OCR: What Do You Really Have to Fear?
We read this morning that Touchstone Medical Imaging of Tennessee entered into a $3M Office of Civil Rights (OCR) corrective action plan. It's easy to experience anxiety when we read headlines like this, as they are a reminder of what COULD happen as a result of an OCR investigation. But if we perform a quick analysis, we can conclude that OCR only enters a handful of CAPs or Civil Monetary Penalties (CMP) each year, despite investigating almost 205,000 cases since 2003. Notably, OCR may elect not to enter into a CAP or CMP if state Attorneys General prosecute a case and OCR has referred more than 700 cases to the US Department of Justice.
If we look at Touchstone's case, OCR notes (we added Security Rule citations for you):
an incorrectly configured server 164.308(a)(8)
no timely security incident response 164.308(a)(6)(i)-(ii)
no thorough risk analysis 164.308(a)(1)(ii)(A)
no Business Associate agreements 164.308(b)(1)
a late report to individuals affected 164.404(a)
As you can see, Touchstone didn't really have a HIPAA Security program - which is probably why they earned a CAP - and this is our point. What a company or agency needs to fear from the OCR, if they are trying in earnest to comply with the HIPAA Rules and have implemented reasonable and appropriate security controls, is maybe some OCR technical assistance. We cannot guarantee whether every situation will fall into an assist or something more painful - but we can coach you to understand your requirements and even provide policy and procedures, some program templates, training and support.