When covered entities and business associates are faced with a data breach investigation or compliance audit by federal regulators, there are a number of moves they should and shouldn't make, says attorney Marti Arvin of security consulting firm CynergisTek.
While the Department of Health and Human Services' Office for Civil Rights - which enforces HIPAA - isn't likely to launch a comprehensive investigation following the report of a small privacy incident, for example, major breaches and mishaps will attract scrutiny from the federal regulators, she warns.
"I do think OCR has made it pretty clear that if you have a more significant issue, or one of a multitude of issues you've reported to them, you've increased your likelihood of having them come and investigate you and do a deeper dive of the practices of the covered entity or business associate," Arvin says in an interview with Information Security Media Group.
Among the mistakes entities make is failing to provide OCR with updated, accurate contact information in case the regulator needs to notify the organization about an investigation or compliance review, says Arvin, vice president of audit strategy at the consulting firm CynergisTek.
"If that letter [from OCR] goes to somebody in the organization who doesn't recognize the need for [a] prompt response, then that can become an issue if OCR asks you to respond within a certain time frame and the organization doesn't get the letter to the right person to initiate that response," she says. "A 'do' is to meet [OCR's] timeline in their requests - and if you can't meet the timeline for whatever reason ... they're generally pretty reasonable if you contact them."
Cooperating with federal regulators in a timely manner is also important when it comes to hammering out potential settlements or other enforcement actions following a breach investigation, she notes.
In the interview, Arvin also discusses:
- What healthcare sector entities can expect during OCR breach investigations and potential onsite HIPAA compliance audits, as well as security-related reviews by other HHS agencies, including the Office of Inspector General, and by state regulators;
- Why some organizations that have a decentralized system for keeping privacy and security records potentially find it more difficult to respond quickly to OCR requests for documentation following a breach or as part of another review;
- A new "compliance program effectiveness assessment" service that she's heading up at CynergisTek.
Arvin has more than three decades of operational and executive leadership experience in the fields of compliance, research and regulatory oversight in academic medical and traditional hospital care settings. As vice president of audit strategy at CynergisTek, Arvin leads strategic business development on compliance services. She previously served as the chief compliance officer for Regional Care Hospital Partners, UCLA Health System and David Geffen School of Medicine.