Most Health Insurance Portability and Accountability Act (HIPAA) enforcement has focused on the larger breaches of protected health information (PHI). But the U.S. Department of Health and Human Services (HHS) has not forgotten those incidents that fall below the “major” threshold of 500 individuals.
HHS’ Office for Civil Rights (OCR) “has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” OCR announced August 18. “Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
HIPAA requires major breaches to be reported to OCR without “unreasonable delay,” and within 60 days at the most. Smaller breaches must be logged and reported annually, within 60 days of the end of the calendar year in which they were discovered.