DHHS and HIPAA compliance reviews for covered entities
Every covered entity must document how it maintains compliance with the HIPAA regulations. That documentation includes: the policies and procedures governing the collection, use, and disclosure of PHI; the designation of the organizations and persons responsible for HIPAA compliance (e.g., the privacy officer and the security officer); records of how patient requests for access to health records, amendment or correction, an accounting of disclosures, additional protections, and confidential communications were handled; and records of any complaints handled internally.
Covered entities must give DHHS access "during normal business hours" to any information, including protected health information, that is relevant to determining compliance.
If an investigation, whether arising from a general compliance review or from a specific individual complaint, indicates that the organization has violated the regulations, the Secretary must notify the institution (and any complainant) in writing.
The regulations direct the Secretary to "attempt to resolve [problems] by informal means whenever possible." If informal resolution is not possible, the Secretary must issue formal, written findings, which presumably raise the possibility of further investigation and of legal or financial sanctions.