Data theft, ransomware, network attacks, and accidental privacy violations affect healthcare organizations of all sizes. In the past, HHS Office for Civil Rights (OCR) has focused on investigating breaches of 500 individuals or more and only investigated smaller HIPAA breaches as resources allowed. However, earlier this month the OCR announced that its regional offices have been instructed to more broadly investigate the causes of breaches affecting fewer than 500 people.

OCR stated that officials “will still retain discretion to prioritize which smaller breaches to investigate but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.” It has also been reported that the OCR will hone in on practices where “numerous breach reports from a particular covered entity or business associate raise similar issues.”

Some recent smaller breach settlements include St. Elizabeth’s Medical Center in Boson that used a web-based document sharing app to manage the information of at least 498 patients. Another example is Catholic Health Care Services which settled for $650,000 after a stole iPhone compromised the PHI of 412 nursing home residents. One of the first small HIPAA breach settlements was in 2013 for $50,000. Hospice of North Idaho reported that an unencrypted laptop was stolen, compromising less than 500 patient’s data.