A healthcare organization’s involvement with OCR may begin with a simple letter acknowledging a complaint and providing guidance documentation related to it, notes Elizabeth Litten, JD, partner and HIPAA privacy and security officer with Fox Rothschild in Princeton, NJ. “Sometimes, [OCR] will send a complaint warning letter, knowing that it may be a one-off, but they want to make the covered entity aware and ensure it is complying with HIPAA,” Litten explains. “Sometimes, they’ll ask the covered entity to respond in some way, but, frequently, if they think it just involves one incident or individual, they will say they consider it closed but will be concerned if the problem persists.”
For a more serious concern, OCR will assign a case number and ask for substantial information, such as policies and staff education records. Typically, OCR gives a 30-day deadline, but often will grant an extension if requested. “They may ask for documentation on what occurred, your policies and procedures, how you addressed the incident. They’ll ask for very specific information, even financial information, to get a sense of who your business associates are,” she says. “They may ask for specific names and titles of individuals involved.”
The letter usually says that if an organization does not respond, that will be considered a violation of HIPAA. The course of OCR’s response will be determined largely by the nature of the complaint, says Emily Quan, JD, an attorney with Weinberg Wheeler Hudgins Gunn & Dial in Atlanta. Impermissible use and disclosure is the most common type of complaint.
“With that complaint, typically, the covered entity will be asked for some information to review the complaint,” Quan says. “[OCR is] looking at when this potential violation occurred, whether the entity is covered by the privacy rule, whether the complaint was filed within the usual six months, and whether the incident actually violates the privacy rule.” The outcome can be tough to predict. OCR could determine there was no violation, or the agency could rule there was a violation, and levy various civil penalties. Quan says this is why it is vital to conduct a comprehensive risk analysis early. “This is a process that tends to snowball, particularly if this involves a massive health system or institution. There can be a number of offshoots from the investigation, with each one of them requiring time and resources to investigate.”
There are countless HIPAA violations every year that are never detected or reported, says Eric D. Fader, JD, an attorney with Rivkin Radler in New York City. A media report may trigger an investigation, as with a recent case in which OCR fined a health system more than $2 million after reporters shared a photograph of an operating room screen that included a patient’s medical information (See previous article on common HIPAA violations for more information.)
“Sometimes, the OCR will begin an investigation after receipt of a complaint from a patient or other party,” Fader says. “However, I think most often, the filing of a covered entity’s or business associate’s own breach report with OCR will trigger the investigation.”
OCR has wide latitude when determining potential penalties. Generally, a breach or other HIPAA violation in and of itself will not result in an expensive fine. If the breach affects few people and was identified and corrected promptly, an investigation is less likely. Still, OCR has made a point of publicizing some tiny breaches, just to show that “size isn’t everything,” Fader cautions.
OCR usually has much less patience and understanding when the covered entity or business associate has not adopted required HIPAA policies and procedures, has not properly trained and retrained its employees (no less often than once per year), has failed to conduct required periodic enterprise-wide risk assessments, or has failed to investigate and report a breach in a timely manner.
The absence of a business associate agreement between a covered entity and its business associate or between the business associate and its subcontractor can compound the potential penalty. “Breaches happen,” Fader says. “An entity that has taken HIPAA seriously and that investigates and takes corrective action promptly, and that doesn’t attempt to deceive OCR or minimize the severity of its actions, has a good chance of getting off lightly.”
Enforcement is not limited solely to the imposition of monetary fines, notes Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA. Enforcement can include investigations, audits, requirements for corrective actions, and private lawsuits, although litigation will not fall directly under HIPAA.
It is difficult to find any pattern for when a fine will be imposed. If there is a particularly egregious violation or the organization can pay a substantial fine, then infractions may be more likely to result in a monetary penalty. “Additionally, OCR is increasingly focused on denial of access problems, which suggests more fines could be coming on that front,” Fisher suggests.
An investigation may not necessarily make headlines, but it does affect an organization and take time and resources. For enforcement, OCR’s primary options are monetary penalties and/or corrective actions. “Monetary penalties are imposed in few instances, but there does not seem to be any rhyme or reason as to when a penalty will be imposed. Corrective actions often consist of technical advice to help organizations better comply with HIPAA requirements,” Fisher says. “Corrective actions will result quite frequently when an interaction occurs between an organization and OCR because some issue of noncompliance will likely arise. A corrective action is often collaborative and not punitive, as OCR wants to see good practices put into place.”
Enforcement will follow a standard course of investigation, audit, discussion, determination of baseline issues, and then outcome. The first few stages will consist of document requests and a written or verbal back and forth. Often, the goal is to establish that the organization has compliance efforts in place and is trying its best. “Even with the best of efforts, mistakes or issues can arise. The good faith effort at demonstrating compliance will be a big factor in influencing the outcome of an investigation or potential issue,” Fisher says. “If an organization is ignoring or deliberately not implementing a policy or procedure required by HIPAA, then issues will arise.”
In the ordinary course, the timeframe for resolution of an issue will be a few months. OCR usually will send a document request within one month of a large breach report or an individual complaint filing. From there, an organization will have about two weeks to submit a response. Some time later, OCR will reveal the resolution to the organization. “That is the ordinary course. However, recent monetary penalties seem to take years from the underlying incident,” Fisher observes. “There is no indication as to why so much time passes, though it could be that there is a lot of back and forth going on in the background.”
The biggest impact on a potential outcome is transparency and taking good faith steps to comply with HIPAA. OCR recognizes that no organization can be perfect all the time. Still, so long as honest efforts are taken, OCR will be willing to work collaboratively.
Sometimes, the OCR investigation reveals relatively minor violations that can be corrected without significant penalties, says Kimberly J. Gold, JD, partner with Reed Smith in New York City. OCR may only seek corrective action in these instances. They may seek changes to an organization’s HIPAA policies, procedures, and training. In more serious cases, OCR will pursue penalties in addition to corrective action. Criminal charges are seen less frequently. The course of enforcement typically is determined by how egregious a HIPAA violation is in the mind of OCR. “A data breach involving hundreds of thousands of individuals and underlying HIPAA violations, like the failure to conduct a security risk assessment, could trigger significant penalties,” Gold warns. “Even the failure to execute business associate agreements has led to penalties. Less serious violations that can be quickly remedied are often easier to resolve without financial penalty.”
In addition to cooperating, maintaining strong records (including documentation of policies, procedures, training, and risk assessments) will go a long way with OCR. “Should OCR investigate a large data breach and find no evidence of a risk assessment having been performed, or of any commitment to a HIPAA compliance program, enforcement will be more likely,” she cautions.