The Details Behind HHS Breach Investigation Ramp-Up
How HHS Office for Civil Rights Will Probe Smaller Breaches
The Department of Health and Human Services' Office for Civil Rights is ramping up and standardizing how smaller health data breaches are investigated by its regional offices, adding staff to support the effort, says Iliana Peters, OCR's senior adviser for HIPAA compliance and enforcement.
Under the HIPAA Breach Notification Rule that went into effect in 2009, OCR regional offices investigate all breaches of protected health information affecting 500 or more individuals. Those major incidents also get posted on OCR's "wall of shame" website.
But until now, OCR's regional offices only investigated smaller breaches affecting fewer than 500 individuals on a limited basis. Those offices are getting additional resources to more widely investigate the root causes of smaller breaches and to standardize OCR's approach to investigation of those incidents, Peters explains in an interview with Information Security Media Group.
The new initiative, which was unveiled last week, aims to ensure that "regional offices are on the same page in terms of how they address reports of smaller breaches," she says. The effort addresses a recommendation made in a September 2015 report by HHS' Office of Inspector General that asked OCR to take "a closer look at smaller breaches," she explains.
"This doesn't necessarily mean all regions will have an uptick in work in this area - many of them are doing a good job of this already. But we wanted to make sure we had a standard approach to looking at these reports."
The effort is also aimed at making sure that covered entities and business associates submit adequate reports of smaller breaches. "We're putting the industry on notice that they may receive [OCR] data requests in this area, but also to remind them to take a closer look at their compliance practices in regards to these smaller breaches."
In its investigations of smaller breaches, Peters says, OCR will in particular be on the lookout for organizations that have multiple smaller breaches stemming from the same causes, such as mismailings, "that might indicate that the covered entity needs to take a closer look at administrative safeguards."
As a result of the ramped-up effort to scrutinize smaller breaches, Peters says, "we do expect the number of investigations to grow in the next year or so." The investigations will not only look at potential widespread compliance issues at the reporting organizations, but also aim to spot egregious concerns, such as criminal activities involving data theft. When criminal incidents are uncovered, OCR will refer the cases to the U.S. Department of Justice, Peters notes.
While breaches impacting 500 or more individuals must be reported to OCR within 60 days of discovery, smaller incidents must be reported annually. OCR plans to release its latest bi-annual report to Congress on smaller breaches in the coming weeks. That report will cover breaches reported to OCR in 2013 and 2014.
Funding for OCR's ramped-up investigative activities is coming, in part, from recent OCR enforcement activities, Peters acknowledges.
So far in 2016, OCR has announced 10 enforcement actions, including a recent record $5.55 million settlement with Chicago-based Advocate Health Care in the wake of an investigation into three 2013 breaches. OCR's 10 settlements this year raised a total of about $20.5 million, more than in any previous year (see 2016 Watershed Year for HIPAA Enforcement).
In the interview, Peters also discusses:
- How the investigations into smaller breaches will be similar to OCR's scrutiny of larger breaches;
- The types of smaller breaches most likely to be investigated;
- A status update on OCR's HIPAA compliance audit program that's underway, including situations when an audit could potentially result in a financial settlement or corrective action plan with the agency.
As senior adviser for HIPAA compliance and enforcement at the HHS Office for Civil Rights, Peters, an attorney, is the "national lead" for OCR enforcement of the HIPAA rules. She works closely with OCR's regional offices to promote HIPAA compliance, including through resolution agreements. Additionally, she supports many other OCR policy and outreach initiatives, including cybersecurity, and training and guidance on the rules. Before joining the OCR team in Washington, Peters worked as an OCR investigator in the Dallas regional office.