[ Friday, November 17, 2006 ]
The OCR Complaint and Investigation Process:
I had the pleasure of seeing an OCR representative, health lawyer Iliana Peters, give a presentation at lunch the other day, and had the opportunity to get a peek behind the curtain at how they do things there in regard to investigations and complaints. As with all government speakers, she had to caution us that she was giving her own opinions and HHS and OCR aren't bound by them. But, that caveat aside, she made a few very interesting points:
Jeff [9:09 AM]
- Dumpster-diving issues and complaints are big business for OCR right now. HIPAA covered entities have an obligation to safeguard PHI, and there are other federal and state laws requiring businesses that deal with personal information (such as credit card numbers and Social Security numbers) to protect that information, including destroying it before discarding it. If you aren't shredding your paper trash, you should be. At the least, hire Iron Mountain or somebody to do it for you. If that stuff just goes out into the dumpster, you're dramatically increasing your risks of a HIPAA complaint.
- The vast majority of complaints that OCR refers to DOJ are where PHI is used for personal benefit. Identity theft, use or disclosure of PHI in family law matters, use or disclosure in personal disputes, outright theft of records: those are the types of things that turn an OCR investigation and possible "counselling" session into a visit by the US Marshals and an opportunity to get fingerprinted.
- Finally, note the subpoena power of the OCR in 45 CFR 160.312. The enforcement rule isn't something you really need to know to be able to comply with HIPAA, but if you're being investigated and you don't want to cooperate, you better know the enforcement rule. And well.
- OCR still wants to work things out and make everyone happy. They are much more interested in slapping you on the wrist than handcuffing you. They are relatively easy to please, so make the effort to please them. It will be worth it in the long run.
- OCR will treat the person who makes the complaint as the complainant, NOT the person whose PHI was misused or improperly disclosed. If you are a lawyer and want to file the complaint "on behalf of" your client, be aware that OCR will be calling you with questions, requests for clarification or further information, etc. Also, the complainant does not have any right or "interest" in the matter of the complaint; as we all know, there's no private cause of action for a HIPAA violation, and while OCR will likely keep the complainant in the loop, the complainant does not get to dictate the action or have any approval rights over whatever OCR decides to do.