DataBreaches.Net


Coming in "under the line:" when breaches affect less than 500 individuals

Posted on February 21, 2011 by Dissent

In a blog post, “500 Is a Magic Number:  Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR,” Colin J. Zick of Foley Hoag writes:

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, “[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals).”  That’s a mere 2% of all breaches that have OCR’s full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Apart from the fact that I don’t like the fact that he’s right, Mr. Zick did not include subsequent statements that indicate that HHS is seeking additional resources so that it can investigate more breaches. What the fuller section of the fiscal budget request says is:

Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit. Based on OCR’s current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated. Accordingly, OCR requires additional FTE and resources to ensure it is able to conduct investigations of potential small- and mid-sized breaches.

Even under its currently limited resources, though, entities would be foolish to hope that certain types of breaches will evade investigation. As a recent news story indicates, Rowan Regional Medical Center was investigated following a privacy complaint that involved one patient. Not only were they investigated, but the investigation was subsequently re-opened.

Does HHS need greater resources so that it can investigate more complaints? Undoubtedly.  In the interim, even if it is true that being under the 500 threshold reduces the likelihood of an investigation, covered entities should not count on that protecting them from investigation for issues such as employee snooping or improper handling or disposal of paper records containing PHI. Both of those appear to be “hot-button” issues for HHS in the past few years.

h/t @MarieAndreeW

Category: Health Data
