The HHS Office for Civil Rights (OCR) has announced it is increasing its investigations of breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals. As a reminder, the HIPAA Breach Notification Rule requires breaches of unsecured PHI to be reported; breaches involving fewer than 500 participants must be reported to the Secretary of HHS annually. Information regarding the reporting requirement is available here.

In determining which smaller breaches to investigate, the regional offices will consider the size of the breach and the sensitivity of the PHI involved, theft or improper disposal of unencrypted PHI, breaches involving hacking, and situations where the same covered entity or business associate is reporting multiple breaches. Regional offices may also consider the lack of reporting of breaches by an entity compared to similarly situated entities. Information about the HIPAA enforcement process can be found here.

Resolution agreements following OCR investigations have included penalties in the millions of dollars. Covered entities and business associates should take the time to review their HIPAA privacy and security policies and procedures, confirm they have business associate agreements in place, review their policies regarding breach reporting, and determine if any updates are needed – before they face an audit or investigation.