Data breaches and HIPAA audits are serious matters that require immediate attention. While every data breach is a problem, those that involve Protected Health Information (PHI) come with certain obligations under the HIPAA Breach Notification Rule and HITECH Act federal laws. A notice of HIPAA audit requires timely response to a request for information from the Department of Health & Human Services Office for Civil Rights (HHS OCR). Time is of the essence in both cases to protect patients and your business.
In a HIPAA audit, OCR will review your risk analysis and mitigation efforts, as well as your policies and procedures. Documentation is critical: it’s not just what you’ve done that matters; it’s what you can prove you’ve done. The window for response is short, and actions taken after the notice of audit likely won’t count. The end result will likely be a negotiated monetary settlement plus a Corrective Action Plan (CAP).
PHI Data Breach Incident
A PHI data breach incident will likely require an investigation into what caused the breach. This may require computer forensics, which is usually expensive. It will also require mitigation, including actions to prevent further loss of PHI and to minimize damage to patients resulting from the breach. Lastly, it will require notification to OCR, affected patients, and possibly the local media. And of course, there will be an OCR audit.