In a blog post, “500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR,” Colin J. Zick of Foley Hoag writes:
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.
While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed. According to that same budget report, “[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals).” That’s a mere 2% of all breaches that have OCR’s full attention. The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.
Apart from the fact that I don’t like the fact that he’s right, Mr. Zick did not include subsequent statements that indicate that HHS is seeking additional resources so that it can investigate more breaches. What the fuller section of the fiscal budget request says is:
Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit. Based on OCR’s current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated. Accordingly, OCR requires additional FTE and resources to ensure it is able to conduct investigations of potential small- and mid-sized breaches.
Even under its currently limited resources, though, entities would be foolish to hope that certain types of breaches will evade investigation. As a recent news story indicates, Rowan Regional Medical Center was investigated following a privacy complaint that involved one patient. Not only were they investigated, but the investigation was subsequently re-opened.
Does HHS need greater resources so that it can investigate more complaints? Undoubtedly. In the interim, even if it is true that being under the 500 threshold reduces the likelihood of an investigation, covered entities should not count on that protecting them from investigation for issues such as employee snooping or improper handling or disposal of paper records containing PHI. Both of those appear to be “hot-button” issues for HHS in the past few years.
h/t @MarieAndreeW