The OCR asks for a great deal of information in a relatively short time. This means that an organization would generally not have enough time to fill in missing gaps in its documentation and safeguards. The key message here is that the OCR does not only get involved in this type of activity during a “random” audit. An incident, for which a Covered Entity and/or Business Associate are bound by law to report, can also generate this activity.
Check to see if you already have these in place or if you're prepared to provide the following:
- Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations
- Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.
- Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
- Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.
- Re-training of appropriate workforce members.
- Mitigation of the harm alleged, as required by the Privacy Rule.
HIPAA Policies and Procedures
- A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.
- A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.
- Evidence of physical safeguards implemented for computing devices to restrict access to PHI.
- Business Associate Agreements and/or policies and procedures implemented to ensure Business Associates have implemented the appropriate safeguards (if applicable).
- A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
- Evidence of security awareness training for involved workforce members including training on workstation security.
- Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.
- A copy of the written notification of the breach provided to the affected individuals.
- A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.