Now is a Good Time to Review Your HIPAA Policies

The HHS Office for Civil Rights (OCR) has announced it is increasing its investigations of breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals. As a reminder, the HIPAA Breach Notification Rule requires breaches of unsecured PHI to be reported; breaches involving fewer than 500 participants must be reported to the Secretary of HHS annually.  Information regarding the reporting requirement is available here.

In determining which smaller breaches to investigate, the regional offices will consider the size of breach and sensitivity of PHI involved, theft or improper disposal of unencrypted PHI, breaches involving hacking, and situations where the same covered entity or business associate is reporting multiple breaches. Regional offices may also consider the lack of reporting of breaches by an entity compared to similarly situated entities.  Information about the HIPAA enforcement process can be found here.

Resolution agreements following OCR investigations have included penalties in the millions of dollars. Covered entities and business associates should take the time to review their HIPAA privacy and security policies and procedures, confirm they have business associate agreements in place, review their policies regarding breach reporting, and determine if any updates are needed – before they face an audit or investigation.

Latest Thinking

View more Insights
Insights Center
Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their