Small Breaches Matter Too: OCR Broadens HIPAA Breach Investigations
Healthcare Alert | 2 min read
Aug 26, 2016
The Regional Offices of the Department of Health and Human Services Office for Civil Rights (OCR) already investigate every reported Health Insurance Portability and Accountability Act (HIPAA) breach affecting 500 or more individuals, but now they will intensify efforts to scrutinize smaller breaches too. According to OCR, the root causes of small breaches may indicate entity-wide and industry-wide noncompliance with HIPAA regulations. By investigating the breaches of fewer than 500 individuals, OCR can evaluate an entity's compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA regulated entities.
For breaches involving less than five hundred individuals, a covered entity is required to maintain a log and collectively report to OCR all such breaches occurring during a calendar year within sixty days of the end of the calendar year. OCR regional offices still retain discretion to prioritize which smaller breaches to investigate. In assessing breaches, the factors OCR Regional Offices will consider include:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI (protected health information);
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
Regions may take into account the lack of small breach reports when comparing a specific covered entity or business associate to others that are similarly situated. OCR regional offices may also consider covered entities with multiple small breaches as a better target of an investigation.
What It Means for You
The announcement emphasizes the importance of HIPAA compliance and the continued rise of HIPAA enforcement. Covered entities and business associates should assess, audit, and monitor HIPAA compliance on a regular basis, and any entity that reports a breach should be prepared for an audit and/or investigation. HIPAA financial penalties can be substantial, so all reasonable safeguards to avoid HIPAA privacy or security breaches should be instituted.
Hinshaw attorneys have significant experience in advising health care organizations on HIPAA privacy and security compliance matters. For further information, please contact Michael A. Dowell or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.
Related People
Related Capabilities
Featured Insights
Press Release
Dec 4, 2025
Hinshaw Recognized by the Leadership Council for Legal Diversity as a 2025 Top Performer
Press Release
Nov 25, 2025
Hinshaw Legal Team Secures Summary Judgment in Gas Station Injury Case
Press Release
Dec 4, 2025
Hinshaw Recognized by the Leadership Council for Legal Diversity as a 2025 Top Performer
Press Release
Nov 25, 2025
Hinshaw Legal Team Secures Summary Judgment in Gas Station Injury Case
Press Release
Nov 18, 2025
Hinshaw Releases the Third Edition of Duty to Defend: A Fifty-State Survey
In The News
Nov 13, 2025
A Profile on Neil Rollnick: After 57 Years in Practice, He Has No Plans to Retire
Privacy, Cyber & AI Decoded Alert
Oct 22, 2025
Press Release
Oct 22, 2025
Hinshaw & Culbertson LLP Launches New Website and Refreshed Brand
