Over the last year, government investigations of HIPAA complaints have increased significantly. According to Health Information Privacy/Security Alert, health data breaches involving more than 500 patients are averaging between 400 and 500 a month, with 489 health data breaches reported between July 18, 2012 and August 17, 2012. In all, these breaches affect over 20 million individuals. As of July 2012, the Office of Civil Rights (“OCR”), the government agency authorized to investigate HIPAA breaches, reports 72,684 HIPAA complaints, with 25,612 matters under active investigation and approximately 500 cases sent to the Department of Justice for possible criminal investigation. The government has also started random audits of health care providers to determine HIPAA compliance.
Historically, most HIPAA breaches are due to theft, unauthorized access/disclosure or loss of patient data. It is very easy for a patient, employee, including a disgruntled ex-employee, or competitor to file a HIPAA complaint with OCR. Accordingly, it is very important that your organization understand the necessary steps to quickly and effectively address any notice of HIPAA investigation.
Step 1: Most importantly, a health care provider should have updated and effective HIPAA privacy and security policies, procedures and forms, appropriate business associate agreements and documentation of HIPAA training of personnel. Proactive compliance is not only a health care provider’s best chance of avoiding a data breach, but it is also the best way to resolve a breach investigation quickly and without the imposition of any fines or other administrative penalties.
Step 2: If an OCR notice of investigation is received, a provider should carefully review the notice as it will provide important information. While the letter will not disclose who filed the complaint, it will provide information on the matter under investigation, including, for example, the specific patient data subject to the complaint, the date of the alleged breach and the HIPAA regulation(s) at issue. The letter will also provide a date by which the provider must respond to the allegations and a contact person at OCR. The letter may also request that any response include specific information, such as copies of the provider’s HIPAA policies and procedures.
Step 3: A provider should identify the individuals within its organization who can provide information regarding the complaint and who can help formulate a response. However, the provider should designate only a single individual to deal directly with OCR. It is also important at this stage to determine whether outside counsel should be engaged. That decision depends on the severity and scope of the alleged HIPAA breach and the potential penalties.
Step 4: At this stage, the provider should begin its own investigation into the alleged HIPAA breach. It is important to keep in mind that the process used to investigate may become part of the discussions with OCR, especially if the provider takes the position that its own internal controls and investigation procedures are adequate and that OCR-imposed requirements are not necessary.
Step 5: Once the provider’s investigation is complete, it should prepare a written submission to OCR to address the allegations contained in the notice of investigation. Before any submission, it may be helpful to speak to the OCR contact person to ask additional questions and to explore OCR’s position and concerns. An effective response is achieved by gathering as much information as possible about the alleged breach. Any response should be submitted in a timely manner and should include relevant HIPAA policies and procedures, training logs, business associate agreements and investigation notes. If a provider is unable to provide material requested by OCR, it will need to explain the missing information in its response.
In general, responses fall into four categories: (1) the provider is not covered by the HIPAA regulations (i.e., is not a “covered entity”), (2) the alleged HIPAA breach did not occur (i.e., there was no use or disclosure of protected health information), (3) the use or disclosure of protected health information was in compliance with HIPAA, or (4) the alleged breach did occur, but the provider took prompt and corrective action to address the situation, including, for example, employee discipline, additional HIPAA training and/or the adoption of additional HIPAA policies and procedures. If a provider takes this last position, it would be very helpful if the corrective action was initiated before the provider received the OCR notice.
Step 6: Any OCR investigation will include a review of material submitted by the provider and may include interviews by the OCR investigator of not only the complainant, but also individuals at the provider’s office. Once the OCR investigator has concluded his or her investigation, there are typically five possible results: (1) the complaint is dismissed without any action by OCR, (2) the provider is requested to prepare and submit for OCR review and approval additional HIPAA policies and procedures, and to demonstrate additional HIPAA training, (3) OCR may require a compliance agreement with the provider, which will include ongoing review and oversight by OCR, (4) the provider may be assessed a civil fine, and/or (5) OCR can turn the matter over to the Department of Justice if the breach has the potential to rise to the level of a criminal violation.
Howard E. Bogard is Chair of the Health Care Practice Group at Burr & Forman LLP and exclusively represents health care providers in regulatory and corporate matters.