Case Study 2: Hospital & Health System

When an OCR investigation was imminent, a national hospital and health system contacted Apgar & Associates to assure they could respond timely and thoroughly.

A former physician had taken patient files off-premise and stored the PHI in a house that was in the midst of property transfer when the sensitive healthcare data was discovered.

The healthcare provider, alerted to the PHI breach of patient’s exposed medical records, immediately acted. Following breach notification requirements, they alerted both patients and OCR.

To prepare them for the upcoming OCR investigation, Apgar and Associates conducted an OCR mock breach investigation. Just like the OCR would, we notified the client and allowed them twenty calendar days to provide the requested evidence.

The client was able to gather and submit evidence documentation within the allotted time frame, but was concerned as to whether the assembled evidence would satisfy the agency. Based on our knowledge of OCR breach investigation processes, the circumstances surrounding the breach, and how the client handled the breach notification, we:

  • Evaluated the submitted evidence
  • Identified adequate vs inadequate responses
  • Recommended and reviewed mitigating action plan

By the end of the engagement, the hospital and health system client felt confident in their ability to respond quickly and accurately to any OCR inquiry and breach investigation and were taking the recommended breach mitigation actions.