HIPAA:
How To Avoid An On-Site Privacy Investigation
Published on Thu Apr 22, 2004
Do you know what to do if you receive a call from OCR? Ring ... ring! You answer the phone and an investigator with the HHS Office for Civil Rights is on the other end. What you say and do during this phone call could mean the difference between a slap on the wrist and a visit from OCR's investigators.
Here are some stats on HIPAA Enforcement: There have been more than 3,900 privacy rule complaints submitted to OCR. That number has risen from 3,700 complaints since the end of 2003.
Roughly 40 percent of all complaints have been resolved.
No civil monetary penalties have been imposed thus far. Do you know what to do if you receive a call from OCR? Here's a bit of advice that could wind up saving you from an on-site investigation:
Answer All Correspondence ASAP. If OCR suspects a violation, the enforcement agency will make direct, verbal contact with your organization.
Make sure you get in touch with OCR im-mediately upon receiving their message, advises William Pierce, a spokesperson with HHS. If you receive a message from OCR, contacting them immediately to address the complaint will earn you some important credibility. Don't Panic - Just Cooperate. The worst thing you can do if you receive a call from OCR is panic. Remember, OCR knows that sometimes a violation sent by an angry patient really isn't a privacy rule violation at all. The agency's first goal is to determine what violation, if any, occurred.
If a violation did happen, they want to know why. The best thing you can do is answer OCR's questions as honestly and as fully as possible. After that OCR will work with you to fix any problems and to ensure that a privacy breach doesn't occur again.
After all, the complaint could've arisen from "a simple mistake or error -- or it could be a lack of knowledge (about the privacy rule)," says Pierce.
Also, keep in mind that OCR must show "clear cause and motivation" when it submits a complaint to the Department of Justice. As long as you cooperate with the agency and answer all of the investigator's questions, you shouldn't have to worry about any on-site investigations, much less incurring a fine, assures Pierce.
Straight From the Source
Pierce sums up OCR's enforcement goals with some advice for health care organizations: "What (OCR) really wants to do is, they want you to know what the rule is - to know what you're supposed to do - and to implement it."
Remember: "The ultimate goal of the privacy rule is to protect an individual patient's medical records. Everyone shares that goal. Nobody's working at cross-purposes here," Pierce tells Eli.