What to Expect After Reporting a Data Breach
Office for Civil Rights (OCR) Investigator Cassie Harris and Healthcare Attorney Paulette Thomas join the Healthcare InfoSec Roundtable (HISRT) to discuss the OCR investigation process and what HIPAA-covered entities and Business Associates can expect when reporting a data breach.
OCR's Priorities (at the time of the recording)
- Patient access to medical records
- Security risk analysis
OCR Investigation Process
- An investigation or compliance review is initiated by a breach report, a complaint, or a media report.
- The reporting entity is contacted by phone to determine what happened and to verify the facts before the breach is posted on the OCR website.
Investigation Notes
- OCR develops an investigation strategy for each incident.
- OCR tries to keep the scope of the investigations narrow (don't go on "fishing expeditions").
- OCR may raise the priority of an investigation if it discovers multiple issues, or if the breach is egregious (by number of affected individuals or sensitivity of the data involved).
The Initial Data Request from OCR
- Facts of the incident
- How you responded
- Copies of policies and procedures*
Common Challenges for Providers
- Providers have policies and procedures but are unable to demonstrate that they have actually been implemented.
- Providers have a risk analysis but no risk management plan to follow up on its findings.
- Security and compliance gaps in acquired physician practices and other merged or acquired entities, which then become the hospital's problem.
For additional guidance, see How OCR Enforces the HIPAA Privacy & Security Rules | HHS.gov