HIPAA Blog

[ Saturday, August 27, 2016 ]

Let's try this again, again:

OCR to investigate smaller breaches. This makes sense if they want to look at entities with lots of small breaches, breaches involving the exact same fact scenario, or breaches that cause a lot of damage even though there are only a relative few victims (i.e., less than 500 affected individuals). Timing of notifications matters: OCR will find out that a big breach has occurred when the individuals find out, but won't hear about small breaches until January-February of the next year. And OCR will investigate small breaches if there's a complaint, but not necessarily if there's not.

However, this initiative really only makes sense if OCR has extra investigator time on their hands, which I'd guess they don't. Thus, what's the real rationale for a public announcement of this kind? Probably to keep people on their toes. If someone thinks they're in the clear and able to fly under the radar when the breach is less than 500 people, maybe this is intended to give them a little fear-factor and make them think twice, at least about doing a good breach risk analysis and maintaining good documentation.

PS: an earlier version of this post was garbled because I used the "less than" sign rather than the words, which triggered a weird HTML effect. Thanks to Theresa Defino for the heads up.

Jeff [10:36 AM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template