Implementing a strong HIPAA Compliance framework is a requirement for all Covered Entities and Business Associates, but many practices don't realize that it is also their best strategy for preventing a breach in the first place. My hope is that understanding what the OCR will ask you for after a data breach will help you implement an IT security framework that reduces your chances of ever experiencing one.

Much can be learned from studying history, and this is especially true when it comes to HIPAA data breaches. After experiencing a data breach, a medical practice received a letter from the OCR titled "Data Request". They were kind enough to let me use the information in the letter to help other practices avoid both the financial burden and the damage to their reputation that result from a data breach.

Would your practice be able to hand over this documentation if you experienced a breach? Notice how nearly every request begins with the word "Proof", "Evidence" or "Copy". In nearly every Risk Analysis I have ever conducted, I've been told that "we do that, but I don't have a document". The reality is that if you can't send them proof, evidence or a copy, you are not compliant. It's that simple.

Here is the comprehensive list of documentation that the OCR requested. Please also note that the response had to be submitted to the OCR within 30 days of receipt of the letter.

  1. A response detailing the allegation of what happened.
  2. Proof of proper response to the data breach, and proof of notification to affected patients, media, or OCR.
  3. Evidence of Policies and Procedures on workforce members' uses and disclosures of PHI.
  4. Evidence of appropriate administrative, technical and physical safeguards.
  5. A copy of the Risk Analysis performed for or by the CE prior to the incident, and any conducted after the incident.
  6. Evidence of the security measures implemented to reduce risks and vulnerabilities identified through the CE's risk analysis.
  7. Evidence of Policies and Procedures on reporting security incidents, including a copy of the incident report created in response to the incident and the corrective actions taken.
  8. Evidence of security awareness training for all employees.
  9. Evidence of Policies and Procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.
  10. Evidence of Policies and Procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
  11. Copies of mechanisms in place for encryption/decryption of systems containing ePHI.
  12. Copies of breach notification policies and procedures.
  13. Policies and Procedures related to the disclosure and safeguarding of patient PHI.
  14. The organizational structure of the business, including who owns and operates the business, where it is registered to do business, and the identity of the custodian of records with contact information.
  15. Any additional information which would assist OCR in investigation of the complaint.

Implementing a Security Management Plan for your medical practice is critical to protecting ePHI and preventing a data breach. The first step is to conduct a HIPAA Risk Analysis, which will give you a clear understanding of your environment and of any risks to ePHI that need to be mitigated. The takeaway is that if you implement the security framework required for HIPAA compliance, you will significantly reduce your chances of experiencing a data breach.

If you have concerns about HIPAA Compliance, or are looking for an IT Support company that specializes in HealthCare and understands HIPAA Compliance, call us at 877-843-5767.

Written by Rose Doherty