[ Saturday, August 27, 2016 ]
Let's try this again, again:
OCR to investigate smaller breaches. This makes sense if they want to look at entities with lots of small breaches, breaches involving the exact same fact scenario, or breaches that cause a lot of damage even though there are only a relatively few victims (i.e., less than 500 affected individuals). Timing of notifications matters: OCR will find out that a big breach has occurred when the individuals find out, but won't hear about small breaches until January-February of the next year. And OCR will investigate small breaches if there's a complaint, but not necessarily if there's not.

However, this initiative really only makes sense if OCR has extra investigator time on their hands, which I'd guess they don't. Thus, what's the real rationale for a public announcement of this kind? Probably to keep people on their toes. If someone thinks they're in the clear and able to fly under the radar when the breach is less than 500 people, maybe this is intended to give them a little fear-factor and make them think twice, at least about doing a good breach risk analysis and maintaining good documentation.
PS: an earlier version of this post was garbled because I used the "less than" sign rather than the words, which triggered a weird HTML effect. Thanks to Theresa Defino for the heads up.
Jeff [10:36 AM]