Perhaps you have received a notice of HIPAA audit from the HHS Office for Civil Rights (OCR). Maybe you have experienced a breach of patient data. Ransomware attacks and thefts of devices containing unencrypted PHI are considered breaches under HIPAA. Breaches incurred by one of your Business Associates affect you too. Litigation can also result from a data breach. All of these are examples of “hitting the wall”.
Mode of Operation
You are in emergency response mode and these situations call for immediate action. A notice of HIPAA audit requires that you provide documentation within 10 days of the date on the notice. Large PHI data breaches (those affecting 500 or more individuals) require notice to OCR, the affected individuals, and the local media; all within 60 days of the breach. Smaller breaches still require notice, but the timeframes are different. Failure to act in a timely fashion will just make matters worse and cost you more money.
Plan of Action
PHI Data Breach Plan
- Determine the cause of the breach. This may require computer forensics.
- Implement measures to mitigate the problem and prevent further loss of PHI.
- Identify individuals (patients) who may have been affected by the breach.
- Determine breach notification obligations and take required actions.
- Gather all available documentation (breach information, risk analysis report, policies & procedures, etc.)
- Assemble breach response team (legal counsel, computer forensics consultant, PR consultant, administrative support)
Audit Notification Plan
- Seek legal counsel.
- Gather all available documentation requested in the notice.
- If requested documentation is not available, don’t try to create it now (e.g. risk analysis).
- Submit available requested documentation within the timeframe required.
- Continue to gather other HIPAA documentation that was not requested in the notice. You may have to provide this later as the audit progresses.
- Review audit report received from OCR and respond accordingly.
- Negotiate a settlement and complete the tasks in the Corrective Action Plan (CAP).