HIPAA Breach Reporting: Focus on Remediation in Responding to OCR Investigation
Last year was another banner year for HIPAA data breaches reported to the Office of Civil Rights (OCR). Under HIPAA, covered entities must report to the OCR any unauthorized “acquisition, access, use, or disclosure” of protected health information (PHI).
Depending on the circumstances, OCR may take no action -- or it may open an investigation, which could lead to the issuance of civil penalties. The department’s approach depends on both the incident and the nature of the response. According to a blog posted by law firm Lewis Brisbois, there are a number of steps that covered entities should consider taking when dealing with the OCR. A few suggested action steps are noted below:
Conduct an updated HIPAA security risk analysis: OCR requires organizations governed by HIPAA to perform such analyses in order to be compliant with HIPAA’s Security Rule. Following a breach, the organization should perform an updated security risk analysis, and if an organization’s security risk analysis is not current, OCR may require one to be completed. Consider performing a risk analysis before reporting as evidence of an ongoing commitment to compliance.
Consult with a digital forensics firm: In breaches arising out of data security events, consider retaining a qualified and independent digital forensics firm to assist with evaluating the incident and confirm that the data environment is secure. A forensics firm may be able to help identify vulnerabilities as part of a broader risk analysis, and will bring an unbiased, independent perspective.
Schedule and document regular audits of your technical system: Regular audits are required by the HIPAA Security Rule. Be sure to conduct these audits and document them. They can be handled internally or done in conjunction with a vendor.
Review all practice policies and procedures: Take the time to review your HIPAA policies and procedures, addressing both the Privacy Rule requirements and the Security Rule requirements. Determine if they need updating or revision and start that process.
Reevaluate relationships with business associates: If the breach is a result of information handling by a business associate, confirm that appropriate Business Associate Agreements are in place, update those agreements if necessary, or consider the value of continuing the relationship with that business associate.
Reinforce your “human firewall”: Retrain employees as needed, and discipline or terminate employees who could be a liability. Implement frequent training of employees regarding the proper handling of PHI and how to identify social engineering attacks.
Review your Incident Response Plan: Make sure to review your incident response plan and confirm that it is up to date. Consider retraining staff regarding the incident response plan if it has been a while since training was done.
When reporting breaches to the OCR, organizations should be mindful of critical remedial steps which can demonstrate ongoing commitment to HIPAA compliance. Demonstrating a commitment to HIPAA compliance can help minimize the risk of an OCR investigation. In addition, robust HIPAA compliance can help avoid additional breaches in the long term.
HIPAAcraticRX can assist you with most of the steps listed above. Retaining a HIPAA compliance firm, such as HIPAAcraticRx not only minimizes the risk of a breach -- it demonstrates your practice's ongoing commitment to compliance. This speaks volumes to the Office of Civil Rights.