HIPAA Lessons Learned from an OCR Investigator

[feather_share]

I recently had the opportunity to attend a presentation by an OCR Investigator from the Chicago region. It was very interesting to hear what the HIPAA investigation process looked like, what they ask for, a note on encrypted devices, and what covered entities do that annoy investigators (you definitely want to avoid these!)

This is the high level stuff, and I hope to do some deep dives in future posts.

What Initiates an Inquiry/Investigation?

A HIPAA investigation currently can be initiated by one of the two following events:

1. Complaint investigations – a patient or employee reports potential HIPAA violations to the OCR.
2. Compliance reviews – your practice or business associate had a breach of patient information.
   • Breaches of over 500 affected individuals AUTOMATICALLY require an investigation.
   • Breaches under 500 affected individuals may be reviewed at the discretion of the Regional OCR Office.

The Investigation Process

The investigation process was described as containing these 4 parts:

1. Notification letter - The process starts with a notification letter from the OCR and will include their request list
2. Covered Entity and Business Associate response – as this says, this is email/mailing in all the supporting documentation of your information security program. IMPORTANT NOTE by the investigator: even if the breach happened at the Business Associate, the Covered Entity (you) may still be required to supply documentation (So the security of who you do business with matters!)
3. On-site Investigation – This is optional, depending on the quality of the supporting documentation supplied in Step 2.
4. Case Resolution – you will receive an official letter of your case resolution. If you don’t receive the letter, your case is still open and you should contact your investigator. The possible outcomes are:
   • No Violation or Voluntary Compliance – your Information Security Program was in good shape and/or you had minor issues that were quickly corrected.
   • Resolution Agreement or Corrective Action Plan - A signed agreement by the Covered Entity (you) to perform certain actions within a certain time period. Often includes payment of a resolution amount.
   • Civil Monetary Penalty – When a satisfactory resolution cannot be achieved, the OCR will issue a penalty. You want to do everything in your power to avoid this.

Q:  Where does the money go (i.e.: from a Resolution Agreement or Civil Monetary Penalty)?
A:  It goes to the OCR and can only be used for HIPAA enforcement.

Typical Request Items

So what will the request list look like when you go through an OCR investigation? The list can change based on what events occurred to generate the review, but here are some items that the OCR Investigator said is typically requested:

1. Position Statement
2. Business Associate Agreements
3. Policies and Procedures
4. Evidence of Workforce Training on Information Security
5. Evidence of Sanctions against acting employee (they want to see you followed your policy)
6. Your most recent Risk Assessment
7. Your action plan from the Risk Assessment

***VERY IMPORTANT: The OCR needs to see paper documentation on ALL items; they can’t take your word for it.

A NOTE ON Encryption:
20% of the breaches that involve 500 individual records or more were the result of a lost or stolen laptop. If those providers had encrypted the hard drives on those laptops (and documented that encryption), it would have not been considered a breach.

What does this mean? Avoid some likely future headaches by encrypting all your portable devices ASAP.

Avoid These Pet-Peeves

What are some things that annoy an OCR Investigator? Here were a few things to avoid:

1. Don’t be deceitful or tell half-truths – if you don’t have a policy or document, be forthcoming and clearly state that, you’ll fare better in the long run.
2. Don’t overload them with unnecessary documentation – sometimes in an effort to make things look rosier that they really are, Covered Entities will pile on documentation unrelated to the investigation at hand.   If they didn’t ask for it, don’t send it.
3. Don’t mess around with your risk analysis – most Resolution Agreements contain a citation for a deficient risk assessment. You need to thoroughly assess WHERE you ePHI is and what risk that presents.

Question: how well prepared is your organization to handle an OCR investigation? 

Email or Tweet me your responses and/or any questions on this post.

Like this?  Please Share:

[feather_share]