In the middle of a HIPAA investigation is the last place you want your practice to be.
As a federal law, HIPAA has many different rules and regulations that healthcare organizations, such as your practice, must comply with. However, certain compliance violations, such as data breaches, can easily happen, whether due to internal or external factors.
Now here’s the catch. If the HIPAA violation is severe enough or is action isn’t taken to address it, it can easily trigger a formal investigation at your practice. And the bad news is that the outcome of this investigation can impact your business, cause you stress, and damage your patient trust — but also result in your practice paying skyrocketing fines.
Navigating a HIPAA compliance investigation may sound confusing for practices to handle. But, in reality, what you’re probably lacking is the right knowledge of HIPAA compliance violations, alongside the right tools that can guide you through the process.
Every practice should take a formal HIPAA violation investigation seriously. However, given that HIPAA investigations are not as discussed online, it is only natural that you might have some questions regarding the process.
Namely —
- Who investigates HIPAA violations?
- What triggers a HIPAA violation investigation?
- Who does a HIPAA violation investigation affect?
- Can patients complain of a HIPAA violation at your practice?
- What happens during a HIPAA violation investigation?
- How big are the potential penalties and fines?
- Most importantly, how is a HIPAA investigation successfully resolved?
Don’t stress ahead of time — we’re here to help you get a grasp of how compliance investigations work and share the answers you need.
Read our guide on how to successfully handle a potential HIPAA violation investigation and how to minimize its impact on your practice.
Or, get started by downloading our free step-by-step HIPAA compliance checklist👇
Who investigates HIPAA violations?
HIPAA violation investigations are conducted by the Office for Civil Rights (OCR). The OCR works directly under the US Department of Health and Human Services (HHS) and mainly focuses on enforcing the HIPAA Privacy and Security Rules.
The OCR also proposes penalties and corrective action plans that your practice should implement, in case a violation was proven. It’s then your legal obligation to inspect and act upon any detected HIPAA violation and resolve it within a given deadline.
What types of HIPAA violations will the OCR investigate?
Not every HIPAA violation type will be subject to an investigation by the OCR. For the OCR to launch a HIPAA investigation against you, there needs to be a larger violation.
A formal investigation by the OCR will only happen in these instances:
1. When a patient files a privacy violation complaint
This is the most common reason why the OCR will investigate your clinic for a HIPAA violation. The same can happen if a patient’s personal or treatment information is breached, regardless if the breach was your fault or not. If a patient was denied access to their medical records, for example, they have the right to file a privacy complaint against you.
Initially, a patient doesn’t have to file a formal complaint — if you prove that you resolved the violation. But, if a patient is still dissatisfied with the action taken or the outcome, they can turn to the OCR. To avoid a patient filing a violation complaint, it is necessary to understand the rights your patients have under HIPAA.
2. When the breach affects 500+ individuals
Breaches come in all shapes in sizes. Typically, a smaller breach, one that affects under 500 people, can be handled only on your part, without needing an OCR investigation. However, you must report any breach that affects over 500 people to the OCR, so they can investigate further and help you cope with the threat better.
When reporting a breach, you need to submit supporting documentation on the detected breach, alongside proof that you notified your patients about the issue.
3. When the OCR performs audits
The OCR has a right to perform compliance checks, without giving a heads-up. This helps them ensure that healthcare practices truly comply with all HIPAA requirements, at all times.
Sometimes, the OCR can decide to perform a completely random audit of your HIPAA compliance as a regular practice. This is to confirm that your practice indeed fulfils all HIPAA compliance requirements, so you have to be prepared ahead of time, just in case. But other times, the OCR will have a viable reason to instigate this investigation.
A deliberate HIPAA audit by the OCR might be triggered if you:
- Had a recent breach of PHI
- Experienced ransomware or malware incidents
- Misplaced or lost any electronic devices that store PHI
- Didn’t dispose of paper PHI (by using shredding services or locked trash bins)
- Had office burglaries that might have threatened the safety of PHI
How does the OCR handle HIPAA violation complaints?
