OCR to investigate more breaches affecting 500 or fewer individuals

Staff -

HHS' Office for Civil Rights is increasing data breach investigation efforts and is making a concerted push to look into smaller breaches affecting fewer than 500 people.

The OCR investigates all reported breaches involving 500 or more individuals, and the regional offices investigate reported smaller breaches "as resources permit," according to the OCR.

But now, the OCR intends to investigate the root causes of smaller breaches more widely. "Each [regional] office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches," according to the OCR.

When deciding which breaches to investigate, the regional offices will consider the size of the breach, whether unencrypted protected health information was stolen or improperly disposed of, whether the breach involved external intrusions, and the amount and sensitivity of PHI involved.

Several OCR investigations into breaches involving fewer than 500 individuals have resulted in settlements and fines, including with the Catholic Health Care Services of the Archdiocese of Philadelphia and St. Elizabeth's Medical Center in Brighton, Mass.
