Does the term ‘OCR Investigation’ send shivers down your spine? Well, if so, you’re definitely not alone. Every healthcare entity today faces multiple challenges with regard to information security and compliance. Incidents of data breach have become more frequent with increased use of mobile devices like laptops, smart phones, and portable storage devices like USB drives.
While this has complicated matters of information security on one side, on the other, rising fines and penalties for violation of HIPAA rules have left healthcare entities totally hassled. Earlier this year Cignet Health paid a heavy price of $4.3 million for denying patients access to medical records, and Massachusetts General was fined $1 million for loss of PHI.
Although these incidents clearly demonstrate that an incident of breach is bound to be followed by an OCR investigation, you should remember that an OCR investigation does not necessarily mean loss of reputation. Rick Kam, President and Co-Founder of ID Experts, and Christine Arivelo, Director of Healthcare Identity Management and founding employee of ID Experts share 3 tips to survive and OCR breach investigation:
- Avoiding a breach by being prepared: Preventive action is always better than corrective action, and only more so, when it is comes to preventing a security breach. It is therefore important that you strive for ‘voluntary compliance’ or what OCR calls a ‘culture of compliance’. While HIPAA guidelines have been around for several years, very few organizations have devised and implemented a compliance plan to prevent security breaches. A critical element in compliance planning is an Incident Response Plan (IRP), which comprises of a strategy for how providers will react to an incident.
In most cases, organizations are already doing the right things, but fail to document them. Hence in the face of investigation they have very less evidence to defend themselves. An IRP helps create a defensible response by allowing you to react to complaints in a documented, methodical and timely fashion.
- Educating the investigator: If your organization is under scrutiny by OCR the best approach would be to make the investigator’s job easy with a timely response. It is important to act defensibly and not defensively. The key to surviving an OCR investigation is creating such a defensible approach.
This would mean demonstrating consistency in the way you assess risk, document findings, and execute incident response; preparing yourself to handle unexpected requests for information and access; compiling information including policies and procedures limiting access to information, evidence of notification to media, copy of notice of privacy practices, evidence supporting action taken to prevent recurrence, etc. These can come a long way in easing the investigation process.
- Seeking help: Since investigators also aim to do the right thing just as you do, on most occasions they turn out to be a valuable asset during the investigation. Hence it may be helpful to call the investigator and get a baseline of expectations. You can even express your concerns to the investigator and ask questions. Most of all, you should show empathy for investigators and express your willingness to help them through the investigation by providing timely, accurate information.
Ensuring information safety is one of your primary responsibilities as a healthcare provider. While an automated HIPAA compliance software or expert professional help can come a long way in ensuring security and compliance, in the event of breach an OCR investigation becomes unavoidable. But by preparing yourself with a comprehensive IRP, co-operating with the investigator, and by seeking the investigator’s guidance in the process, you can not only survive the investigation, but also clearly demonstrate your determination to be compliant.