The OCR might accept a patient’s HIPAA violation complaint if they believe there’s enough evidence. If that happens, here’s a timeline of the steps you can expect:
👉 An investigation into the patient’s complaint will be triggered
👉 The OCR notifies you and the complainants of this process via letter
👉 The OCR gives you enough time to submit the required documentation
👉 The OCR needs up to 180 days to review the documentation and violation grounds
👉 The OCR makes a final decision, and lets you and the complainant know in writing
👉 You have around a month to correct any violations or pay any imposed fines
The OCR will mainly look into —
⬜ The type and volume of PHI that’s been affected by the breach
⬜ The security measures that you implemented to protect PHI
⬜ Any risk analysis that you have performed to detect PHI threats
⬜ Whether your privacy policies are aligned with HIPAA requirements
⬜ Any breach response strategies that you have prepared
⬜ Any employee compliance training that you carried out
⬜ Relevant paperwork that supports your HIPAA compliance
⬜ Any Business Associates Agreement that you signed
⬜ Your business associates’ adherence to HIPAA compliance
HIPAA violations fines
If you fail to meet the changes required by the OCR or ignore them, they might decide to give you a higher fine or even take legal action. These fines can vary in amount, depending on the violation type and severity.
Have a look at the OCR fines below, based on the different violation types and responses.
Important HIPAA violation investigation deadlines
The OCR sets several different deadlines when investigating a HIPAA violation:
- 60 days to report a breach as a healthcare organization. Your practice can report a HIPAA violation to the Office for Civil Rights (OCR) within 60 days of discovering the breach. Missed deadlines may result in higher penalties if the OCR discovers the violation first.
- 180 days for patients to file a violation complaint. Patients will have 180 days from the date of the violation, or from the date they discovered the violation, to file a complaint. If they miss this deadline, the OCR may not look into their complaint.
- 180 days for the OCR to investigate and make a decision. The OCR aims to decide on HIPAA complaints within 180 days of receiving the complaint. But, this period can be extended if the case is more complex or if the threat is bigger.
- 30 days to pay for a violation fine. If the OCR fines you, you will have 30 days to pay this fine from the day of reaching a resolution agreement. If you fail to meet this deadline, the OCR can take additional legal action against you to collect the fine.
- 10 business days to respond to an OCR audit. If the OCR decides to do a random audit of your HIPAA compliance, you will be notified, after which you will have 10 days to submit the data and documentation required by the OCR.
The OCR doesn’t provide a specified deadline for how long your practice will need to implement its recommendations and corrective steps. But, you should do it as fast as possible, usually in up to 30 days. The OCR may even work with you to establish a timeline for implementation, which should be reasonable, depending on how serious the violation is.
How to report a detected HIPAA breach to the OCR
You’re legally obliged to report a HIPAA breach threat to the OCR if the breach has affected over 500 people. To report it, you’ll have to go through the following steps:
⬜ Enter the basic details of your practice and the person who manages IT security.
⬜ Summarize how the breach was discovered. This should be written by the individual who discovered the breach.
⬜ Detail the nature and extent of the PHI involved.
⬜ Detail the unauthorized person to whom the disclosure was made.
⬜ Determine whether the PHI was acquired or viewed by the unauthorized person.
⬜ Safely store all breach documentation — critical if you deal with another breach, and need to present this information.
Handling a HIPAA violation complaint during an investigation
Let’s say that a patient did file a formal violation complaint to the OCR. Now what? What’s the first thing you can do? Well, if you have already appointed a compliance or a privacy officer — which is a HIPAA compliance requirement — you turn to them first.
The foremost responsibility of your internal compliance officer will be to investigate the reason behind the violation — and its extent — before the OCR checks in with you. This process is detailed, but it needs to be done fast, and error-free. Addressing the damage done promptly will help you look prepared in the eyes of the OCR.
A note — if a single compliance officer cannot perform a whole internal investigation, you might have to appoint a committee of officers.
Since you need to be swift and efficient, here is how you can best handle a violation complaint so you can better present yourself before the OCR.
