A business partner of mine was provided a copy of a letter that the Office of Civil Rights sent to an organization following a self-reported HIPAA breach. I thought you would find some of their requests and the timing interesting.
- Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations
- Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.
- Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
- Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.
- Re-training of appropriate workforce members.
- Mitigation of the harm alleged, as required by the Privacy Rule.
HIPAA Policies and Procedures
- A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.
- A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.
- Evidence of physical safeguards implemented for computing devices to restrict access to PHI.
- Business Associate Agreements and/or policies and procedures implemented to ensure Business Associates have implemented the appropriate safeguards (if applicable).
- A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
- Evidence of security awareness training for involved workforce members including training on workstation security.
- Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.
- A copy of the written notification of the breach provided to the affected individuals.
- A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.
Initially, this request was in response to a self-reported breach. The OCR is asking for a great deal of information in a relatively short time. Practically, this means that an organization would generally not have enough time to fill in missing gaps in its documentation and safeguards.
The key message here is that the OCR does not only get involved in this type of activity during a “random” audit. An incident, for which a Covered Entity and/or Business Associate are bound by law to report, can also generate this activity.
Joe Dylewski, President, ATMP Group
Joseph Dylewski is a twenty-three year Information Technology Professional veteran, with eight years spent exclusively in the Healthcare Industry. In addition to holding positions as a Project Manager and Director of Information Technology, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager with a proven track-record of successfully delivering end-to-end IT application and infrastructure project services. Joseph also currently serves as an Assistant Professor at Madonna University.