Nursing home settlement spurs HHS to investigate small health data breaches

The OCR will increase focus on breaches involving health data of fewer than 500 patients

A recent case involving a stolen iPhone containing nursing home residents' medical records has prodded federal officials to place more scrutiny on smaller healthcare data breaches, according to the Department of Health and Human Services Office for Civil Rights.

The OCR referenced five “small” breaches – involving the health data of fewer than 500 patients – in an email announcement sent Thursday. Among them is the case of Catholic Health Care Services of the Archdiocese of Philadelphia, which paid a $650,000 settlement after a phone with more than 400 residents' information was stolen in 2014.

Those smaller cases are typically investigated by OCR's regional offices, but beginning this month the agency will kick off a wider initiative into the “root causes” of such small breaches, the announcement said. Regional offices will still prioritize which breaches to investigate, but will ramp up efforts to address noncompliance and issue corrective actions.

Among the factors that will figure into the investigations are the size of the breach, theft or improper disposal of unencrypted health data, breaches caused by “unwanted intrusions” to providers' IT systems such as hacking, and the nature and sensitivity of the data involved.

The new investigations will apply to HIPAA-covered entities, including nursing homes and other long-term care providers that transmit health information in electronic form.

The OCR's announcement also cited the first-ever “small” breach settlement involving a laptop stolen from an Idaho hospice organization.