a letter from ocr

  • 25th September 2012

Sally Scott drove up to her office building for work on a comfortably warm, sunny, and crisply quiet morning in September. The sky was deep blue, not a cloud in sight. Sally was happy. She had just been promoted to office manager for Acme Medical Group. Sally was unprepared for the angst of the next few hours.

She collected the mail for the office and began to sort it. One envelope looked somewhat official. A bit nervous, she slid the letter opener under the back flap and sliced along the top edge. She pulled out the stack of thick pages and started reading the cover letter. Her heart sank into her stomach. The letterhead read “Department of Health and Human Services, Office of the Secretary, Office for Civil Rights,” and the letter started “Dear Ms. Scott, Please be advised….”

Sally panicked. She knew the Office for Civil Rights (OCR) was the federal enforcement agency for the privacy and security standards under the Health Insurance Portability and Accountability Act (HIPAA). She felt the tingling of her nervousness extend out and down her arms. The letter went on to state that a patient of Acme had filed a complaint with OCR alleging that Acme had violated a HIPAA privacy standard.

She did not know what to do. “How can this be?” she thought. “We are so careful. I am going to get fired. We will go out of business.”

The day before, Sally happened to read about a Massachusetts health care provider that had been assessed a $1.5 million fine by OCR after self-reporting the loss of an unencrypted laptop computer. Sally thought the amount of the fine was astronomical. The fact that the provider self-reported the issue and still got fined seemed a little odd to her and very punitive.

Since the federal Stimulus Bill of 2009 (whose HITECH Act provisions amended HIPAA), HIPAA has shifted from a standards-based to a penalty-based law. The Stimulus Bill dramatically raised the fines for HIPAA violations. What that means is that OCR is in the early stages of learning how to be a hammer-in-hand enforcement agency. Some of the hefty penalties it assesses on covered entities will seem to be more about sending a message to the public than about the specific violation. Hopefully, both providers and OCR will learn from these early cases and work toward keeping providers in the game in a more compliant manner, rather than purely punishing them.

The details of HIPAA, coupled with the myriad of state privacy laws, set up a pretty big risk area for providers. Obviously, that is not much of an excuse to the folks at agencies like OCR.

As Sally quickly learned in her new job, she had to step back from her panic mode, take a breath and approach the letter like she would any compliance matter. First, she took some time to understand the nature of the complaint: was this really Acme’s patient, and did the complaint describe something Acme was responsible for? Because the complaint was applicable to Acme, she conducted an internal investigation into the allegations: were they accurate, and what did the records show? Finally, she worked up an appropriate response to the letter and ran that by Acme’s health care counsel. She also asked her counsel the right question, that is, whether her draft response answered exactly what the letter asked for, and nothing more.

Is it a good idea to run these issues by legal counsel? Sure, but the basic compliance work needed to respond to the letter can and should be handled by the provider’s own internal staff, as it was at Acme. If a more serious issue is raised in an internal investigation, counsel probably should be involved along with a security expert. In Sally’s case, she had already convinced her bosses that more work was needed to develop their HIPAA compliance program. That work allowed Sally to stop panicking fairly quickly, develop an appropriate and cost-effective response, and avoid further investigation.

Letters like the one Sally received will likely become fairly common for health care providers as OCR continues to ramp up its responses to HIPAA complaints and undertakes compliance audits of covered entities. Providers sitting on the fence of HIPAA compliance should assess whether they can still afford to wait, or whether they should implement internal checks and balances now so they are better prepared if they ever receive a letter similar to Sally’s.