The impending HIPAA audits from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) have received lots of headlines and are a source of understandable dread for many organizations. But winning (losing) the audit lottery shouldn’t be your only, or even your biggest, worry.

Anyone can file a HIPAA complaint against your organization.

Take a look: for any complaint deemed relevant and reasonable, OCR has an open door to investigate. And Clearwater has proof the feds are more interested than ever in walking through that open door. OCR is turning up the heat in a big way, and you need to know that the days of voluntary compliance have officially given way to an era of strict enforcement. In other words, be afraid. Be very afraid.

Using a recent OCR Investigation and Data Request Letter as a case study, I’d like to illustrate the business burden of an OCR inquiry into your HIPAA compliance practices.

The specific OCR Investigation Letter highlighted in this blog was allegedly the result of a healthcare organization failing to have an appropriate technical safeguard in place, which allegedly led to a breach of almost 200,000 individuals’ protected health information (PHI). OCR stated that the lack of this technical safeguard could reflect violations of 21 Standards and/or Implementation Specifications in the respective Privacy, Security and Breach Notification regulations.

What you can expect from OCR

To investigate the allegations, OCR requested 23 items in the “Initial Data Request” attached to the OCR Investigation Letter. Each piece of evidence that OCR requested related directly to the alleged violations of the 21 Standards and/or Implementation Specifications: 15 alleged violations of the Security Rule, 3 alleged violations of the Privacy Rule and 3 alleged violations of the Breach Notification Rule. Some highlights of the data requested:

  • Submit a copy of your most recent risk analysis, as well as a copy of ALL risk analyses performed within the past 6 years.
  • Evidence of your organization’s Risk Management Plan
  • Evidence of security measures in place to reduce risks to electronic Protected Health Information (ePHI)
  • Evidence of HIPAA training, including Security Awareness training and periodic security updates
  • Steps taken to mitigate harm
  • Please provide policies and procedures related to:
      o Safeguarding PHI
      o Impermissible uses and disclosures
      o Notifying individuals, the media and the Secretary of HHS in the event of a breach
      o Sanctions
      o Access to ePHI
      o Responding to and reporting security incidents
  • Evidence that a prominent media outlet was notified of the breach, if applicable

OCR wants to see that an organization is ‘abiding by, practicing, and enforcing HIPAA’ through its policies and procedures and through its actions. And, according to this letter, OCR wants this evidence in 10 DAYS!

If OCR finds this case to be one of ‘willful neglect,’ it must impose a Civil Monetary Penalty (CMP). Prior to the Omnibus Rule, HHS was required to seek resolution through informal means for all violations. In the post-Omnibus world, HHS may seek informal resolution, but Omnibus does not allow violations due to willful neglect to be resolved through informal means without also imposing a CMP.

A violation of ‘willful neglect’ comes with a heavy price tag.

For each regulatory violation, OCR must invoke a CMP of at least $50,000 per violation. However, that figure is capped at $1.5 million for each regulatory violation per calendar year. It doesn’t take a mathematician to figure out that if this covered entity were found to be willfully neglectful, and OCR took into consideration all of the alleged violations of the 21 Standards and/or Implementation Specifications listed in the OCR Investigation Letter, this covered entity would be in for a hefty CMP: tens of millions of dollars.

Finally, it’s important to note that OCR requested six years of Risk Analysis evidence, underscoring the focus the agency is placing on assessing privacy and security risks.

Always be prepared, no matter what

Obviously, the best-case scenario is for your organization to avoid an OCR investigation altogether. After all, the reason to invest in a thorough and effective approach to HIPAA compliance is to appropriately protect the privacy of the individuals you serve, not to avoid legal penalties. But should you find yourself the subject of an audit or investigation, you need to be prepared to demonstrate your good-faith efforts and prove you’ve taken adequate steps to safeguard protected health information. Based on recent evidence, it all starts with a robust approach to risk analysis and risk management.

The good news is that even though there is much to fear when thinking about investigations and audits, there are blueprints for facing these fears head on. Want to learn more? Drop us a note, and a seasoned HIPAA compliance and information risk management expert will get right back to you!

Join one of Clearwater Compliance’s NEW Information Risk Management BootCamp™ events and learn to understand your requirements under HIPAA and how to best manage your information security risks.

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.
Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.