1. Register the complaint
First, ensure that your compliance officer has processed the formal complaint, and:
- Added a date stamp and log the complaint as an official record
- Informed the patient in writing that their complaint has been received
- Identified everyone involved in the violation
- Inspected if the breach was internal or external
- Checked if any of your policies and procedures were breached
- Informed the patient of the findings and resolution, in writing
If the officer concludes that there is no active violation, they should date stamp the complaint as closed, and inform the patient in writing. You will also need to submit a risk assessment to the OCR to prove that PHI wasn’t affected, alongside supporting reports.
2. Conduct a comprehensive risk analysis
If a violation has been detected in your electronic devices or privacy and security policies, you will have to perform a risk analysis to determine the source.
Some aspects to cover when doing your risk analysis can include:
- Assess your compliance training and access control policies
- Review if your data storage and transfer methods are viable
- Evaluate physical security measures, like access controls and locked rooms
- Inspect technical safeguards, like encryption, authentication, net security, etc.
- Inspect potential threats in your electronic protected health information (ePHI)
- Review how your employees complied with HIPAA policies and procedures
- Assess or update your business associate agreements
- Document any detected threats and resolution recommendations
- Collaborate with HIPAA experts for comprehensive assessments
3. Double-check your devices
Often, devices like computers, laptops, and smartphones can be used to store protected patient information. However, such devices can easily end up misplaced, unattended, or stolen, which then puts the PHI stored in that device at risk of exposure or misuse.
To detect any issues, check all devices you use, like the patient journey iPad, and see how well the data in them is protected.
Do you have a strong password policy? Are you using 2FA to sign to platforms via a device? Are your folders locked? Has anyone accessed a device without having authorized access to PHI? These are some of the questions you will need to answer for the OCR and support them with evidence.
4. Evaluate your HIPAA policies and procedures
Next up — your compliance officer(s) will need to review and revisit your HIPAA policies. They have to check whether they align with the latest regulations and updates.
HIPAA compliance is prone to constant changes, so keep an eye on any vital news. Double-check your plan for handling emergencies in case of a breach and address gaps and loopholes, if any.
Every practice needs to have HIPAA compliance documentation prepared ahead of time. This helps the OCR determine what aspects of your compliance were successfully covered, and what documentation might be incomplete or not updated.
Some necessary HIPAA compliance records you will need to have ready for the OCR can include reports on the usage and storage of PHI, an emergency plan for prompt incident response, worksheets on how you implemented HIPAA’s specific rules, etc.
5. Understand patient rights
Patients have the right to access their health information, like treatment details, photos, and billing records. Patients should also be able to edit or update their information and give you consent before you can use and manage their PHI, or share them with others.
These aside, patients also have the right to —
✔️ Know how their health information is used and disclosed.
✔️ Request restrictions on the use and disclosure of their information.
✔️ Receive a notice of privacy practices from healthcare providers.
✔️ Request confidential communication methods.
✔️ Be informed of breaches of their health information.
✔️ Obtain an accounting of disclosures of their health information.
✔️ Designate individuals who can access their health information.
✔️ File complaints with the Office for Civil Rights.
At the same time, patients don’t have the right to:
✖️ Access medical records of other family members without their consent
✖️ Access certain medical records, like psychotherapy notes
✖️ Demand specific security measures for protecting their data
✖️ Refuse payment for healthcare services
✖️ File a lawsuit against your practice, due to a HIPAA violation
Whenever you are dealing with protected health information, you must always inform patients of what they can and can’t do with their data. You also need to let them know how their PHI is secured and handled.
6. Re-examine your compliance workforce training
If you determine that the HIPAA violation reported was a result of internal employee negligence, you need to inspect further.
- Check how extensive your HIPAA compliance training is, and test employees on their knowledge.
- Create a plan on how you will retrain employees on HIPAA compliance. This will ensure that employees know how to implement HIPAA’s security, privacy, and breach notification guidelines.
🔎 If an employee was at fault for the violation —
Share this with your human resource department or the person who manages your employees or monitors HIPAA compliance (like your appointed compliance officer).
It is your clinic’s responsibility to investigate which employee might have caused a violation; if this was intentional or accidental, and if they were aware they were breaking HIPAA’s policies. To ensure all-around understanding and compliance, you need to (re)train your staff on HIPAA regulations and policies.
🔎 If a business associate was responsible for the violation —
Forward the complaint to them, and also inform the person who filed the complaint. But it will ultimately be your responsibility to investigate if your BAs are at fault for the HIPAA violation in question.
