HHS: Smaller Health Data Breaches to Be Investigated Now



The federal government intends to investigate more small data breaches of protected health information, HHS announced Aug. 18.

The Department of Health and Human Service’s Office of Civil Rights announced the initiative in an email, stating it would investigate all reported breaches involving the PHI of fewer than 500 people.

Covered entities are required to comply with the HIPAA breach notification rule following a breach of unsecured protected health information.  This includes notifying affected individuals, HHS and prominent area media outlets in cases where over 500 individuals are affected. 

The OCR previously prioritized large data breaches, directing regional offices to investigate all reported breaches involving the PHI of 500 or more individuals and those involving the PHI of fewer than 500 individuals as resources permit. 

Investigation Selection 

OCR provided the following list as factors used to determine whether or not a small breach will be investigated, noting that regional OCR offices retain discretion in prioritizing investigations: 

• The size of the breach;

• Theft of or improper disposal of unencrypted PHI;

• Breaches that involve unwanted intrusions to IT systems (for example, by hacking); 

• The amount, nature and sensitivity of the PHI involved; or 

• Instances where numerous breach reports from a particular covered entity or business associate raise similar issues. 

The OCR said the initiative, set to begin in August, is meant to investigate the root causes of small data breaches.  

Health-Care Breaches and Costs Surge

The health-care industry became the most frequently attacked industry in 2015, according to a report by IBM. In addition to increase in attacks, data breaches cost health-care organizations more than any other industry. (See related story, Health-Care Cybersecurity Rose to Fever Pitch in 2015.)  

The average cost of a data breach at a health-care organization in the U.S. could cost as much as $401 per stolen record, compared to the average cost across industries of $221 per stolen record, according to 2016 Cost of Data Breach Study:  United States by IBM and Ponemon Institute.

Health-care records are uniquely valuable on the black market since they contain information that can remain valid for decades such as credit card data, email addresses, Social Security numbers, employment information and medical history.

Gain access to the most reliable source for comprehensive pension and benefits and executive compensation research with a free trial to the Benefits Practice Resource Center.