Understanding HIPAA Privacy Compliance Investigations
by Beth Hjort, RHIA, CHP
Question: Under what circumstances would our organization be investigated for HIPAA privacy compliance?
Answer: The complaint investigation process will be complaint driven. The Department of Health and Human Services’ Office for Civil Rights (OCR), the enforcement body for the privacy regulations, is not gearing up for witch hunts to expose privacy noncompliance. But when individuals register a complaint about the way their privacy rights were handled by a covered entity, the OCR can be expected to investigate. It is important to know that the OCR’s intention is to aid covered entities to come into compliance. They will press for corrective actions plans and voluntary resolutions whenever possible and may provide technical assistance in pursuit of the overarching goal- protection of individually identifiable health information.
If your organization is the target of an investigation, your due diligence efforts will help support you. OCR is expected to review and evaluate the compliance efforts an organization has made to implement the requirements.While it’s not clear whether the investigations will be on site or mainly through document production, investigators would be expected to probe for evidence of a good faith effort toward compliance with the regulations in areas such as:
- a budget for privacy implementation
- appointment of individuals or groups to carry out privacy responsibilities
- completion of a gap analysis
- policies and procedures written and implemented
- evidence of training
While it’s not the nature of OCR to jump to conclusions, it does have the discretion to apply civil monetary penalties within limits set by the rule. Limits are $100 per occurrence or $25,000 maximum per calendar year for identical violations. Remember that the ones who will go to jail over noncompliance are those who make an intentional decision to violate privacy rights. Those cases are outside OCR authority and are handled under criminal investigations by the Department of Justice.
Consider that if your organization has an effective internal complaint handling process with clear instructions noted in your notice of privacy practices, individuals may be satisfied with local resolution and feel no need to take the complaint to the federal level. Because the Centers for Medicare & Medicaid Services’Web site posts an intention to develop a Web-based complaint management process, covered entities would do well to establish an equally convenient process for individuals to bring their concerns first to the CE.
This question was fielded by Beth Hjort, RHIA, CHP, professional practice manager with AHIMA. She can be reached at firstname.lastname@example.org.
Hjort, Beth. "Understanding HIPAA Privacy Compliance Investigations." In Confidence 11:6 (June 2003), p.7.