Ophthalmology and Optometry Coding Alert

Patient Privacy:

HHS Targets Small HIPAA Breaches for Increased Scrutiny

New focus could impact eye care practices that aren’t part of big health systems.

It may be October, but you’d better make a HIPAA compliance list and check it twice before the HHS Office for Civil Rights auditors come knocking.

Many eye care offices might be at increased risk of HIPAA investigation and enforcement efforts, thanks to OCR’s recent announcement that it will redouble its regional offices’ efforts in investigating smaller HIPAA breaches involving fewer than 500 individuals.

Old way: Up until now, OCR’s Regional Offices (ROs) focused their enforcement attentions on investigating larger breaches involving the protected health information of 500 or more individuals, but investigated smaller breaches only “as resources permit,” an August announcement from OCR stated.

New way: Now, the ROs will more widely investigate these smaller breaches. “The root causes of breaches may indicate entity-wide and industrywide noncompliance with HIPAA’s regulations,” OCR says. “And investigation of breaches provides ... an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.”

This announcement emphasizes that OCR can detect both large-scale trends among HIPAA-regulated entities as well as entity-specific compliance issues by investigating breaches, notes New York City-based attorney Lindsay Borgeson of Epstein Becker & Green. The announcement should also serve as a warning to ensure that your “breach reporting and other HIPAA compliance efforts are up-to-date and ready to withstand any potential scrutiny from OCR.”

Beware Laptop, Device Thefts

Although ROs will still have discretion to prioritize their investigations of smaller breaches, OCR has directed each office to increase its efforts to identify and deliver corrective action to address breach-related noncompliance. OCR has instructed regional offices to consider specific factors, such as:

  1. The size of the breach;
  2. Theft or improper disposal of unencrypted PHI;
  3. Breaches involving unwanted intrusions to IT systems (for example, by hacking);
  4. The amount, nature, and sensitivity of the PHI involved; and/or
  5. Instances where numerous breach reports from a particular covered entity (CE) or business associate (BA) raise similar issues.

OCR’s new interest in investigating smaller breaches may arise from the multitude of such incidents in recent months. In the announcement, OCR highlighted recent investigations and settlements involving small-scale breaches like the Catholic Health Care Services case, based on an employee’s iPhone theft (See Ophthalmology Coding Alert, Vol. 19, no. 9).

Lack of Breach Reports Also Red Flag

If you pride yourself on your spotless HIPAA record, you may want to reconsider. In announcing increased scrutiny of small breach report cases, OCR also states that its regional offices may consider whether or not a CE or BA has any breach reports impacting fewer than 500 individuals when compared with other CEs or BAs, according to Chicago-based attorney Valerie Breslin Montague of Nixon Peabody. “This implies that it is not only breach reports that may trigger an investigation, but, likely for large systems or organizations, the lack thereof as compared to peer entities.”

“In other words, if everyone else like you reports breaches and you don’t, why not?” points out Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems.

Another layer to this change is that OCR has noted that it may consider the lack of breach reports for a region, suggesting that OCR is interested in investigating the possibility of under-reporting, notes Borgeson.

In short, the word from the government is clear—just because your practice is small doesn’t mean you’re excused from meeting the HIPAA requirements.