In a listserv email, the Department of Health and Human Services (HHS) announced its plans to more widely investigate breaches affecting the protected health information (PHI) of fewer than 500 individuals under the Health Insurance Portability and Accountability Act (HIPAA).
In addition, the HHS regional offices may take into account the absence of reports of breaches affecting fewer than 500 individuals when comparing a particular covered entity (CE) or business associate (BA) to similarly situated CEs or BAs.
Practical Impact
HHS has investigated and obtained settlements for breaches affecting fewer than 500 individuals in the past (for example, see Legal Update, $3.5 Million HIPAA Settlement Highlights Need for Training). The agency's website indicates that the first settlement involving a breach of unsecured electronic PHI affecting fewer than 500 individuals occurred in late 2012. HHS's formal initiative on breaches affecting fewer than 500 individuals, however, appears to reflect the government's belief that investigating the "root causes" of smaller breaches may reveal the kinds of entity-wide HIPAA noncompliance that have driven some of the large and expensive settlements publicized in 2016 to date, subject to HHS's enforcement resource limits (see Legal Update, HHS Claims a Record Haul With $5.55 Million HIPAA Settlement).