HHS to Target HIPAA Breaches Affecting Fewer Than 500 Individuals | Practical Law

In a listserv email, the Department of Health and Human Services (HHS) announced its plans to more widely investigate breaches affecting the protected health information (PHI) of fewer than 500 individuals under the Health Insurance Portability and Accountability Act (HIPAA).

Practical Law Legal Update w-003-1865 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 23 Aug 2016 | USA (National/Federal)
In a listserv email distributed on August 18, 2016, HHS announced its intent to more widely investigate breaches affecting fewer than 500 individuals under HIPAA (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations). The more extensive investigations will:
  • Occur through HHS's regional offices.
  • Begin effective in August 2016.
The government has prioritized investigations of reported breaches involving PHI through the breach notification requirements added under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). Under the implementing HIPAA regulations, the "500-or-more" affected individuals threshold is the dividing line that determines when notice of a HIPAA breach must be reported to HHS: breaches affecting 500 or more individuals must be reported to HHS contemporaneously with notice to the affected individuals, while breaches affecting fewer than 500 individuals may be logged and reported to HHS annually.
As part of HHS's initiative, the various regional offices will:
  • Continue to have discretion regarding which small breaches to investigate.
  • Expand their enforcement efforts to obtain corrective action regarding HIPAA noncompliance.
In evaluating which smaller breaches to investigate, the HHS regional offices will consider:
In addition, the HHS regional offices may consider the absence of breach reports affecting fewer than 500 individuals when comparing a particular covered entity (CE) or business associate (BA) to like-situated CEs or BAs.

Practical Impact

HHS has investigated and obtained settlements for breaches affecting fewer than 500 individuals in the past (for example, see Legal Update, $3.5 Million HIPAA Settlement Highlights Need for Training). The agency's website indicates that the first settlement involving a breach of unsecured electronic PHI affecting fewer than 500 individuals occurred in late 2012. But HHS's formal initiative on breaches affecting fewer than 500 individuals appears to reflect the government's belief that investigating the "root causes" of smaller breaches may reveal the kinds of entity-wide HIPAA noncompliance that have driven some of the large and expensive settlements publicized in 2016 to date, subject to HHS's enforcement resource limits (see Legal Update, HHS Claims a Record Haul With $5.55 Million HIPAA Settlement).