9 steps to take during an OCR data breach investigation

By Rick Kam
09:18 AM

Dealing with sensitive protected health information (PHI) is no simple task. At any point along the spectrum of patient care—from initial diagnosis to billing—PHI is vulnerable to unauthorized disclosure. So, what’s an organization to do when faced with a privacy incident?

Before firing off a press release, it’s important to assess the situation. Remember, all breaches begin as incidents, but not all incidents turn into breaches—a critical distinction. An incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI. A breach, on the other hand, is the acquisition, access, use, or disclosure of PHI that poses a significant risk of financial, reputational, or other harm.

It is that “significant risk” that puts an organization in the U.S. Department of Health and Human Services Office for Civil Rights (OCR)’s line of sight. Every incident (or breach) is different, but the nine steps to take during an OCR investigation are the same, especially if you seek a positive outcome:

1. Learn your HIPAA status: Only organizations subject to HIPAA regulations—covered entities and business associates—are of interest to OCR. For smaller providers or downstream contractors, it’s not always easy to determine HIPAA status. Legal advice is a must. One thing to keep in mind: because the HITECH Act extends the HIPAA regulations to business associates, the scope of culpability has widened to seemingly unrelated businesses or providers. Know where your organization stands.

2. Get HIPAA/HITECH compliant. The laws surrounding PHI data privacy are complex and evolving. Organizations must have policies and procedures in place that help them adhere to these regulations before, during, and after an incident. This creates a defensible position in the face of an OCR investigation. (In the breach world, we call this establishing a burden of proof.) Some tips:

• Create or purchase a software tool for documenting all events—incident or breach—consistently.
• Document the methodology for determining if an incident is indeed a breach and if notification is required.
• Indicate in your policies and procedures what determines a breach. It should be clearly documented what triggers a “notifiable” event. Maybe there are certain data elements particularly vulnerable or sensitive that are specific to your business.
• Create an incident response plan (IRP). An IRP serves as the baseline for a defensible response, allowing providers to react to complaints or data breaches in a timely, methodical, and documented way.

3. Get help. This is no time to go it alone. Smart executives call in appropriate legal counsel before saying a word to investigators. Attorneys should be current on data breach notification laws and have practical experience in dealing with HIPAA and HITECH matters. An integrated services provider can help orchestrate an appropriate response that assures compliance with the HITECH Breach Notification Interim Final Rule and other laws.

Expert help is especially crucial when it comes to the who and how of notification. Affected patients, HHS/OCR, the media, state Attorneys General, and other state regulatory authorities have specific notification requirements. An integrated services provider can manage the communication and notification strategies, ensuring the right audience receives the right message at the right time.

A plan for mitigating harm to affected patients is another factor. Deciding who to help and how to help them can be tricky. Is credit monitoring enough? What about medical identity monitoring? Identity recovery services? Remember the possible civil AND criminal consequences—and plan accordingly.

4. Determine who is financially responsible. Data breaches are costly, but an organization can find ways to offset expenses. For instance:

• Have legal counsel look for applicable provisions in agreements that shift the risk to a business associate or other party. Other laws or indemnity may also apply.
• Seek cyber liability and data breach insurance, but carefully review what is covered and how services are delivered. Some underwriters provide you with a great deal of flexibility in managing a data breach incident and vendor selection. Others will require that you use their team and that they control the process. So carefully review your organization’s culture and requirements along these lines before selecting a policy.
• If, after due diligence, an organization will still have to “pay up,” it should consider the present costs of remediation vs. potential future costs: OCR complaints and penalties, lawsuits, actions by states’ Attorneys General, and bad PR. Expensive as the immediate price tag seems, a poorly executed response can be much worse.

5. Aim for an “informal resolution” in an OCR investigation. An informal resolution means the OCR closes a case with no corrective action and removes an organization from immediate scrutiny. Organizations can achieve this through “voluntary compliance,” or what the OCR calls having a “culture of compliance”—cooperating with investigators and demonstrating the defensible position we discussed earlier. A formal resolution, on the other hand, subjects a covered entity or business associate to a possible corrective action plan (CAP), which can cause years of headache and expense.

6. Create a defensible response strategy. In the article “3 tips for surviving an OCR data breach investigation,” we discussed the importance of working with your OCR investigators. Making their lives easier helps everyone. In particular, OCR likes to see:

• Consistency, especially in the way an organization documents its incident assessments. Privacy offices have so many incidents that paperwork is piling up, putting organizations at risk for investigative action. Incident assessment and documentation software can bring that consistency to an organization—and cut down on the paperwork.
• A service provider with an integrated system of components for a data breach response, including printed notification letters, FAQs, call centers, a website, and digitized recordkeeping.
• Cooperation. While the investigation will focus on the incident that triggered the investigation, it also may include review of the entire compliance program and much of its implementation. This is legitimate; don’t resist a broader investigation.

7. Don’t flunk the “attitude test.” In other words, defensible is good; defensive is not. This includes:

• Communicating in a professional manner
• Being responsive and timely
• Using legal counsel as a conduit for communication and production
• Working toward compliance during the investigation
• Communicating concerns and questions to the assigned investigator. They can be an invaluable resource.

8. Make a clean finish. What an organization does post-incident depends on the outcome of the investigation, but a few essentials include:

• Debrief and analyze policies and procedures, making needed changes.
• Evaluate relationship(s) with external parties—counsel, service providers, etc. Determine what went well, what didn’t. Sever the relationships that don’t work, keep the ones that do.

9. Exceed OCR’s expectations if a settlement is required. The bare minimum is never appreciated. Your organization is now on OCR’s radar screen, and they keep the fines they assess. Additionally, OCR is training state Attorneys General on how to “get in on the action.”

Data breaches are a fact of life for many organizations, from the largest covered entity to the smallest business associate. When the OCR comes calling—and it will at some point—preparing a defensible response in the spirit of “voluntary compliance” can help ensure the most positive outcomes for your organization and the patients you care for.

Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).

Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.