A business partner of mine was provided a copy of a letter that the Office of Civil Rights sent to an organization following a self-reported HIPAA breach. I thought you would find some of their requests and the timing interesting.
HIPAA Policies and Procedures
Initially, this request was in response to a self-reported breach. The OCR is asking for a great deal of information in a relatively short time. Practically, this means that an organization would generally not have enough time to fill gaps in its documentation and safeguards.
The key message here is that the OCR does not get involved in this type of activity only during a “random” audit. An incident that a Covered Entity and/or Business Associate is bound by law to report can also generate this activity.
Joe Dylewski, President, ATMP Group
Joseph Dylewski is a twenty-three-year Information Technology Professional veteran, with eight years spent exclusively in the Healthcare Industry. In addition to holding positions as a Project Manager and Director of Information Technology, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager with a proven track record of successfully delivering end-to-end IT application and infrastructure project services. Joseph also currently serves as an Assistant Professor at Madonna University.