Office for Civil Rights Plans to Investigate Smaller Healthcare Breaches

By: Arieanna Schweber | 8/30/2016

While big breaches grab all the headlines, smaller breaches can cause just as much trouble for those affected. Now, it seems that smaller breaches in healthcare organizations will be getting a closer look from the Office for Civil Rights (OCR) in the US Department of Health and Human Services (HHS). The OCR recently distributed an email announcing an initiative to more widely investigate data breaches affecting fewer than 500 individuals.

HIPAA Breach Notification Rules & Breach Size

For healthcare organizations, HIPAA breach notification regulations state that if a breach affects 500 or more residents, covered entities are required to notify affected individuals, the Secretary and the media within 60 days. For breaches affecting fewer than 500 individuals, the covered entity must notify the Secretary on an annual basis. The OCR announcement notes that the “OCR has prioritized investigation of reported breaches” of protected health information, while the OCR Regional Offices would investigate smaller breaches “as resources permit.”

The first HIPAA breach settlement involving fewer than 500 patients was reached in 2013. Although subsequent enforcement actions have largely focused on larger data breach incidents, there have been additional settlements highlighting the fact that healthcare breaches of all sizes are significant.

The OCR intends to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” However, Regional Offices will still have discretion on which breaches to investigate. In order to push this new agenda, Regional Offices will increase efforts to “identify and obtain corrective action to address entity and systemic noncompliance.”

How to Prepare for the Pressure

Given that a breach of any size indicates a gap in security preparedness, the additional pressure to ensure corrective action could prevent such gaps from turning into large-scale data breaches. As the OCR notes, investigations help:

  • identify entity-wide noncompliance with HIPAA regulations
  • correct any deficiencies
  • offer insights into industry-wide noncompliance and deficiencies

At Absolute, we believe that visibility is the key to identifying and remediating security incidents before they become data breaches. Absolute DDS for Healthcare provides visibility for your fleet of devices, as well as the data they contain. We do this with alerts for events and activities that could be precursors to a security incident. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches, remotely deleting data or locking down devices, and prove compliance if needed.

With full reporting capabilities, you can prove that your data remained protected, even when it was physically outside your control. Absolute DDS for Healthcare is a comprehensive onboarding program which pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at
