How long a HIPAA investigation takes depends on factors such as the nature of the violation, the consequences of the violation, the covered entity’s willingness to cooperate with HHS’ Office for Civil Rights, and any other compliance issues that are identified during the course of the initial investigation.
Despite many healthcare organisations’ best efforts, HIPAA violations do occur. Some are honest mistakes made in spite of a Covered Entity’s (CE’s) safeguards; in other cases they are the result of deliberate, malicious actions undertaken for an individual’s own benefit. Whatever the cause, once a violation has been detected, an investigation should be conducted into the circumstances surrounding it. But how long does a HIPAA investigation take? And what are the procedures for one?
If an employee suspects that a HIPAA violation has occurred, they should first report their concerns to the CE’s HIPAA Compliance Officer. This is the individual responsible for ensuring that the CE is HIPAA compliant and for overseeing the various aspects of implementing HIPAA in the workplace. Any patient or customer who has concerns relating to HIPAA can also contact the Compliance Officer.
Upon receiving the notification of a potential violation, the Compliance Officer should conduct an internal investigation into the incident. During this investigation, the Officer should assess the nature of the alleged violation, its scale, and whether any data was breached.
It is difficult to say how long this first investigation will take. It will depend on a variety of factors, including the type of violation that is alleged to have occurred, how many people were involved, how cooperative they were, and whether any protected health information (PHI) was breached.
At the end of the investigation, the Compliance Officer may conclude that no violation occurred, in which case no further action is required beyond documenting the finding. Similarly, if the violation was minor – for example, an incidental violation of limited scope, or PHI that was improperly, but accidentally, disclosed to someone within the organisation – there may be no further action to take, although the incident and the reasoning behind that decision should still be recorded.
More severe violations – particularly those in which PHI has been accessed by unauthorised individuals – may need to be reported to the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services. Under the Breach Notification Rule, a breach of unsecured PHI affecting 500 or more individuals must be reported to OCR within 60 days of discovery; smaller breaches must be reported within 60 days of the end of the calendar year in which they were discovered. Members of the public who have concerns, or who are dissatisfied with the outcome of a CE’s internal investigation, may also submit a complaint directly to the OCR. Complaints must be submitted within 180 days of when the complainant knew, or should have known, about the violation, though OCR may extend this deadline for good cause.
The first task of the OCR will be to assess whether a HIPAA violation actually occurred. If it believes a violation has occurred, and that the complaint was submitted within the correct timeframe, it will then launch an investigation. But how long does a HIPAA investigation take? Again, it is hard to say. The OCR treats all complaints with urgency, but there are a number of limiting factors, such as its caseload, the volume of records and policies it has to review, and how promptly the CE responds to requests for information. Complex cases will necessarily take longer to investigate.
There are three possible outcomes of a HIPAA investigation if a violation is deemed to have occurred. The OCR often requires that the CE or business associate (BA) undertake a corrective action plan to rectify the failings that led to the violation. The CE or BA may also be subject to civil monetary penalties. In severe circumstances, the case may be referred to the Department of Justice for criminal investigation.
So, how long does a HIPAA investigation take? There is no clear answer. An investigation may take months, particularly if outside actors were involved. The sooner a HIPAA violation is reported, however, the sooner it can be resolved.