Question:
Jennifer,
Our group has gone through doing an internal risk analysis. How do we need to show the risk analysis was done?
Thanks, S
Answer:
The risk assessment should be documented in writing. Was a survey done? If a third party was used, get a report. Hopefully, if you retained a third party, it was through counsel so privilege attaches…
Question:
Jennifer,
Does the duty to report to OCR apply only to electronic information that is breached or could there be a verbal breach that must be reported to OCR?
Thanks, C
Answer:
Yes.
Question:
Jennifer,
Do you think erring on the side of reporting something as a "breach" is better than conducting a risk assessment where you conclude it is not technically a breach, so you don't need to report it? If reasonable minds differ as to whether it’s a breach, is it better to report it or does that open your exposure to an audit?
Thanks, C
Answer:
No. Any government involvement with the practice is bad, regardless of whether it is potentially innocuous. You do not want to have to report if there is no need. However, you most certainly need disclosures addressed, through a proper assessment process and response. Where a "breach" is identified, reporting would be required.
Interested in having Jennifer speak at an event or at a residency/fellowship program? Contact Jennifer directly at (516) 747-6700 x. 302 or at Jennifer@Kirschenbaumesq.com