
The Wagner Law Group

The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice. 


Established in 1996, The Wagner Law Group has 24 attorneys engaged exclusively in employee benefits, estate planning and employment law. Six of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.





Contact Info

The Wagner Law Group
Integrity | Excellence

Boston
Tel: (617) 357-5200
Fax: (617) 357-5250
99 Summer Street
13th Floor
Boston, MA 02110

Palm Beach Gardens
Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418

Tampa
Tel: (813) 603-2959
Fax: (813) 603-2961
101 East Kennedy Boulevard
Suite 2140
Tampa, FL 33602

San Francisco
Tel: (415) 625-0002
Fax: (415) 358-8300
300 Montgomery Street
Suite 600
San Francisco, CA 94104

St. Louis
Tel: (314) 236-0065
Fax: (314) 236-5743
100 South 4th Street, Suite 550
St. Louis, MO 63102







August 31, 2016


 Health and Welfare Law Alert




 HHS to Increase Investigations of PHI Breaches Affecting Fewer than 500 Individuals




HHS's Office for Civil Rights ("OCR") has announced it intends to increase its investigations of breaches of protected health information ("PHI") affecting fewer than 500 individuals.  These investigations will begin this month.



Background.  HIPAA governs how covered entities, including employer-sponsored group health plans, may use and disclose PHI.  PHI includes individually identifiable health information (e.g., names, social security numbers and addresses) when such information is connected to health data. 



The HIPAA Privacy Rule protects the privacy of PHI from unauthorized use or disclosure.  In general, covered entities (and business associates) may only use and disclose PHI without an individual's prior authorization when such disclosure is expressly permitted under the HIPAA Privacy Rule. 



Covered entities and business associates must comply with the HIPAA Breach Notification Rule following a breach of unsecured PHI.  Specifically, they must evaluate whether the use or disclosure constitutes a breach and document their determination.  If the use or disclosure is determined to be a breach of PHI, they must notify affected individuals within 60 days of the breach.  HHS and "prominent media outlets" must also be notified of breaches involving more than 500 residents in a particular area.



Covered entities must report PHI breaches on an annual basis to HHS regardless of the number of affected individuals.



Failure to comply with the HIPAA Privacy Rule can result in OCR investigations as well as the imposition of civil and criminal penalties.  HIPAA's civil penalties range from $100 to $50,000 per violation per day during the time period that the covered entity is in violation.



HHS Announcement.  Starting this month, HHS's regional offices will launch an initiative to more widely investigate the root cause of PHI breaches affecting fewer than 500 individuals.  OCR has identified the following factors that it will use to determine whether a small PHI breach will be investigated:


  • the size of the breach;
  • whether the breach involved theft or improper disposal of PHI;
  • whether the breach involved unwarranted intrusions to IT systems (e.g., hacking);
  • the amount, nature and sensitivity of the PHI involved; and
  • instances where numerous breach reports from a particular covered entity or business associate raise similar issues.


Takeaway for Employers.  To prevent breaches of PHI and costly HIPAA enforcement actions, employers are advised to take the following action steps: 


  • Conduct new risk analyses after all modifications to underlying technology;
  • Update policies and procedures to account for changes in technology or practices;
  • Regularly provide HIPAA training to employees;
  • Conduct HIPAA audits;
  • Monitor security breaches; and
  • Create and implement a breach response plan.





This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.