The recent spike in the number of healthcare industry data breaches, many resulting from alleged HIPAA violations, has spawned a new federal government response. On August 18, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced that it will begin devoting more resources to investigating data breaches involving protected health information (PHI) affecting fewer than 500 people.

The OCR has almost always investigated breaches involving more than 500 individuals, but it generally hasn't had the manpower to investigate smaller breaches. The new initiative will be handled primarily through the OCR's regional offices, which will consider the following five factors in deciding which breaches to investigate:

  • The size of the breach;
  • The theft of or improper disposal of unencrypted PHI;
  • Whether the breach involved an intrusion into a computer system (e.g., hacking);
  • The amount, nature and sensitivity of the PHI affected; and
  • Repeated breach reports from a particular covered entity or business associate.
