches affecting any number of individuals, to date OCR’s regional offices have focused on investigations of reported breaches involving the protected health information (PHI) of 500 or more individuals, and have only investigated reports of smaller breaches as resources permitted. In practice, this meant that if a covered entity reported a smaller breach, in many cases it was unlikely that OCR would follow up with additional questions or an investigation.
Starting this month, scrutiny of reported breaches affecting fewer than 500 individuals will increase. OCR regional offices plan to increase efforts to investigate the “root causes” of such breaches, and to obtain corrective action to address what OCR refers to as systemic noncompliance.
It is likely that many small breaches are never reported to OCR, either because a covered entity does not realize the incident is a reportable event, or because a covered entity that determines the breach otherwise poses little risk of exposure is not inclined to report it and does not want to invite further investigation of its compliance practices generally. This recent announcement by OCR could further discourage some covered entities from self-reporting smaller breaches, given that the stakes now appear higher.
However, a covered entity should report any security incident that it determines to be a reportable breach, regardless of size, in order to comply with the requirements of HIPAA. If that is not enough incentive for covered entities, OCR has made the following statement:
Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.
This statement, which is somewhat downplayed by being placed at the end of OCR’s announcement, is noteworthy. Although not expressly stated, it appears that OCR is indicating there may be consequences if a covered entity shies away from reporting breaches as required by HIPAA. If a covered entity shows up as an outlier with low reporting levels compared to other similarly situated covered entities, that in itself could trigger an investigation. Breaches can occur in a number of ways, whether intentional or inadvertent, big or small, so reports of routine and minor breaches do not necessarily reflect badly on an organization; in fact, they are to be expected. An absence of such reports could signal compliance issues to OCR, ranging anywhere from intentionally avoiding reporting a breach to not having a compliance program in place, including workforce training and policies addressing what constitutes a breach and what to do in the event of one.
The decision whether to report a breach has two steps – whether there was a use or disclosure not permitted by the privacy rule, and if so, whether PHI was “compromised.” If the first part of the test is met, the incident is reportable unless the covered entity establishes and documents that the PHI was not compromised. Careful documentation of this analysis may help to demonstrate that a low reporting rate is not indicative of systemic noncompliance.
For more information, please contact Paul Smith or Steve Phillips in San Francisco at 415.875.8500, Hope Levy-Biehl or Amy Joseph in Los Angeles at 310.551.8111, Bob Roth in Washington, D.C. at 202.580.7701 or Stanton Stock in San Diego at 619.744.7313.