Post-Breach: Preparing for a HIPAA Investigation

May 08, 2019 at 03:02 pm by steve


The Office of Civil Rights ("OCR") is the federal agency that oversees compliance with the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations ("HIPAA"). In that regard, among other things, OCR conducts investigations following breach reports and imposes penalties and enters into corrective action plans as appropriate. In 2018, OCR imposed $28,683,400 in total settlements and judgments for HIPAA violations.

As with many governmental agencies these days, the manpower of OCR is limited, so investigations are often delayed until years after the breach reports are filed. For example, in December 2018, we saw resolutions relating to breaches that were reported to OCR in 2013, 2014, and 2015, at least three years prior. This delay in enforcement by OCR makes documentation and preparation immediately following a breach extremely important.

Oftentimes, when a HIPAA breach occurs, providers are focused on providing the required notifications to both patients and OCR and then quickly move on. However, in light of the fact that an investigation may ensue years later, there are certain additional steps that providers should take to put themselves in a better position to respond to the investigation and to minimize the harm.

In addition, you should retain copies of the breach notification letters that were mailed to patients, as well as the breach report that was filed with OCR and any police/FBI reports that were filed. If the breach involves a cyber-attack, maintain documentation of the IT Report and security logs, reports, and scans. Document any and all steps you take to mitigate the harm, retain copies of all policies in effect at the time the incident occurred (as well as any new policies that were implemented in response to the incident), and document all training. All documentation should be retained for at least six years.

When a breach incident occurs, if you can take appropriate steps to respond to the incident and to document what transpired, you will be all the more prepared for an investigation by OCR when it eventually occurs several years later.


Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm's Health Care Industry Group.
