One investigation involved a former employee of the hospital who claimed his medical records were accessed inappropriately. OCR's investigation took about five to six months. Federal officials resolved that there was no such inappropriate access.
During the investigation, Young retained all his hospital's communications between the former employee and OCR in an electronic file. And he kept the audit access logs on the employee's medical records, for which OCR asked for copies.
"It was reasonable, and I shared everything with them," Young says. "We documented the incident report and the e-mail exchanges. I created an electronic folder and put copies of emails, phone calls and notes, into it and had an investigative log in there that has the timeline of all related events. They wanted me to produce audits of the complainant's record, and they ended up agreeing with us."
Another OCR investigation with Mammoth involved a patient who claimed a co-worker should not have been allowed in the treatment room; though it could not be corroborated the patient ever expressed that during the stay, Young says.
The end result came when OCR asked Mammoth to change its policies and procedures and be more proactive to ensure patients know they can refuse certain folks' presence in their hospital room.
"OCR wants to see you are taking these things seriously," Young says. "If you don't, they don't hesitate to inform you there are really going to be consequences."
Today, Young is as proactive as ever about training. One big part is issuing commendations. In fact, he awards folks for good privacy and security practices by distributing one-page commendations to individual employees, their managers and human resources.
It's little things like this that help employee morale – and help when OCR or state auditors come knocking.
"It's great for the employees," Young says. "And now, maybe they see that Greg is not just looking for the bad guys, he's looking for the good guys, too. And we're using the commendations as a tool for any regulatory agency that wants to audit us. It shows historically we encourage people to report things and then proactively respond by immediately addressing the risk before it becomes something reportable."