OCR Investigation Process


OCR Investigation Process: What to expect when you have a data breach.

Office for Civil Rights (OCR) Investigator, Cassie Harris, and Healthcare Attorney, Paulette Thomas, join the Healthcare InfoSec Roundtable (HISRT) to speak about the OCR investigation process and what HIPAA Covered Entities and Business Associates can expect when they report a data breach. 

OCR's Priorities (at the time of the recording)

  1. Patient access to medical records
  2. Security risk analysis

OCR Investigation Process 

  1. Investigation or compliance review initiated due to breach report, complaint, or media report.
  2. OCR contacts you (phone call) to determine what happened and verify facts before publishing on the OCR website.

Investigation Notes

  • OCR develops an investigation strategy for each incident. 
  • OCR tries to keep the scope of its investigations narrow (they don't go on "fishing expeditions").
  • OCR may increase the priority of the investigation if they discover multiple issues, or if the breach is egregious (number of affected individuals or sensitivity of the data involved).

The Initial Data Request from OCR

  • Facts of the incident
  • How you responded
  • Copies of policies and procedures*

Common Challenges for Providers

  • Providers have policies and procedures but are unable to demonstrate that they are implemented.
  • Providers have a risk analysis but have no risk management plan (follow-up).
  • Lack of security / compliance at physician practices and other mergers and acquisitions, which then affects the hospital.

For additional guidance, see How OCR Enforces the HIPAA Privacy & Security Rules | HHS.gov
