When HIPAA Comes Knocking

By Linda Harvey, RDH, MS

Knock, Knock
Who’s there?
OCR, who?
Oh see, are your HIPAA Policies up to date?

According to the 2011 Second Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, data breaches are on the rise—and most of them are caused by employee mishaps. Recently, I worked with an office that was under informal investigation by the Office of Civil Rights (OCR) for a privacy violation. It’s a situation everyone wants to avoid, yet in today’s regulatory world, it’s a very real possibility.

We’ll call him Dr. Smith. One of his assistants burned a copy of Mrs. Jones’ X-rays onto a CD and personally handed it to Mrs. Jones. When Mrs. Jones discovered that the information on the CD was someone else’s, she filed a complaint with the US Department of Health and Human Services (DHHS).

Dr. Smith was stunned when he received the complaint from OCR (the DHHS agency that enforces federal civil rights and health privacy laws). After all, his staff did their best to handle Mrs. Jones’ concern. The specific violations cited included:

• The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. 45 C.F.R. § 164.502(a).
• The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the health information. 45 C.F.R. § 164.530(o)(1).
• A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by the Privacy Rule. 45 C.F.R. § 164.502(d)(1).

The OCR required a long list of documents from Dr. Smith, including statements about his policies and procedures on impermissible uses and disclosures, the safeguards in place to prevent such disclosures, his privacy complaint process, documentation of staff training (including the training materials), and signed acknowledgements from trainees. Now Dr. Smith is playing catch-up, since neither his HIPAA manual nor his staff training is current.

What can you do to prevent this from happening in your practice?

There are several steps you can take to avert an OCR investigation:

1. Privacy awareness and training must be an ongoing priority. Train all staff to recognize and report privacy complaints, and to stay alert for privacy breaches.
2. Implement a checklist for copying data that includes having a second staff member recheck the data before it is released to the patient.
3. If patients have privacy concerns, offer them an in-office complaint form (this form should already be part of your HIPAA manual) and suggest they meet with your Privacy Officer.
4. Develop scripts or tips staff can use when handling privacy complaints.
5. Be sure your manual covers all of the above procedures in detail.

The repercussions from this incident may be widespread and long-lasting. Dr. Smith needs legal representation, which may not be covered by his insurance. He and his staff are being diverted from their normal duties in order to update and collect the documents requested by the OCR. To further complicate the situation, the complaint may be released to the public under the Freedom of Information Act, which could mean that other patients in his practice hear of it, resulting in a possible loss of reputation, patients and revenue.

It’s easy to become complacent or frustrated with the myriad regulations that must be followed, but in the long run compliance is far more cost-effective than an investigation.