A federal agency has just increased the odds that your company, or companies you do business with, could hear from health information data breach investigators.

The Office for Civil Rights, part of the U.S. Department of Health and Human Services, says it will now let its regional offices look into reports of incidents that have, or could have, exposed the protected health information of 499 or fewer individuals to the wrong people.

Up until now, HHS civil rights office investigators have mostly stuck to investigating data breaches involving the protected health information of 500 or more people.

“Regional offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches,” civil rights office officials write in an email message sent to recipients who’ve signed up to get updates from the office.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added data breach reporting requirements to the older health information privacy and data security requirements set by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The HHS civil rights office applies the HIPAA health information protection standards both to the entities covered directly by the standards, such as hospitals and health insurers, and the business associates that exchange health information with the covered entities. Any insurance agents, insurance brokers or benefit plan administrators that handle protected health information may be classified as business associates.

The new expanded breach investigation effort will affect business associates as well as covered entities, officials say.

Officials list six factors that could be used to decide which small breaches to investigate:

    1. The size of the breach.

    2. Any theft of, or improper disposal of, unencrypted protected health information.

    3. Breaches that involve hacking or other unwanted system intrusions.

    4. The amount, nature and sensitivity of the protected health information involved.

    5. Multiple breach reports coming from the same covered entity or business associate.

    6. Efforts to compare breach data from multiple organizations.
