U.S. Department of Health and Human Services
Office for Civil Rights
Breach Portal

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates all breaches of protected health information (PHI) and Part 2 records that affect 500 or more individuals. Breaches affecting fewer than 500 individuals may be investigated based on Departmental resources and enforcement priorities. A breach of health information that is both PHI and a Part 2 record should be reported separately as a HIPAA breach and a Part 2 breach.

File a HIPAA Breach

View HIPAA Breach Reports

Under the HIPAA Breach Notification Rule, a breach is, generally, the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information.

More information about what constitutes a reportable breach of unsecured protected health information is available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

File a 42 CFR Part 2 Breach

View 42 CFR Part 2 Breach Reports

Under Part 2, a breach is, generally, the acquisition, access, use, or disclosure of a Part 2 record in a manner not permitted under 42 CFR part 2 which compromises the security or privacy of the Part 2 record.

More information about breach notification requirements under Part 2 is available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.

When OCR receives a breach report, we review it to determine whether we have legal authority to open an investigation. OCR may close a breach report based on a review of the facts presented by the report or contact the person who submitted the breach report to verify the information in the report. OCR may act on a breach report if a regulated entity (HIPAA covered entity, business associate, Part 2 program, or qualified service organization) experienced a breach of unsecured protected health information and/or Part 2 records. OCR may resolve a breach report with technical assistance, refer the report to another agency for appropriate action, investigate the breach, or close the breach report without further investigation.

Upon the completion of an investigation, OCR will issue a letter notifying the entity under investigation that the investigation has been closed. The letter may include the steps that OCR took to address the issues raised and/or that the regulated entity took to respond to OCR’s investigation. In some cases, OCR may negotiate a written agreement and corrective action steps with the regulated entity to resolve compliance issues identified during OCR’s investigation.

U.S. Department of Health & Human Services - 200 Independence Avenue, S.W. - Washington, D.C. 20201