November 19, 2015



Question:


Jennifer, 

Our group has gone through doing an internal risk analysis.  How do we need to show the risk analysis was done?

Thanks, S

Answer:

The risk assessment should be documented in writing.  Was a survey done?  If a third party was used, get a report.  Hopefully, if you retained a third party, it was through counsel so privilege attaches…

Question:

Jennifer, 

Does the duty to report to OCR apply only to electronic information that is breached or could there be a verbal breach that must be reported to OCR?

Thanks, C

Answer: 

Yes. 

Question: 

Jennifer, 

Do you think erring on the side of reporting something as a "breach" is better than conducting a risk assessment where you conclude it is not technically a breach, so you don't need to report it? If reasonable minds differ as to whether it’s a breach, is it better to report it or does that open your exposure to an audit?

Thanks, C

Answer: 

No.  Any government involvement with the practice is bad, regardless of whether it is potentially innocuous.  You do not want to have to report if there is no need.  However, you most certainly need disclosures addressed, through a proper assessment process and response.  Where a "breach" is identified, reporting would be required. 

 

 

 

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.

November 18, 2015