Posted In: Health Care
By Laura F. Fryan on March 12, 2019
How would you rate your practice’s HIPAA compliance? Do you have a workforce sanction policy? Do you have business associate agreements with all relevant vendors and subcontractors? Complying with all of the requirements under HIPAA can be tedious, but compliance is extremely important, and this Compliance Checkup is going to describe one of the reasons why.
If your practice has a HIPAA breach that affects 500 or more individuals, the practice must report the breach to the Department of Health and Human Services (HHS). After reviewing such reports, the Office of Civil Rights (OCR) is likely to send a follow-up letter with 15 to 20 document requests.
Understanding what documents the OCR will ask you for in the event of a breach, and confirming that you have all of this documentation in place now, is necessary for HIPAA compliance and may prevent your practice from experiencing a breach.
Here is a sample form that describes what information must be reported to HHS in the event of a breach. One of the questions asks what safeguards your practice had in place prior to the breach. Another question asks what actions were taken in response to the breach, such as new technical or physical safeguards, revisions to policies and procedures, and training. Don’t be fooled by these seemingly simple questions.
The document request from the OCR is extensive, and a response is required within 30 days. Here is a sample of the document request from an actual letter from the OCR on this blog:
- A response detailing the allegation of what happened.
- Proof of proper response to the data breach, and proof of notification to affected patients, media, or OCR.
- Evidence of policies and procedures on workforce members' uses and disclosures of PHI.
- Evidence of appropriate administrative, technical and physical safeguards.
- A copy of the Risk Analysis performed for or by the CE prior to the incident, and any conducted after the incident.
- Evidence of the security measures implemented to reduce risks and vulnerabilities identified through the CE's risk analysis.
- Evidence of policies and procedures on reporting security incidents, including copy of incident report created in response to the incident and corrective actions taken.
- Evidence of security awareness training for all employees.
- Evidence of policies and procedures to safeguard the facility and the equipment thereon from unauthorized physical access, tampering and theft.
- Evidence of policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
- Copies of mechanisms in place for encryption/decryption of systems containing ePHI.
- Copies of breach notification policies and procedures.
- Policies and procedures related to the disclosure and safeguarding of patient PHI.
- The organizational structure of the business, including who owns and operates business, where it is registered to do business, and identify the custodian of records with contact information.
- Any additional information which would assist OCR in investigation of the complaint.
The document request may vary slightly depending on the nature of the breach, but the above list represents a comprehensive example of what the OCR typically requests. Due to the increasing reliance on technology and corresponding risks like cybercrime, no practice - large or small - is safe from a HIPAA breach. Now is the time to ensure that your practice is in compliance with all of the requirements of HIPAA, and the documents required to be provided after a breach are a good place to start.
Stay tuned for Part II on HIPAA issues. In the meantime, contact the health care practice group at Brouse McDowell if you have any questions or want to learn more.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2019 Brouse McDowell. All rights reserved.