Provided by: Jennifer Kirschenbaum, Esq.
December 1, 2020

Question:

Hi Jennifer, 

I believe I have some obligations under HIPAA now that we are nearing the end of the year. Is that right? Can you please outline?

Thank you in advance.  
Dr. O 

Answer:

Dr. O, you are correct! Now is the time for two important HIPAA compliance reminders –

1. Security Risk Assessment - The practice has an obligation to complete a Security Risk Assessment, which we recommend be done annually. A Security Risk Assessment is an assessment of your HIPAA compliance in 3 areas – technical, administrative and physical safeguards protecting PHI. The government has developed a questionnaire tool to be used in the practice’s assessment, available here - https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. Your IT provider should be contacted to conduct this assessment for you, if you have not already done so for this year.

2. Annual Voluntary Disclosure - In conjunction with the Security Risk Assessment, it is time to account for any disclosures the practice may have to report to the Office for Civil Rights. As a reminder, all covered entities (medical practices included) must report to the Office for Civil Rights any disclosures of protected health information affecting fewer than 500 individuals within 60 days of the end of the calendar year. Any disclosures this year impacting more than 500 individuals should have been dealt with at the time of the disclosure. While the report itself is not long, the content you are providing is extremely important, as this is your opportunity to explain what happened and what actions were taken by your practice to rectify the situation and prevent the breach from occurring in the future. The link to electronically submit a report (one per breach) is https://ocrnotifications.hhs.gov/.

Happy to discuss. If you want to schedule a call, you can click here to lock down a time - https://app.acuityscheduling.com/schedule.php?owner=21356550. If your IT provider doesn’t have experience with Security Risk Assessment, let us know, because we know a few vendors that do have experience and can step in for this purpose.