OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights takes annually, the odds are exceedingly slim that an organization will find itself in a formal sanctions process with OCR.

On the other hand, OCR does investigate every breach affecting more than 500 individuals as well as other complaints that come in, particularly egregious situations, and if things don’t go well, an organization could find itself dogged by the agency’s investigators.

So, wouldn’t it be nice to get inside the mind of an OCR investigator? Enter John Haskell, an investigator in OCR’s Mid-Atlantic Region, who joined the agency approximately 18 months ago. Since that time he has handled “close to 400 complaints,” gaining experience with a range of privacy issues and organizations, both “large and small.”

Among the insights Haskell has gleaned: OCR really doesn’t like when it receives repeat complaints, and it is especially unhappy when a CE or BA is unresponsive to its entreaties. He also gave some tips on how to draft a successful response to an OCR data inquiry and when it might be okay to give him a phone call.

Haskell, whose jurisdiction involves Pennsylvania, Virginia, West Virginia, the District of Columbia, Maryland and Delaware, chatted with Scott Intner, chief compliance officer for GW Medical Faculty Associates, at a recent conference[1] sponsored by the Health Care Compliance Association, which publishes RPP. Intner said he had “worked through a couple of incidents together” with Haskell and wanted others to understand an investigator’s perspective and world view.

Haskell said his case load averages “in the mid-80s,” with about 25% comprising right-of-access complaints, a volume he expects will “trend up” because of the attention stemming from OCR’s enforcement settlements on this issue[2] and perhaps as a result of the pandemic. He reported seeing a marked increase in access complaints in the past five or six months.

OCR’s goal is to resolve a “typical” privacy complaint within six months, Haskell said. Cases may need more time because of the pandemic. Haskell noted that he “can’t force a privacy officer to go into the office to get all the materials that we need, so that has kind of lengthened it a little.”

Describing the process of vetting complaints, Haskell first noted that OCR hears concerns from a variety of sources, including via its online portal and, “still surprisingly,” by mail. All go through a “standard review process” to determine if there is a “credible allegation of a violation due to conduct” by a CE or BA, and whether OCR has jurisdiction.

This is “always key because we get a lot of complaints that are filed against noncovered entities,” he said, and OCR has no authority to pursue them.
