Small Breaches Matter Too: OCR Broadens HIPAA Breach Investigations
Healthcare Alert | 2 min read
Aug 26, 2016
The Regional Offices of the Department of Health and Human Services Office for Civil Rights (OCR) already investigate every reported Health Insurance Portability and Accountability Act (HIPAA) breach affecting 500 or more individuals, but now they will intensify efforts to scrutinize smaller breaches too. According to OCR, the root causes of small breaches may indicate entity-wide and industry-wide noncompliance with HIPAA regulations. By investigating the breaches of fewer than 500 individuals, OCR can evaluate an entity's compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA regulated entities.
For breaches involving less than five hundred individuals, a covered entity is required to maintain a log and collectively report to OCR all such breaches occurring during a calendar year within sixty days of the end of the calendar year. OCR regional offices still retain discretion to prioritize which smaller breaches to investigate. In assessing breaches, the factors OCR Regional Offices will consider include:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI (protected health information);
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature and sensitivity of the PHI involved; and
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
Regions may take into account the lack of small breach reports when comparing a specific covered entity or business associate to others that are similarly situated. OCR regional offices may also consider covered entities with multiple small breaches as a better target of an investigation.
What It Means for You
The announcement emphasizes the importance of HIPAA compliance and the continued rise of HIPAA enforcement. Covered entities and business associates should assess, audit, and monitor HIPAA compliance on a regular basis, and any entity that reports a breach should be prepared for an audit and/or investigation. HIPAA financial penalties can be substantial, so all reasonable safeguards to avoid HIPAA privacy or security breaches should be instituted.
Hinshaw attorneys have significant experience in advising health care organizations on HIPAA privacy and security compliance matters. For further information, please contact Michael A. Dowell or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.
Related People
Related Capabilities
Featured Insights

Lawyers' Lawyer Newsletter
Jun 29, 2026
Beyond Malpractice: The Rising Threat of Privacy and Statutory Claims Against Lawyers

In The News
Jun 26, 2026
Brian McGrath Discusses Far-Reaching Impact of a NY Foreclosure Ruling on Mortgage Industry

In The News
Jun 26, 2026
Jason Oliveri Discusses AI Companions in Elder Care and the Risks for LGBTQ+ Residents

Event
June 25-26, 2026
Todd Young Speaks on Importance of Financial Literacy to ESOP Culture

Press Release
Jun 25, 2026
Scott Seaman Appointed to DRI Center for Law and Public Policy’s Social Inflation Task Force

In The News
Jun 23, 2026
Michael Dowell Explores New OIG Compliance Expectations for MAOs

Press Release
Jun 23, 2026
Jennifer Driscoll Reappointed as the ABA Antitrust Law Section Co-Chair of Comments

Press Release
Jun 22, 2026
Hinshaw Named a Client Service Standout Firm in BTI Consulting Client Service A-Team 2026

In The News
Jun 22, 2026
Lucy Wang Discusses California Insurance Solvency Regulation Addressing Climate Risks




