Implementing a strong HIPAA Compliance framework is a requirement for all Covered Entities and Business Associates, but many practices don't realize this is also their best strategy to prevent a breach from happening! My hope is that understanding what the OCR will ask you for after a data breach will help you implement an IT security framework that will reduce your chances of ever experiencing one.
Much can be learned from studying history, and this is especially true when it comes to HIPAA data breaches. After experiencing a data breach, a medical practice received a letter from the OCR titled "Data Request". They were kind enough to let me use the information in the letter to help other practices prevent suffering both the financial burden and the damage to their reputation that results from a data breach.
Would your practice be able to hand over this documentation if you experienced a breach? Notice how nearly every request begins with the word "Proof", "Evidence" or "Copy"! In nearly every Risk Analysis I have ever conducted, I've been told that "we do that, but I don't have a document". The reality is that if you can't send them "Proof, Evidence or a Copy", you are not compliant. It's that simple.
Here is the comprehensive list of documentation that the OCR requested. Please also note that the response needed to be submitted to the OCR within 30 days of the receipt of the letter.
Implementing a Security Management Plan for your medical practice is critical in protecting ePHI and preventing a data breach. The first step is to conduct a HIPAA Risk Analysis, which will provide you with a clear understanding of your environment and any risks to ePHI that need to be mitigated. The takeaway is that if you implement the security framework required for HIPAA compliance, you will significantly reduce your chances of experiencing a data breach.
If you have concerns about HIPAA Compliance, or are looking for an IT Support company that specializes in HealthCare and understands HIPAA Compliance, call us at 877-843-5767.