Implementing a strong HIPAA Compliance framework is your best plan to prevent a breach. Understanding what the OCR will ask you for in the event of a Data Breach, and preparing all of this documentation ahead of time will give you a very good head start on HIPAA Compliance and may just prevent you from experiencing a breach.

The documentation requested after a data breach may actually have prevented the breach in the first place

Much can be learned from studying history, and when it comes to HealthCare providers that have experienced a data breach, there is some very helpful information to be learned.  Here is a list of the documentation requested in a 2015 letter from the OCR titled "Data Request".  It is interesting to note that if this practice had completed all of the requirements asked for in this Data Request before the breach, it is highly likely that they never would have experienced a breach in the first place.

Would your practice be able to hand over this documentation if you experienced a breach?  Here is the comprehensive list of documentation that the OCR requested.  Please also note that the response needed to be submitted to the OCR within 30 days of the receipt of the letter. 

  1. A response detailing the alligation of what happened.
  2. Proof of proper response to the data breach, and proof of notification to affected patients, media, or OCR.
  3. Evidence of Policies and Procedures on workforce members' uses and disclosures of PHI.
  4. Evidence of appropriate administrative, technical and physical safeguards.
  5. A copy of the Risk Analysis performed for or by the CE prior to the incident, and any conducted after the incident.
  6. Evidence of the security measures implemented to reduce risks and vulnerabilities identified through the CE's risk analysis.
  7. Evidence of Policies and Procedures on reporting security incidents, including copy of incident report created in response to the incident & corrective actions taken.
  8. Evidence of security awareness training for all employees.
  9. Evidence of policies and procedures to safeguard the facility and the equipment therin from unauthorized physical access, tampering and theft.
  10. Evidence of Policies and Procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
  11. Copies of mechanisms in place for encryption/decryption of systems containing ePHI.
  12. Copies of breach notification policies and procedures.
  13. Policies and Procedures related to the disclosure and safeguarding of patient pHI.
  14. The organizational structure of the business, including who owns and operates business, where it is registered to do business, and identify the custodian of records with contact information.  
  15. Any additional information which would assist OCR in investigation of the complaint.

After reading this list, I can't help but wonder if "Guide to Breach Prevention" might have been a better title for this document. 

If you have concerns about HIPAA Compliance, or are looking for an IT Support company that specializes in HealthCare and understands HIPAA Compliance , call us at 877-843-5767.  If you'd prefer to have one of our Senior IntelliSuite Engineers call you, click here to request a call.



Rose Doherty

Written by Rose Doherty