Printer Friendly, PDF & Email

The Fine Art of Responding to an OCR Data Request

The HHS Office for Civil Rights (OCR) tries to resolve complaints and concerns about possible HIPAA violations through informal means, a process that can involve providing technical assistance (TA) to a covered entity (CE) or business associate (BA).

But if the issue is serious or complicated—or if TA fails to resolve the concern and noncompliance continues—the next step is for OCR to issue a data request letter. And, according to an OCR investigator, the quality of an organization’s response to that letter will influence whether the agency stops there or moves to actual enforcement, which can include a financial penalty and a corrective action plan.

Speaking at a recent conference[1] sponsored by the Health Care Compliance Association, publisher of RPP, OCR investigator John Haskell broadly described how the agency handles complaints (see related story, p. 1).[2]

Haskell also addressed the fine art of writing a response letter, with the hope that his suggestions would help “expedite” the process of closing cases.

Whether sent to a CE or BA, a data request letter will contain a recitation of the allegations, a description of OCR’s authority, a list of documents and information requested, “an instruction sheet,” and a “penalty fact sheet,” Haskell said.

In his letter, Haskell typically requests a “narrative response with any relevant supporting documentation” that addresses allegations of a violation of the privacy, security or breach notification rules.

CEs need to be thorough and clear in their responses, include material that is cited, and ensure that the investigator can find the exact reference, he added.

This document is only available to subscribers. Please log in or purchase access.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field