Covered Entity Hires Me to Respond to OCR Investigation—No Violation, Case Closed! HIPAA & HITECH Act Blog by Jonathan P. Tomes


A covered entity hired me to respond to an Office for Civil Rights (“OCR”) Complaint Investigation that alleged that the entity was not in compliance with HIPAA by making an impermissible disclosure of protected health information (“PHI”) in violation of 45 C.F.R. §§ 164.502(a) and 530(c).

The covered entity had done a good job in conducting an internal investigation into what had happened. That internal investigation gave me the information that I needed to respond to OCR that this incident was not an impermissible disclosure for two reasons. First, the information was not PHI. Second, even assuming that the information was PHI, it was a permissible disclosure to a family member who was involved in the patient’s care.

OCR agreed that the information disclosed did not constitute PHI. Consequently, it did not address the alternate ground that, it if it had been PHI, it would have been a permissible disclosure to a family member. It determined that the covered entity had not violated HIPAA and closed the case.

In the OCR investigation, however, OCR reviewed copies of the covered entity’s policies and procedures related to the allegation and its HIPAA training materials and documentation of having conducted the required training and encouraged it to continue to review its policies and ensure completion of future annual training.

One cannot know whether the compliance that I detailed in my response, which also included completion of a risk analysis, contributed to the favorable finding, but I doubt that it hurt any. The take-away from this report of that finding is that you need to perform/update your risk analysis, implement in writing all of the policies and procedures that you will need to achieve HIPAA compliance, and conduct and document HIPAA training, both initial training and refresher training.

If you need help with implementing policies and procedures, please see my forthcoming newest book, The Complete HIPAA Policies and Procedures Guide with accompanying CD of sample policies and procedures. If you need help with performing or updating a risk analysis, please start with our Gap Analysis Survey Questionnaire with confidential report and phone consultation. If you have already done a Gap Analysis, see our new Risk Analysis online, which we hope to have up on our website for you by the end of the month. If you need help with HIPAA training, please see my forthcoming Basic HIPAA Training Video and Workbook, 6th edition. If you have questions about buying any of these items, please contact our marketing director, Patrick Head, at or toll-free at 855-341-8783.

seo by: k.c. seo