Internal Investigation

Resource: Sample Investigation Checklist

By Melissa Andrews[1]

1. Notify Appropriate Individuals

Privacy Officer

Director

VP

CEO

Compliance Committee

Board of Directors

Other:

2. Timeline

Acknowledge Receipt of Complaint

Identify Involved Parties

Interview Complainant

Inform Accused Supervisor

Prepare Interview

Notify Human Resources

Inform Accused

Patient Notification

OCR Breach Notification

3. Investigation Documentation

Interviews

Screen Shots

Photographs

Audits

Baseline/Behavior Analytics

Electronic Medical Record (EMR) Documentation

Business Associate Agreement

Department Processes/Procedures

Employee HIPAA Training

Breach Analysis/Risk Assessment

4. Patient Notification Documentation

Breach Letter

No Breach Letter

Media/Web Notice

No Contact Letter

5. Mitigation Documentation

Discipline

Training/Retraining

Process/Procedure Changes

Technical Changes

Corrective Action Plan

6. Standard [Facility] Privacy Policies

Minimum Necessary Standard

Use and Disclosure of Protected Health Information with Authorization

Use and Disclosure of Protected Health Information Without Authorization

Use and Disclosure of Protected Health Information for Facility Directory

Use and Disclosure of PHI to Individuals involved in the Patient’s Care and for Notification

Sanctions for Failure to Comply with Privacy Standards

Breach Notification

7. Other Request Documentation

Incident Discovery

Similar Cases

Previous Discipline for Similar Cases

Previous Training for Similar Cases

Previous Training for Department

Privacy Incident Investigation Process

Communications

Complete File

8. TIPS

Make sure everyone knows what to do if they receive an Office for Civil Rights (OCR) letter.

Do Not Mix Cases.

Consider whether Attorney-Client Privilege is necessary.

Define Scope of Investigation early and follow it.

Do not label an incident a Breach until after Breach Analysis/Risk Assessment is completed.

Collect documentation early at time of investigation.

Treat every investigation as an OCR investigation.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings