Patricia Wagner, a Member of the Firm in the Health Care and Life Sciences and Litigation practices; Carrie Valiant, a Member of the Firm in the Health Care and Life Sciences practice; and Robert Hudock, Counsel in the Health Care and Life Sciences practice, all in the Washington, DC, office, were quoted in an article titled "Attorneys' Advice to Covered Entities: Comply With HIPAA Complaint Investigations."

Following is an excerpt:

As the federal government steps up enforcement of the Health Insurance Portability and Accountability Act and launches audits of compliance with HIPAA rules, health care attorneys advised Sept. 8 that covered entities and business associates fully cooperate with federal investigations of HIPAA violation complaints.

Health care attorneys with Epstein Becker and Green P.C. in Washington said during a firm-sponsored webinar on HIPAA enforcement that penalties for failing to cooperate with a HIPAA investigation could be higher than the penalties for an actual HIPAA violation.

One recent case—involving insurer Cignet Health—was evidence that HHS's Office for Civil Rights will impose such higher penalties for failure to cooperate, they said. In February, OCR imposed its first-ever civil monetary penalty on a HIPAA-covered entity—Cignet—for violating the HIPAA Privacy Rule (see previous article). A bulk of the $4.3 million penalty—$3 million—was assessed for Cignet's failure to cooperate with the OCR investigation, attorney Patricia Wagner said.

Wagner said OCR's process for investigating possible HIPAA rule violations typically starts with a letter from the agency asking for specific information, such as data privacy and security policies and procedures, audit logs, and the history of any internal investigations of the complaints.

Attorney Carrie Valiant said that health care organizations, when they are made aware of HIPAA violation complaints, should conduct internal investigations to determine whether a data breach actually occurred.

In fact, Valiant noted, federal regulators do not expect incidents that do not rise to the status of data breaches to be reported to patients.

Valiant said internal investigations should document what happened, why it happened, who or what function was responsible for the incident, how the problem was fixed, and the steps taken to prevent the problem from occurring again.

Attorney Robert Hudock recommended covered entities and business associates utilize data breach risk assessment tools that help frame breach analyses and determine the risk of harm to patients.