A word from the experts...
The best way to learn about HIPAA investigations? Ask for the wisdom of experts.
David D. Smith
Co-founder of BladGo
👉 David D. Smith is the co-founder of BladGo, an eCommerce shop for medical equipment and devices. He has extensive experience in the medical industry and understands that handling a HIPAA investigation can be a complex process. But, he encourages practices to take action rather than stress, noting —
“HIPAA investigations can be daunting. However, if healthcare organizations and providers adhere to HIPAA guidelines and take appropriate measures to protect patient data privacy, then there is nothing to worry about.”
He also shares a summary of steps you can take during the process:
- “Keep calm and composed. HIPAA investigations can be intimidating and
stressful, but it is essential to cooperate with investigators and don’t try to hide anything. As a healthcare provider, it’s your responsibility to follow HIPAA guidelines and take appropriate measures to protect patient data privacy. Following the rules, regulations, and laws should give you the confidence to handle an investigation. - Prepare documentation: During the investigation, officials may ask for documents related to your healthcare organization’s HIPAA compliance. Being prepared with these documents, even before they are asked, can demonstrate your readiness and professionalism. Documents such as policy manuals, security plans, training records, incident response plans, breach notification letters, and risk assessments should be easily accessible and analyzed to help solve the issue.
- Conduct a thorough self-assessment: Before being investigated by HHS, a healthcare provider should conduct a self-assessment so that they can identify and resolve any potential vulnerabilities to protect patient health information. Include a review of security policies, a record of any breaches or complaints filed, staff training records, documented risk assessments, and an evaluation of any third-party vendors who handle patient data. This way, you ensure that all bases are break-proof and play a safe game ahead of being fined or punished.
- Comply with HIPAA and keep up with periodic training: Ensuring that all employees are appropriately trained on HIPAA guidelines is fundamental to avoid any violations. Any healthcare organization should have training sessions that are updated frequently to keep employees up to speed on what they need to do when any proceedings on HIPAA appear. This periodic refresh can help prevent complaints, breaches, and costly investigations.
- Engage professional HIPAA counsel: HIPAA laws can be difficult to understand, but you don’t have to face an investigation alone. A trusted legal team with expertise in HIPAA compliance can guide you through the investigation process and knows how to handle cases with regulatory bodies. Engaging a professional HIPAA counselor can help you mitigate possible penalties and efficiently defend your organization.”
How the OCR will conclude the HIPAA violation investigation
After you’re done investigating internally, your practice will have to present arguments regarding the violation incident before the OCR. The person who filed the complaint should also do the same. After considering what both sides have to say, the OCR will review the information and evidence and decide.
When the OCR makes a final decision (in up to 180 days), they will share it with your practice and the person who filed the complaint, in writing. They will also propose a deadline by which you’ll need to perform all corrective actions suggested. Sometimes, the OCR might even collaborate with you to resolve the issues faster.
Next, the OCR will ask you to sign a Resolution Agreement. This agreement is official and outlines the corrective actions and penalties the OCR imposed for the violations. The agreement is signed by both the OCR and yourself, but not by the person who filed the complaint.
If the OCR decides to fine you for the violation, you’ll have to pay it within 30 days of receiving it. Finally, when the OCR wants a second opinion or extra revision, they will send the complaint to their ‘superior’, the Department of Health and Human Services (HHS).
💡 The OCR cannot act upon a violation complaint if the action took place before HIPAA’s date of enactment, April 14, 2003.
Support your HIPAA compliance with Pabau 🦾
The best way to handle a HIPAA investigation is to not have one in the first place. And the best way to do that is to ensure you have robust compliance policies and processes in place, to begin with.
👉 One way to do this is by using practice management software that supports your HIPAA compliance, like Pabau.
A designated practice management software, Pabau offers several features — such as data encryption protocols and automatic audit logs. We support your HIPAA compliance and reduce the risk of investigation-worthy violations.
👉 Implement the required compliance steps — and Pabau will ensure you are supported all the way!
Want to ensure through-and-through HIPAA compliance? Download our free HIPAA compliance checklist to get started today! 👇