OCR Investigation Process: What to expect when you have a data breach.
Office for Civil Rights (OCR) investigator Cassie Harris and healthcare attorney Paulette Thomas join the Healthcare InfoSec Roundtable (HISRT) to speak about the OCR investigation process and what HIPAA Covered Entities and Business Associates can expect after they report a data breach.
OCR's Priorities (at the time of the recording)
- Patient access to medical records
- Security risk analysis
OCR Investigation Process
- An investigation or compliance review is initiated by a breach report, a complaint, or a media report.
- OCR contacts the reporting entity by phone to establish what happened and verify the facts before the breach is posted on the OCR website.
- OCR develops an investigation strategy for each incident.
- OCR tries to keep the scope of each investigation narrow (no "fishing expeditions").
- OCR may raise the priority of an investigation if it discovers multiple issues, or if the breach is egregious (number of affected individuals or sensitivity of the data involved).
The Initial Data Request from OCR
- Facts of the incident
- How you responded
- Copies of policies and procedures*
Common Challenges for Providers
- Providers have policies and procedures but are unable to demonstrate that they are actually implemented.
- Providers have a risk analysis but no risk management plan to follow up on its findings.
- Weak security and compliance at acquired physician practices and other merger and acquisition targets, which then becomes the hospital's problem.
For additional guidance, see "How OCR Enforces the HIPAA Privacy & Security Rules" on HHS.gov.