Responding to External Investigations and Inquiries
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Responding to External Investigations and Inquiries
Policy Number: IM-10
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires, through our HIPAA Compliance Program, meaningful and open communication. To this end, we require that employees report conduct that a reasonable person would, in good faith, believe to be inappropriate or irresponsible in permitting or facilitating the release of protected health information (PHI).
Failure to report inappropriate or irresponsible conduct is a personnel violation (under our HIPAA Compliance Program). It is the policy of DU to encourage disclosure and to discuss areas for improvement. To this end, there shall be no retribution for reporting conduct that a reasonable person acting in good faith would have believed to be inappropriate or irresponsible.
It is the policy of DU to attempt to respond fully and accurately to all general inquiries about all of our HIPAA compliance and Information Management activity. We affirm our intent to fulfill the reasonable expectations of our patients regarding their privacy. As such, all external inquiries for Privacy Program related records, inquires about our policies and practices and the like, shall be addressed to the Privacy Officer at 267.359.5598. Speed and discretion in discussing these inquiries will be paramount.
Specific inquiries, in the form of requests by patients and/or more formal inquiries or searches by government investigators, have become more frequent. Many of these inquiries are routine and reveal no evidence of wrongdoing. While we have implemented a HIPAA Compliance Plan to assure our compliance with protocols and our privacy policies, the procedures that follow document our protocol(s).
1. Patient Inquiries
If any patient calls or appears in any office, requesting his/her own or any one else's (child, spouse, parent, etc.) record, or if a written request for such information comes into the office, then follow these steps:
- If the patient or representative of the patient appears in person, the front desk staff should have the individual complete the Request for Access to Medical Information form. If the request is received by mail, no further forms are required.
- Front desk personnel shall review the request form for completeness and forward the correspondence to the treating clinician for approval.
- The Office staff shall seek proof of identification and relationship to the patient whose PHI is in question. If additional information is needed (for example, if correspondence does not sufficiently identify the records being sought), the Office staff shall contact the patient to obtain the information.
- The Office staff shall file all documents in the patients file.
- Within 15 days, the treating clinician or designee shall determine the extent of the record to be released to the patient or personal representative. Staff shall calculate the cost of inspection and/or reproduction. The patient shall be notified of the cost and an appointment to inspect the records shall be arranged, unless patient requests copies of the record to be mailed.
- As soon as is practicable thereafter, but not later than 30 days from the date of the request (60 days if the records are maintained off-site, other than in an electronic health record), the Practice shall provide the requested information. If unforeseeable circumstances cause a delay, the Practice may extend the time to provide the records for an additional thirty days, provided that it notifies the patient, in writing, of the reason for the delay and provides the date by which the Practice will comply with the request. In no event shall the Practice take more than 60 days (90 days, if the records are maintained offsite, other than in an electronic health record) from the date of the request to provide the records.
- The Practice may provide a summary rather than the full records, if the patient agrees that this is acceptable in advance. The patient shall be notified of the cost of preparing the summary and must agree to the cost in advance. The same time limits shall apply whether the Practice is providing the actual records or a summary.
2. Government Investigations
If an investigator arrives at any location of our Practice with either a request to review records or a search warrant or other legal process, follow these steps:
- Immediately contact your immediate supervisor or the office manager and the Privacy Officer. The Privacy Officer may contact the legal counsel as needed.
- Request and copy proof of identification from the investigator.
- Do not accept business cards. If that is all that is/can be provided, call the investigator’s supervisor to prove the "investigation." If none, contact the Privacy Officer.
- Document (in writing) the name(s) and position(s) of the investigators instituting the search and any follow up thereto and copy any documentation they provide.
- If a search warrant is provided, a copy of it should be forwarded (faxed immediately) to your general counsel at 267.359.6271.
- Attempt to schedule the search for another time when no patients are in the office, and your attorney can be available. If not, confer away from the public areas.
- Observe all aspects of the search and take detailed notes concerning which specific file cabinets, offices, and records are searched. Be as specific as possible.
- Record any statements made by the investigators, and limit your discussion with them. Do not volunteer any information or "chat" with the investigator.
- Do your best not to permit original records to be removed.
- Copy any document item or material to be "taken" in the search, before it is removed from the Practice. Also obtain a written inventory listing of all property or records seized by the investigators in the search which they plan to remove from the office (sign and date the inventory and have the investigator(s) present). In include the time, date, full name, title, address, telephone number, and supervisor's name. Attach his/her business card and the subpoena, if there is one.
- If the investigators seek to seize any information on the computer or in electronic equipment, back up all data before allowing the information equipment to be removed and maintain a copy. Advise the investigators that if they have a valid warrant for the information that you will make them a back up tape.
- Do not permit the "search" to expand beyond the specific stated limits when the investigator announced his/her intent or to expand beyond the specific limits of the warrant.
- Search warrants seek production of things, documents and/or items, not thought. Do not answer any questions of a substantive nature about such item(s). That is beyond the scope of the order to produce. Decline to answer these questions until you are in the presence of legal counsel.
- If the search cannot be rescheduled and the intrusion is going to be substantial, close the office. Send remaining patients home.
- Comply with the warrant and attempt to expedite this process; do not impede the person(s) serving/executing the warrant, but also do not "make him/her comfortable" and/or lengthen this process.
- Refer any further inquiries (from the investigators or otherwise) to Privacy Officer at 267.359.5598 or General Counsel for the University at 267.359.5810.
Back to Top