Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of reported breaches of protected health information (PHI).  The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.  OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals.  Regional Offices also investigate reports of smaller breaches (involving the PHI of fewer 500 individuals), as resources permit.

Recent settlements of cases where OCR’s investigated smaller breach reports include Catholic Health Care Services (, Triple-S (, St. Elizabeth’s Medical Center (, QCA Health Plan, Inc. (, and Hospice of North Idaho (

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals.  Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.  Among the factors Regional Offices will consider include:

  • The size of the breach;
  • Theft  of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking); The amount, nature and sensitivity of the PHI involved;  or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.  

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates. 

For more information about OCR’s compliance and enforcement work with regard to breaches, and with regard to the many other incidents that OCR investigates, please visit: