I hope that you have read my previous blog posts, particularly those recounting that the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) civil money penalties and settlements in lieu thereof have been based on failure to conduct a HIPAA risk analysis, failure to have necessary HIPAA policies and procedures, and failure to properly train the workforce on HIPAA. If those posts did not convince you, here is another, somewhat different, piece of evidence of the importance of having necessary policies and conducting necessary training.
I just completed preparing and submitting a response to an OCR Data Request for a complaint investigation that it was pursuing. Unlike the breaches that resulted in the fines and civil money penalties mentioned above, such as the loss of unencrypted laptops, this one was not a security breach. This one involved an alleged privacy breach (and in my opinion, it was not a breach at all) involving an alleged failure to afford alternate communications. Thus, failure to conduct a risk analysis of the security of any PHI involved was not at issue (and my client had done a risk analysis). But the relevant parts of the Data Request indicated the importance of policies and training:
- The name, title, and contact information of the person from your organization who will be working with OCR to resolve this matter.
- Your written response to the complaint allegations along with any corroborating documentation.
- Clarification of your process for [redacted to preserve client confidentiality but generally speaking of how the covered entity communicated with individuals].
- A copy of the facility’s HIPAA policies and procedures regarding the safeguarding of protected health information.
- Documentation of all HIPAA training completed by any involved workforce members for the last two years to include copies of training materials used and evidence of completion.
- Any applicable mitigation efforts and corrective actions taken in this incident, including but not limited to sanctioning and/or retraining of the involved workforce member(s).
- A copy of any applicable breach notification efforts.
- Any additional information which would assist OCR in investigating this complaint.
Even though I do not consider the complaint to be a valid privacy violation, thank God my client had implemented HIPAA policies and procedures and had trained its workforce on HIPAA (and had kept records of that training). If OCR disagrees with my no-violation analysis, it certainly was not a breach due to willful neglect, which carries the highest civil money penalties (which cannot be waived), and it would seem that such a penalty would be unlikely, especially as no harm resulted from the alleged violation of the right to alternate communication and my client fully cooperated with the investigator.
But what if the client had not been able to provide the HIPAA policies and training records? So here, we have a non-breach, but the covered entity nonetheless had to produce HIPAA policies and procedures and HIPAA training records. Could a lack of HIPAA policies and procedures and HIPAA training records lead to a civil money penalty even though no privacy breach occurred? Or an Office of the Inspector General (“OIG”) audit? Do you want to take that chance? Under HIPAA (45 C.F.R. § 164.316(b)(2)), you must keep required HIPAA documentation for six years from the date of its creation or the date it was last in effect, whichever is later. Could you produce all of the required HIPAA documentation today if you had to? If you are not sure what to keep under HIPAA, please see Chapter 6, “HIPAA Retention Rules,” in Jonathan P. Tomes, Michael I. Spak, and Richard D. Dvorak, Medical Records Retention Guide, 4th ed., Overland Park, KS: Veterans Press, Inc. (2011), which is available for you to read in the Premium Member section of the Veterans Press website.
Again, as a reminder, if you bought the HIPAA Compliance Library that includes my 5th edition of the Compliance Guide to HIPAA and the DHHS Regulations, you received with it a one-year free subscription to the Premium Member section. If you need help setting up your account to access the Premium Member section, please call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at patrick@veteranspress.com.