
<p><strong>OCR Audit Requirements Following a Self-Reported HIPAA Breach</strong><br />
OTAVA blog, published 2011-09-28: https://www.otava.com/blog/ocr-audit-requirements-following-a-self-reported-hipaa-breach/</p>
<p>A business partner of mine was provided a copy of a letter that the Office for Civil Rights (OCR) sent to an organization following a self-reported <a href="https://otavawebsite.wpengine.com/blog/2011-hipaa-violations-and-audits/">HIPAA breach</a>. I thought you would find some of their requests and the timing interesting.</p>
<p><strong>Documentation</strong></p>
<ul>
<li>Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.</li>
<li>Documentation of an internal investigation conducted by the covered entity in response to the allegations, including a copy of the incident report prepared as a result of the laptop and server theft.</li>
<li>Documentation of the corrective action the covered entity has taken, or its plan for actions it will take, to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
<ul>
<li>Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.</li>
<li>Re-training of appropriate workforce members.</li>
<li>Mitigation of the harm alleged, as required by the Privacy Rule.</li>
</ul>
</li>
</ul>
<p><strong>HIPAA Policies and Procedures</strong></p>
<ul>
<li>A copy of the HIPAA policies and procedures related to the disclosure and safeguarding of PHI, and specifically of EPHI.</li>
<li>A copy of the policies and procedures implemented to safeguard the covered entity’s facility and equipment.</li>
</ul>
<p><strong>Physical Safeguards</strong></p>
<ul>
<li>Evidence of the physical safeguards implemented for computing devices to restrict access to PHI.</li>
<li>Business Associate Agreements and/or the policies and procedures implemented to ensure that Business Associates have put the appropriate safeguards in place (if applicable).</li>
</ul>
<p><strong>Risk Assessment</strong></p>
<ul>
<li>A copy of the most recent risk assessment performed by or for the covered entity, per Security Rule requirements.</li>
<li>Evidence of security awareness training for the involved workforce members, including training on workstation security.</li>
<li>Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.</li>
</ul>
<p><strong>Breach Notification</strong></p>
<ul>
<li>A copy of the written notification of the breach provided to the affected individuals.</li>
<li>A copy of the written notification given to the media. This should include a list of all media sources to whom the notification was given and any media reports (news stories or articles) stemming from it.</li>
</ul>
<p>Note that this request was made in response to a self-reported breach. OCR asks for a great deal of information in a relatively short time. In practice, this means an organization would generally not have enough time to fill gaps in its documentation and safeguards after the fact.</p>
<p>The key message here is that OCR does not get involved in this type of activity only during a “random” audit. An incident that a Covered Entity and/or Business Associate is bound by law to report can also trigger it.</p>
<hr />
<p><strong>Joe Dylewski, President, <a href="https://www.atmpgroup.com/" target="_blank" rel="noopener noreferrer">ATMP Group</a></strong></p>
<p>Joseph Dylewski is a twenty-three-year Information Technology veteran, with eight years spent exclusively in the healthcare industry. In addition to holding positions as a Project Manager and Director of Information Technology, Joseph has also served as a Healthcare IT Services Practice Director and Account Manager, with a proven track record of successfully delivering end-to-end IT application and infrastructure project services. Joseph also currently serves as an Assistant Professor at Madonna University.</p>
<hr />