What to Expect During an OCR Audit or Investigation and How to Prepare

This blog is based on part four of our 5-part webinar series, “HIPAA Audits Are On The Way—Are You Ready?” Access the replay and presentation materials here.

As a HIPAA covered entity or business associate, if the unthinkable happens and you are the victim of a breach or other cyber incident, you probably expect the Office for Civil Rights (OCR) to open an investigation, depending on the size and nature of the event. What you may not realize is that you, and any vendor that accesses protected health information (PHI) on your behalf, can also be selected for a random OCR audit at any time, and that an audit looks much like a formal investigation.

Under HIPAA and the HITECH Act, OCR has the authority to audit or investigate any healthcare-covered entity or business associate to ensure compliance with the HIPAA Security and Privacy rules. In fact, it’s anticipated OCR will launch a new round of audits, the third under HITECH requirements, as early as next year.

While investigations may feel more dire because of their potential consequences, don’t overlook the importance of ensuring you can quickly and accurately respond to an OCR HIPAA request anytime.

Investigation Triggers: A Complaint

OCR can initiate a HIPAA review at any time. Most investigations, however, begin with a complaint or a triggering event. Patients and their families are common sources of complaints, but anyone who believes a HIPAA compliance issue has affected them can file one. In other cases, OCR opens an investigation because of a breach or other cybersecurity event, either one you were required to report to OCR yourself or one OCR learned about elsewhere, for example through news reports.

OCR receives a very large volume of complaints each year, and HIPAA is only one of the laws it enforces. The good news is that not every HIPAA complaint turns into an investigation. OCR applies a set of threshold criteria to decide whether a complaint is actionable and should escalate into a full investigation:

  • Alleged action must have occurred in the past six years
  • Must be filed against a covered entity or a business associate
  • Must allege an activity that, if proven true, would violate the HIPAA Rules
  • Must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the HIPAA Rules
    • OCR may waive this time limit if the individual demonstrates good cause

What Happens During an Audit or Investigation?

Each OCR investigation is assigned to an investigator. This investigator will handle every aspect of the case, from the initial complaint through review and rectification to determining if the case warrants additional consequences like fines and other penalties.

While the nature of each investigation may be different, the OCR investigative process generally looks like this:

  1. Review the complaint. Accept, deny, or refer to another agency, such as the Centers for Medicare & Medicaid Services (CMS). Not all complaints warrant an investigation.
  2. Notify the complainant and the covered entity named in the complaint.
  3. Request information about the complaint from the complainant and covered entity (15 – 30 days to reply).

The investigator will interview the complainant at this stage to better understand what happened. The complainant may be asked to provide additional information and documentation about the HIPAA violation. This information may be used to inform the data request letter the investigator will later send to your organization.

Here, as with audits, the investigator will also consider:

  • Is the complaint complete?
  • Is the complaint filed on behalf of a third party?
  • Does OCR have the authority to investigate?
  • Does the complaint allege a violation of the HIPAA Rules? Does it include sufficient information?
  • Are there particular sensitivities (consent to release identity, etc.)?
  • Has the complainant filed prior complaints against the CE or business associate?
  • Have prior complaints been filed against the CE or business associate?
  • Was it filed on time?
  • Does OCR have enough time to begin investigating? (i.e., was the complaint filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the HIPAA Rules, and did the alleged violation occur in the past six years?)
  • Is it a high-impact case?
  • Has the complaint been withdrawn?

As a healthcare organization, you can respond to the allegations against your organization, which will be detailed in your notification letter. While the specifics of your letter will vary depending on the issue, in general, notification letters outline the facts the investigator discovered during the initial complaint investigation, the related potential HIPAA violations, and a timeline to respond to a request for documentation concerning the complaint.

To facilitate a smooth investigation, your response should acknowledge receipt of the investigation notification and outline what you’ve done to address the issue. It’s best practice that the tone of your letter demonstrates that, whether or not you believe your organization is at fault, you take the investigation seriously and are committed to mitigating the issue.

Depending on the nature of your investigation notice and the documentation you must provide, OCR generally gives you 10 to 15 days to respond. In some cases, OCR may extend that up to 30 days.

  4. Review the information and evidence gathered.

During this time, the investigator will analyze each potential violation and possible conclusions. This may include additional background research. In cases where the claims warrant deeper review, the investigator may request additional documentation and, in some cases, may want to conduct an on-site investigation.

  5. Determine whether there are any HIPAA violations.

In addition to determining whether there were violations and what they were, your investigator will also consider how egregious the violation was, which can ultimately impact the degree of consequences from the findings.

  6. Resolution.

Many OCR complaints are resolved through voluntary compliance; however, if there is no resolution, there are three potential outcomes: a corrective action plan, a resolution agreement, or a referral to another agency.

A corrective action plan may run for as little as a year or span several years. During that time, the covered entity or business associate must report to OCR on a regular schedule and remains subject to OCR monitoring.

A resolution agreement is a settlement between the Department of Health and Human Services (HHS) and a covered entity or business associate in which the organization agrees to perform specified obligations over a period of time. A resolution agreement may include a corrective action plan, a resolution payment, or a civil monetary penalty. As with a standalone corrective action plan, OCR continues to monitor the organization for the term of the agreement.

OCR may also refer the case to other departments, such as the Department of Justice, for additional review and potential consequences.

OCR may also impose civil money penalties (CMPs). If it does, you can request a hearing before an administrative law judge. This impartial official reviews the case record and decides whether OCR's determination was correct.

If OCR issues a fine, the individual(s) who filed the initial complaint will not get a portion of the penalties. Instead, OCR deposits the penalties into the U.S. Treasury.

  7. Notify the complainant and the covered entity of the findings.

OCR Audit Processes

OCR audits and investigations share many steps, but they differ in important ways.

OCR has conducted two rounds of audits so far: Phase 1 in 2011-2012 and Phase 2 in 2016-2017. In both rounds, OCR built a pool of covered entities, including healthcare providers, health plans, and healthcare clearinghouses, taking into account size, affiliations, location, and whether the entity was public or private. OCR also divided health plans into group plans and issuers, and categorized providers by type, such as hospital, practitioner, elder care/skilled nursing facility (SNF), health system, or pharmacy. It then randomly selected auditees from each category. Phase 2 audits also included business associates.

Based on how OCR conducted the first two audits, should your organization be subject to a future audit, the process will likely resemble the following:

First, OCR will send two emails: an initial notification letter and a document request. You may have 10 days to respond (based on the 10-day period given in previous audits).

From there, OCR will review the documents you submitted against its audit protocol.

After this review, OCR prepares a draft findings report and gives your organization time to respond to those findings. Note that OCR takes your organization's responsiveness into account when preparing the final report. Following your response, OCR issues its final report. Unlike an investigation, where internal reports are not shared with either the covered entity or the complainant, an audit ends with OCR providing your organization with a copy of its final report.

Preparing for an OCR Audit or Investigation

With a new round of HIPAA audits looming, now is the perfect time to ensure your organization is ready to respond quickly and accurately to OCR requests. That begins with your front-line staff (for example, call-takers and those who receive general organizational emails) knowing how to spot an official OCR communication.

During COVID, OCR sent audit notification emails to several entities that assumed the emails were scams and therefore never responded to an official government inquiry. Phishing that impersonates a regulator is a real risk, and your staff should take it seriously, but there are several ways to quickly confirm whether a data request actually came from OCR:

  • Check the actual sender address, not just the display name (it should end in "hhs.gov"; be alert to lookalikes such as a domain that merely contains "hhs.gov" or uses a hyphen in place of the dot).
  • Each data request letter carries a transaction number. The first two characters of that number correspond to the year OCR sent the request.
  • If you still have concerns, verify out of band:
    • Call the phone number listed on the complaint, and confirm it matches the OCR contact information published on hhs.gov rather than relying only on the number in the message.
    • Do a LinkedIn search for the investigator named in the complaint.
    • Contact the relevant OCR regional office using the information on the OCR contact page.

Do not rely on the OCR Breach Portal (the public list of reported breaches) to determine whether your organization is under investigation. Remember, OCR receives an enormous number of complaints and each investigator carries a heavy caseload, so your matter may not yet appear anywhere public. That does not mean the investigation is not legitimate.
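The sender checks above can be automated at your mail gateway or by the team that triages the shared inbox. The following is an added example, not code from the original post, OCR, or Clearwater: it applies the "hhs.gov" rule to the real From address rather than the display name, rejects lookalike domains, and only trusts Authentication-Results headers stamped by your own gateway (the gateway name `mx.example-hospital.org` and all three sample messages are constructed for illustration).

```python
"""Triage a raw email that claims to come from OCR.

Added example for this post (not OCR's or the author's code). It applies
the post's "sender should be hhs.gov" rule to the actual From address,
rejects lookalike domains, and trusts Authentication-Results only when
written by our own gateway. Messages and gateway name are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OFFICIAL_DOMAIN = "hhs.gov"
# Hypothetical: the authserv-id your inbound gateway writes into
# Authentication-Results. Headers naming any other host could have been
# forged by the sender and must be ignored.
TRUSTED_AUTHSERV = "mx.example-hospital.org"

# Constructed sample 1: genuine-looking sender, gateway verified DMARC.
SAMPLE_OFFICIAL = b"""From: OCR Investigator <investigator@hhs.gov>
To: privacy@example-hospital.org
Subject: Data Request Letter
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=hhs.gov; dkim=pass header.d=hhs.gov; dmarc=pass header.from=hhs.gov

Please see the attached data request letter.
"""

# Constructed sample 2: lookalike domain that merely contains "hhs.gov".
SAMPLE_LOOKALIKE = b"""From: OCR Notice <notice@hhs.gov.secure-portal.example>
To: privacy@example-hospital.org
Subject: Data Request Letter
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=hhs.gov.secure-portal.example; dkim=none; dmarc=none

Log in to the portal within 24 hours.
"""

# Constructed sample 3: "hhs.gov" appears only in the display name, the
# real address is elsewhere, and the auth header was stamped by an
# unknown relay rather than our gateway.
SAMPLE_DISPLAY_NAME = b"""From: "ocr@hhs.gov" <ocr-audit@example.net>
To: privacy@example-hospital.org
Subject: Data Request Letter
Authentication-Results: relay.example.net; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=pass header.from=hhs.gov

Respond immediately.
"""


def sender_domain(msg) -> str:
    """Domain of the address in From, ignoring the display name."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_official_domain(domain: str) -> bool:
    """True only for hhs.gov itself or a genuine subdomain of it."""
    return domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)


def trusted_auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts, taken only from headers our gateway wrote."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.split(";", 1)[0].strip().lower()
        if authserv_id != TRUSTED_AUTHSERV:
            continue
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def assess(raw: bytes) -> dict:
    """Return the checks a front-line reviewer needs before acting on the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    auth = trusted_auth_results(msg)
    domain_ok = is_official_domain(domain)
    dmarc_ok = auth.get("dmarc") == "pass"
    # Passing both checks earns an out-of-band call-back, never immediate
    # compliance with a link or attachment.
    return {
        "from_domain": domain,
        "domain_ok": domain_ok,
        "dmarc_pass": dmarc_ok,
        "verdict": "plausible-official" if domain_ok and dmarc_ok else "suspicious",
    }


if __name__ == "__main__":
    for label, raw in [("official", SAMPLE_OFFICIAL),
                       ("lookalike", SAMPLE_LOOKALIKE),
                       ("display-name", SAMPLE_DISPLAY_NAME)]:
        print(label, assess(raw))
```

A "plausible-official" result is a reason to pick up the phone using the contact details published on hhs.gov, not a reason to open the attachment; a "suspicious" result should go to your security team, but remember that an unanswered genuine notice is its own problem, so route both outcomes to a human.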

Other best practices to consider for OCR audit prep:

  • Include/invite all appropriate stakeholders (and ensure that those stakeholders have been identified and documented well before a notification letter). This may go beyond privacy, compliance, and security teams and include representatives from other departments.
  • Understand if your audit/investigation will be onsite or virtual (i.e., a desk investigation/audit).
  • Gather relevant documentation and ensure evidence is readily available (digital and print).
  • Craft an incident narrative.
    • Summarize your organization’s perspective and how you responded (or future remediation efforts). This is important because it gives investigators a framework to understand all the evidence they collect.

Some other helpful tips to ace your HIPAA audit:

  • Carefully read the letter/request.
  • Be respectful, but don’t be afraid to clearly state when you believe something is incorrect (and can provide evidence to prove it).
  • Respond in a timely fashion and answer data requests on time.
  • Routinely and clearly communicate with your assigned investigator.
  • If you need a deadline extension, request it early.
  • Remember, every case (and investigator) is different, so you should never guess your case’s outcome based on the outcomes of similar cases.

Are You Ready?

OCR investigations and audits can happen at any time, so your team should always be prepared. Consider running mock investigations and tabletop exercises to confirm that your processes work as intended. These give your team a chance to identify and fix gaps before a real event, and in particular to confirm that your processes let you respond accurately and on time to an OCR request, however detailed or complex it may be.

Ensure you have policies and processes in place to document evidence supporting your organization’s compliance with HIPAA Privacy, Breach Notification, and Security Rules. If you’re unsure about being ready for an audit, Clearwater’s compliance experts can help. Let’s connect.

