
How to prepare for an HHS investigation after a breach

The Office for Civil Rights (OCR) enforces the Privacy and Security Rules in several ways:

  • Investigating complaints filed with it.
  • Conducting compliance reviews to determine whether covered entities are in compliance.
  • Performing education and outreach to foster compliance with the rules' requirements.

According to Holland & Hart LLP, being well-prepared and transparent in your response to a HIPAA breach can greatly influence the outcome of an HHS investigation. Demonstrating that your organization had taken reasonable steps to prevent breaches and responded appropriately when one occurred can lead to reduced fines and sanctions. 


Understand the investigation process

After a breach is reported, the OCR gets involved in the following ways:

  • Complaint investigation: The OCR investigates complaints filed regarding potential HIPAA violations. This involves gathering information and assessing whether the covered entity has complied with HIPAA rules.
  • Compliance reviews: OCR conducts compliance reviews to determine if covered entities are adhering to HIPAA regulations. These reviews are aimed at ensuring that the entities have proper measures in place to protect patient information, such as encrypting data, not sharing passwords, developing an Incident Response Plan, and educating staff about the best ways to maintain the privacy of protected health information (PHI).
  • Audits: OCR performs audits of covered entities and business associates to verify their compliance with HIPAA rules. These audits can be routine or triggered by specific incidents, such as a reported breach.
  • Imposition of penalties: If OCR finds that a covered entity has not complied with HIPAA rules, it may impose civil penalties. The severity of the penalties depends on the nature and extent of the violation, as well as the harm caused by the breach.
  • Voluntary compliance and corrective actions: In many cases, OCR attempts to resolve non-compliance issues through voluntary compliance or by obtaining corrective actions from the covered entity. This may involve implementing measures to prevent future breaches and ensuring that all staff are adequately trained.
  • Resolution agreements: OCR may enter into resolution agreements with covered entities, which typically involve corrective action plans and may include monetary settlements.
  • Referral to the Department of Justice (DOJ): Where a case appears to involve a criminal violation of HIPAA, such as knowingly obtaining or disclosing PHI in violation of the rules, OCR may refer it to the DOJ for potential criminal prosecution. Willful neglect that is not criminal remains a civil matter, but it is the highest civil penalty tier.

Assemble a response team

Gather a team of specialists to manage a thorough breach response. Based on your company's size and specifics, this team might include experts from forensics, legal, information security, IT, operations, HR, communications, investor relations, and management.

Identify a data forensics team and consider hiring independent forensic investigators to determine the breach's source and scope. These investigators will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps. Consult with legal counsel to ensure compliance with federal and state laws. You may also consider hiring outside legal counsel with expertise in privacy and data security to provide further guidance.


Gather documentation

You must keep written records to show that the following actions have been completed, and retain them for at least six years as HIPAA's documentation standard requires:

  • Conducting a breach risk assessment, including the four factors it must weigh: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Notifying required parties, including keeping copies of the notification letters and the dates they were sent.


Conduct an internal investigation

Conducting an internal investigation allows the covered entity to determine the scope of the breach in terms of:

  • Which data may have been accessed, and whether it was actually acquired, viewed, or used.
  • The individuals affected, and where they reside.
  • How to mitigate the harm and prevent it from spreading further.

Determining this information will also provide guidance on how the organization should provide notice of the breach and to whom.


Learn from the incident

Conduct a post-incident review to identify lessons learned and improve your organization's privacy and security practices. Use this information to enhance your breach response plan and prevent future incidents.


FAQs

How should an organization notify affected individuals and authorities? 

Notify affected individuals and the HHS Secretary as required by the HIPAA Breach Notification Rule. Individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. If the breach affects 500 or more individuals, the HHS Secretary must be notified on the same timeline, and if it affects more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.



How can we ensure our staff is adequately trained in HIPAA compliance?

Training programs should be conducted regularly and include updates on new regulations, best practices for data security, and incident response procedures.


How can we demonstrate our HIPAA compliance to OCR during an investigation?

Provide comprehensive documentation of your security measures, breach response actions, compliance policies, training programs, and any corrective actions taken.