Patricia Wagner, a Member of the Firm in the Health Care and Life Sciences and Litigation practices; Carrie Valiant, a Member of the Firm in the Health Care and Life Sciences practice; and Robert Hudock, Counsel in the Health Care and Life Sciences practice, all in the Washington, DC, office, were quoted in an article titled "Attorneys' Advice to Covered Entities: Comply With HIPAA Complaint Investigations."
Following is an excerpt:
As the federal government steps up enforcement of the Health Insurance Portability and Accountability Act and launches audits of compliance with HIPAA rules, health care attorneys advised Sept. 8 that covered entities and business associates fully cooperate with federal investigations of HIPAA violation complaints.
Health care attorneys with Epstein Becker and Green P.C. in Washington said during a firm-sponsored webinar on HIPAA enforcement that penalties for failing to cooperate with a HIPAA investigation could be higher than the penalties for an actual HIPAA violation.
One recent case—involving insurer Cignet Health—was evidence that HHS's Office for Civil Rights will impose such higher penalties for failure to cooperate, they said. In February, OCR imposed its first-ever civil monetary penalty on a HIPAA-covered entity—Cignet—for violating the HIPAA Privacy Rule (see previous article). The bulk of the $4.3 million penalty—$3 million—was assessed for Cignet's failure to cooperate with the OCR investigation, attorney Patricia Wagner said.
Wagner said OCR's process for investigating possible HIPAA rule violations typically starts with a letter from the agency asking for specific information, such as data privacy and security policies and procedures, audit logs, and the history of any internal investigations of the complaints.
Attorney Carrie Valiant said that health care organizations, when they are made aware of HIPAA violation complaints, should conduct internal investigations to determine whether a data breach actually occurred.
In fact, Valiant noted, federal regulators do not expect incidents that do not rise to the status of data breaches to be reported to patients.
Valiant said internal investigations should document what happened, why it happened, who or what function was responsible for the incident, how the problem was fixed, and the steps taken to prevent the problem from occurring again.
Attorney Robert Hudock recommended that covered entities and business associates use data breach risk assessment tools that help frame breach analyses and determine the risk of harm to patients.