For many healthcare organizations, a dreaded acronym may well be OCR—the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. With fines and enforcement of the HIPAA Privacy and Security Rules on the rise, it’s natural for collective muscles to tense in anticipation of an OCR investigation.
After all, non-compliance means any violation of the HIPAA rules—from improper disclosure of protected health information (PHI) to denying access to medical records. In the latter case, Cignet Health was fined $4.3 million for denying patients access to their medical records. And HHS fined Massachusetts General $1 million for the loss of 192 patients’ PHI.
It’s clear that OCR is ready and willing to impose penalties for violators. And there have been several violations to date, mostly related to improper disclosure of PHI—with 14,000 reported privacy incidents, the majority due to theft and loss, according to the OCR website. Technology has complicated matters, with laptops and other portable storage devices such as USB flash drives accounting for 38 percent of reported incidents.
Once an organization has reported a privacy incident to HHS, it’s only a matter of days before OCR comes calling. But there is hope. As we’ve worked with healthcare organizations, we’ve learned three key lessons about surviving an OCR investigation with reputation and sanity intact, and with patients well taken care of:
1. Be prepared before an incident occurs
2. Educate the investigator
3. Ask for help
Lesson 1: Be prepared before an incident occurs. Organizations should strive for “voluntary compliance”—or what OCR terms a “culture of compliance.” Doing so can help healthcare providers avoid a corrective action plan (CAP), which can cause years of headache.
The reality is, there’s no legitimate excuse for most violations. HIPAA was enacted in 1996, and its Privacy and Security Rules have been in force long enough for any covered entity to have instituted some form of compliance plan. At a minimum, this includes:
• Workforce security awareness training
• An annual privacy/security risk assessment
• Periodic review and updating of privacy/security policies and procedures
• Retention of appropriate outside services (legal, forensic, notification) before an incident occurs
Perhaps the most critical element in planning for compliance is what we call an Incident Response Plan, or IRP. The IRP provides an overall strategy for how providers will react to an incident—and it can be a major help with OCR investigations. We like to consider the IRP as a “living” document, a process that adapts to an organization’s changing compliance needs.
Often, organizations are doing a lot of the right things already. But without documentation, it’s much less defensible in the face of an investigation. An IRP helps create a defensible response, allowing providers to react to complaints or data breaches in a timely, methodical, and documented way.
Not all incidents are breaches, but all breaches begin as incidents. Incidents warrant different levels of risk management depending on their severity, but what matters more is a consistent methodology for responding to and documenting every incident, whether or not it is ultimately determined to be a breach. More than anything, this consistency is what helps healthcare organizations achieve voluntary compliance.
A proper IRP should be based on a documented risk assessment to determine an organization’s security and privacy vulnerabilities. This customized IRP will help providers promptly and properly mitigate, self-investigate, impose sanctions, conduct training, prepare a report, and make changes to policies and procedures.
The following questions highlight just a few of the areas an IRP could answer:
• Do you have a plan for consistently treating individuals and their sensitive information in a caring way?
• Are there siloed incidents in your organization that are leaving you vulnerable?
• Does the physical security team know when a security event is also a PHI event?
• Does the janitor realize that a prescription label in the trash might be a PHI issue?
Preparation takes time, money, and energy. In the long run, it’s better to be prepared to protect an organization’s good name and the patients it serves.
Lesson 2: Educate the investigator. Once an organization is under OCR’s microscope, the best thing executives can do is to make the investigator’s job as easy as possible with a timely response. When emotions are on the line—and they will be—it may be difficult to cooperate. The key is to act defensibly, not defensively. Some tips:
• Create a defensible approach. This includes demonstrating a consistent response in the way an organization assesses risk, documents findings, and executes incident response. In addition, an organization should be consistent in the way it determines the risk of harm—and document that methodology.
• Expect the unexpected request for information and access. While the investigation will focus on the breach or other basis for instituting the investigation, it also may include review of the entire compliance program and much of its implementation.
• Compile, and be prepared to supply, the information on the OCR checklist (an integrated breach service provider can greatly assist here). That checklist includes:
  • Policies and procedures limiting physical access to sensitive information.
  • Confirmation that notification reached 100 percent of the reported population.
  • Evidence and description of notification to the media.
  • A copy of the notice of privacy practices.
  • Actions taken to mitigate harm to the individuals affected.
  • Evidence supporting the actions taken to prevent recurrence.
  • Copies of the written policies and procedures relevant to breach notification and employee training, and copies of sanctions policies, as they stood both before and after the incident.
  • A copy of the risk analysis report performed before the breach that identified the risks or vulnerabilities relating to the incident, and the most recent risk analysis performed.
Lesson 3: Ask for help. Investigators, like healthcare executives, want to do the right thing, and surprisingly, may be an organization’s most valuable asset during an investigation:
• Call the investigator and get a baseline of expectations.
• Express concerns or ask questions. Talking through a situation can help. Perhaps you had a good reason for your choices following an incident.
• Show empathy for investigators. They’re tasked with applying vague legislation to a specific incident. Demonstrate that you want to help, and make their job easier by giving them the information they need.
When it comes to surviving an OCR investigation, the laws are real and the fines are real. But so are the people. Being prepared in advance with an incident response plan, providing information in a timely manner, and getting the help you need from the very people who are investigating will go a long way in demonstrating compliance and your determination to do the right thing.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).
Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.

