reviews by DHHS (HIPAA)
entity must keep records regarding its compliance with
HIPAA regulations. Such documentation
- records related
to any internally handled complaints.
must permit access by DHHS "during normal business hours"
to any information, including protected health information,
relevant to determining compliance.
If an investigation
pursuant to a general compliance review (or a specific individual
complaint) indicates organizational violations, the Secretary
must notify the institution (and any complainants) in writing.
direct the Secretary to "attempt to resolve [problems]
by informal means whenever possible." If informal resolution
is not possible, the Secretary must issue formal, written
findings, which presumably would raise the possibility of
further investigation, and legal or financial sanctions.