The Wagner Law Group
Wagner Law Group, A Professional Corporation, is a nationally
recognized ERISA & employee benefits, estate planning,
employment, labor & human resources practice.
Founded in 1996, The Wagner Law Group has 24 attorneys engaged
exclusively in employee benefits, estate planning and
employment law. Six of our attorneys are AV rated by
Martindale-Hubbell as having very high to preeminent legal abilities
and ethical standards. The firm is among the largest ERISA boutiques
in the country. Our practice is national in scope, with clients in
more than 40 states and several foreign countries.
Wagner Law Group
Fax: (561) 293-3591
7108 Fairway Drive
Palm Beach Gardens, FL 33418
East Kennedy Boulevard
Tampa, FL 33602
Francisco, CA 94104
100 South 4th Street, Suite 550
St. Louis, MO 63102
August 31, 2016
Health and Welfare Law
HHS to Increase Investigations of PHI Breaches Affecting Fewer than 500 Individuals
The Department of Health and Human Services' ("HHS") Office for
Civil Rights ("OCR") has announced that it intends to increase its
investigations of breaches of protected health information ("PHI")
affecting fewer than 500 individuals. These investigations will begin
this month.
Background. HIPAA governs how covered entities, including
employer-sponsored group health plans, and their business associates
may use and disclose PHI. PHI is individually identifiable health
information: identifiers such as names, social security numbers and
addresses become PHI when they are linked to health data, such as a
diagnosis, treatment or claim.
The HIPAA Privacy Rule protects PHI from unauthorized use or
disclosure. In general, covered entities (and business associates)
may use or disclose PHI without an individual's prior authorization
only when the use or disclosure is expressly permitted under the
HIPAA Privacy Rule.
Covered entities and business associates must also comply with the
HIPAA Breach Notification Rule following a breach of unsecured PHI,
meaning PHI that has not been rendered unusable, unreadable or
indecipherable to unauthorized persons (for example, through
encryption). Specifically, they must evaluate whether the use or
disclosure constitutes a breach and document their determination. If
the use or disclosure is determined to be a breach, they must notify
affected individuals without unreasonable delay and in no case later
than 60 days after discovery of the breach. Breaches affecting more
than 500 individuals must be reported to HHS on the same timeline,
and breaches involving more than 500 residents of a state or
jurisdiction must also be reported to "prominent media outlets"
serving that area. Breaches affecting fewer than 500 individuals
must still be logged and reported to HHS, but may be submitted
annually, within 60 days after the end of the calendar year in which
they were discovered.
Failure to comply with these HIPAA rules can result in OCR
investigations as well as the imposition of civil and criminal
penalties. HIPAA's civil penalties range from $100 to $50,000 per
violation, depending on the level of culpability; for a continuing
violation, each day the covered entity remains out of compliance is
treated as a separate violation.
Beginning this month, HHS's regional offices will begin an initiative
to more widely investigate the root cause of PHI breaches affecting
fewer than 500 individuals. OCR has identified the following
factors that it will use to determine whether a small PHI breach will
be investigated:
- the size of the breach;
- whether the breach involved theft or improper disposal of
unencrypted PHI;
- whether the breach involved unwarranted intrusions to IT systems
(e.g., hacking);
- the amount, nature and sensitivity of the PHI involved; and
- whether numerous breach reports from a particular covered entity
or business associate raise similar issues.
Takeaway for Employers. To prevent breaches of PHI and costly
HIPAA enforcement actions, employers are advised to take the
following action steps:
- Conduct new risk analyses after all modifications to underlying
technology;
- Update policies and procedures to account for changes in
technology;
- Regularly provide HIPAA training to employees;
- Promptly investigate and document suspected security breaches; and
- Create and implement a breach response plan.
This Newsletter is protected by copyright. Material
appearing herein may be reproduced with appropriate credit.
This Newsletter is provided for information purposes by
The Wagner Law Group to clients and others who may be interested in the
subject matter, and may not be relied upon as specific legal
advice. This material is not to be construed as legal advice or
legal opinions on specific facts. Under the Rules of the Supreme
Judicial Court of Massachusetts, this material may be considered