HIPAAcraticRx - The Prescription for HIPAA Compliance

HIPAA Breach Reporting: Focus on Remediation in Responding to OCR Investigation

March 25, 2019

 

Last year was another banner year for HIPAA data breaches reported to the Office of Civil Rights (OCR). Under HIPAA, covered entities must report to the OCR any unauthorized “acquisition, access, use, or disclosure” of protected health information (PHI).

 

Depending on the circumstances, OCR may take no action -- or it may open an investigation, which could lead to the issuance of civil penalties. The department’s approach depends on both the incident and the nature of the response. According to a blog post by the law firm Lewis Brisbois, there are a number of steps that covered entities should consider taking when dealing with the OCR. A few suggested action steps are noted below:

 

  • Conduct an updated HIPAA security risk analysis: OCR requires organizations governed by HIPAA to perform such analyses in order to be compliant with HIPAA’s Security Rule. Following a breach, the organization should perform an updated security risk analysis, and if an organization’s security risk analysis is not current, OCR may require one to be completed. Consider performing a risk analysis before reporting as evidence of an ongoing commitment to compliance.

  • Consult with a digital forensics firm: In breaches arising out of data security events, consider retaining a qualified and independent digital forensics firm to assist with evaluating the incident and confirm that the data environment is secure. A forensics firm may be able to help identify vulnerabilities as part of a broader risk analysis, and will bring an unbiased, independent perspective.

  • Schedule and document regular audits of your technical system: Regular audits are required by the HIPAA Security Rule. Be sure to conduct these audits and document them. They can be handled internally or done in conjunction with a vendor.

  • Review all practice policies and procedures: Take the time to review your HIPAA policies and procedures, addressing both the Privacy Rule requirements and the Security Rule requirements. Determine if they need updating or revision and start that process.

  • Reevaluate relationships with business associates: If the breach is a result of information handling by a business associate, confirm that appropriate Business Associate Agreements are in place, update those agreements if necessary, or consider the value of continuing the relationship with that business associate.

  • Reinforce your “human firewall”: Retrain employees as needed, and discipline or terminate employees who could be a liability. Implement frequent training of employees regarding the proper handling of PHI and how to identify social engineering attacks.

  • Review your Incident Response Plan: Make sure to review your incident response plan and confirm that it is up to date. Consider retraining staff regarding the incident response plan if it has been a while since training was done.

 

When reporting breaches to the OCR, organizations should be mindful of critical remedial steps which can demonstrate ongoing commitment to HIPAA compliance. Demonstrating a commitment to HIPAA compliance can help minimize the risk of an OCR investigation. In addition, robust HIPAA compliance can help avoid additional breaches in the long term.

 

HIPAAcraticRx can assist you with most of the steps listed above. Retaining a HIPAA compliance firm, such as HIPAAcraticRx, not only minimizes the risk of a breach -- it demonstrates your practice's ongoing commitment to compliance. This speaks volumes to the Office of Civil Rights.

 

 

 
