Breach incident management: Providers should anticipate an OCR investigation

By Jan Elezian, Director, SunHawk Consulting LLC in Denver, CO, and Nancy Lipman, Vice President of Compliance at Chicanos Por La Causa Inc. in Phoenix, AZ.

With the implementation of the Breach Notification Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] the healthcare industry has experienced an increased risk of enforcement action by the Office for Civil Rights (OCR). Separate from the Breach Notification Rule, two additional factors compound this risk. The first is individuals’ ability to file a complaint directly with the OCR.[2] The OCR accepts all HIPAA violation complaints, from any source, about any covered entity or its business associate, regardless of the size or nature of the potential breach. The second is individuals’ heightened awareness of the value of their personal information and the need to protect it. The OCR, in conjunction with law enforcement, investigates incidents involving theft of HIPAA-protected information and fraud. Of the 91 reported breach incidents under investigation by the OCR during the first two months of 2020, 65 involved hacking or other information technology incidents, including those with potential malicious intent such as malware, ransomware, and phishing schemes.[3] Given any of these risk factors, it is practical to assume that an OCR complaint will be filed for each compliance investigation conducted in response to an alleged breach. This article discusses some key steps in managing a breach incident response.

Recent examples

Three recent OCR settlements highlight the critical need for organizations to be knowledgeable and prepared to manage their response when a data breach is discovered.

  • On May 6, 2019, the Tennessee-based Touchstone Medical Imaging entered into a $3 million settlement with the OCR after issues with risk analysis and management and with timely breach notification to the Department of Health and Human Services, among other violations, were discovered during an OCR investigation.[4]

  • On October 23, 2019, Jackson Health paid a $2.15 million civil monetary penalty after an OCR investigation revealed multiple HIPAA violations within the health system, including a failure of risk management processes and failure to provide timely and accurate breach notification to the Department of Health and Human Services.[5]

  • On November 27, 2019, Sentara Hospitals paid a $2.175 million civil monetary penalty and agreed to a corrective action plan to settle HIPAA violations that included failure to accurately and timely report a data breach.[6]

While fines may be . . .

1. 45 C.F.R. §§ 164.400-414.
2. 45 C.F.R. § 160.306.
3. “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information,” Office for Civil Rights, U.S. Department of Health and Human Services, accessed April 2, 2020.
4. Jessica Davis, “OCR Settles with Touchstone Medical for $3M After Health Data Breach,” Health IT Security, May 6, 2019.
5. Jessica Davis, “Jackson Health Pays OCR $2.15M Penalty for Multiple HIPAA Violations,” Health IT Security, October 23, 2019.
6. Jessica Davis, “Sentara Pays $2.2M for Failing to Properly Report Data Breach to OCR,” Health IT Security, November 27, 2019.

Copyright 2020 Society of Corporate Compliance and Ethics (SCCE). All rights reserved. Unless permitted under this website’s Terms of Use, this content may not be reproduced, duplicated, copied, downloaded, stored, further transmitted, disseminated, transferred or otherwise exploited without SCCE’s prior written consent.

Copyright 2020 Compliance Today Magazine, a publication of the Health Care Compliance Association (HCCA).

Ramping Up Virtual Project Management / Team Facilitation in Response to COVID-19? SunHawk Can Help

Our skilled leaders and professionals at SunHawk are experts at managing complex and time-sensitive projects in a virtual, online world. In these disruptive times, we can jump in to help your organization with regulatory and compliance management needs, including:

  • Organizing a short-term crisis management/response team,
  • Facilitating or assuming leadership of a new compliance initiative, or
  • Providing leadership to an established team or adding additional expertise.

Do you have work that needs to be done? Do you lack the immediate bandwidth or resources to see such projects to fruition given other priorities? We can help; please reach out to Jim Rough or James Rose for assistance:

SunHawk Consulting is a team of highly skilled and experienced subject matter experts in the Healthcare, Life Sciences, and Insurance Industries who understand that the client’s needs and budgets come first. SunHawk provides Crisis Management Response, Compliance Consulting, Disputes & Investigations, and Staff Augmentation services for Boards of Directors, internal/external legal counsel, company management and employees, special committees, bankruptcy trustees and receivers, and government agencies.