A HIPAA investigation is a mystery until it happens to you. Prepare now for a good outcome by learning why investigations happen, how they unfold, and how to respond.
Investigations and audits can be time consuming and expensive. If the Office for Civil Rights (OCR) finds violations they may impose civil money penalties and require corrective actions. If OCR determines that a case involves a knowing violation they may refer it to the Department of Justice for criminal investigation. Both covered entities and business associates may be investigated.
What Triggers a HIPAA Investigation
An unhappy patient, a breach of protected health information (PHI), or chance can result in an investigation. There are three key triggers.
- Breach affecting more than 500 individuals (OCR investigates all breaches of this size)
- Random audit
OCR encourages anyone who believes that a HIPAA violation has occurred to file a report in its OCR Complaint Portal.
According to OCR, the most common violations that lead to investigations are:
- Impermissible disclosures of PHI
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to enter into a HIPAA-compliant business associate agreement with vendors before giving access to PHI
- Failure to provide patients with copies of their PHI on request
Regarding this last bullet point, OCR is clear that the patient Right of Access to medical records is an enforcement priority. Too many covered entities still are not providing access to records in accordance with the rule. There have been 41 settlements for right of access violations over the past three years since OCR began its Right of Access Initiative. Below is a quick review of the rules:
Key Elements of Right of Access
- Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
- Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days
- Fees, if any, should be minimal. NOTE: a 2020 lawsuit (Ciox Health vs. Alex Azar) concluded that a higher fee may be charged when a patient requests records be sent to a third party.
- Don’t confuse the right of access (for the individual) with a required HIPAA authorization (a third party)
Not all complaints result in investigations. Each complaint is evaluated first to ensure it describes a true HIPAA violation and was filed within 180 days of the event. OCR also explains:
“Additionally, in 52,406 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.” (italics added for emphasis)
Potential outcomes range from mild to expensive and severe. For example, if an organization inadvertently violated HIPAA and follows OCR’s suggestions to improve its compliance, there may be no penalties. On the other hand, if an organization willfully neglects its HIPAA responsibilities and fails to correct the alleged problem promptly, the civil money penalties can be high and a resolution agreement and specific mandatory corrective actions may follow. Criminal penalties may include jail time.
Originally, civil money penalties were modest but OCR decided they needed to be increased to deter noncompliance. The HITECH Act of 2009 significantly increased penalties in the HIPAA Enforcement Rule.
According to a recent OCR report:
“To date, OCR settled or imposed a civil money penalty in 126 cases resulting in a total dollar amount of $133,519,272.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.”
Although the specific amounts are not final since penalties are currently in the rule making process, the following table shows the current penalty amounts for 2022, for cases assessed on or after March 17, 2022.
|Annual Penalty Limit
|Annual Penalty Limit
|Minimum Penalty per Violation
|Maximum Penalty per Violation
|Annual Penalty Limit
|Lack of Knowledge
|Willful neglect (not corrected within 30 days
OCR has stated that the maximum penalty per year should be reduced in three of the four penalty tiers, and the annual cap should be $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1,500,000 for tier 4.
*Note the annual penalty limit is less than the maximum per violation, a discrepancy that will likely be clarified when the final rule is issued.
How to Respond to a HIPAA Investigation or Audit
Cooperate, don’t delay, provide answers and accept OCR’s advice in the form of “technical assistance”. Many cases that resulted in high penalties were avoidable because the penalties were increased for non-cooperation or delays.
If you are audited rather than investigated, The HIPAA E-Tool® has all 180 HIPAA compliance audit protocols (the possible questions, inquiries and document requests) and proposed answers from the E-Tool.
Prepare for Success and Avoid or Reduce Penalties
- Review your HIPAA policies to make sure they are up to date.
- Review the patient right of access rules.
- Conduct a HIPAA Risk Analysis, implement Risk Management steps and document everything.
- Review and refresh workforce training.
- Foster a culture of compliance throughout the organization.
If you have any questions about how to handle an investigation, ask The HIPAA E-Tool® .