The U.S. Office for Civil Rights (OCR) says it is now working with its regional offices to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.
Among other things, regional investigators will look for incidents involving improper disposal or theft of unencrypted Protected Health Information (PHI), and inappropriate access to IT systems.
Here are examples of settlements in smaller breaches:
Catholic Health Care Services, relating to a business associate’s failure to safeguard nursing home residents’ PHI: $650,000.
St. Elizabeth’s Medical Center, relating to allegations that staff used an internet-based, document-sharing application to store PHI without having analyzed risks: $218,400.
Hospice of North Idaho, relating to an unencrypted laptop computer containing electronic protected health information: $50,000.