Provided by:  Jennifer Kirschenbaum, Esq.

December 12, 2019




Thank you for Tuesday's reminder that reporting is coming up.  You talked about evaluating breaches and when to report.  Who should do that?  Me or you?  Also, sounds like breaches can happen a lot.  

What do you think? 

Dr. L


Good questions. Yes, for many practices breaches happen. Hopefully not a lot. Anywhere we have HIPAA information we may potentially have unauthorized disclosures. A great example I love to use (because no one thinks about it) is copy machines - they retain everything. When you return it, you have to wipe it. Our biggest area of exposure lies with our human resources - our people responsible for proper HIPAA compliance. Every practice around (or hospital, etc.) has some unauthorized disclosures throughout the year. How those disclosures are addressed and the circumstances of the disclosure will determine whether the disclosure is tantamount to a breach (fingers crossed, not). Depending on the nature of the unauthorized disclosure, you may want counsel to get involved and write up an independent assessment. The primary reason for asking counsel to do so is to avoid the optics of a self-serving self-assessment. Arguably a third party, even one you are paying, and especially one with a fiduciary duty, will advise in line with the law. It may be safer to have your counsel write up the assessment. Of course, there is always a chance the Office of Civil Rights performs an assessment and finds the outside assessment inadequate somehow; however, the fact that you have an outside assessment and a HIPAA protocol in place will, in itself, protect you from government HIPAA exposure.

The reality is every practice needs HIPAA help - no matter the size. Every practice needs some guidance on Security Risk Assessment and mitigation upon unauthorized disclosure, or assistance with self-reporting. We are here to help with all of the above. Call or email if you wish to discuss or if you need assistance assessing a disclosure.

Common disclosures -
1. incorrect patient receives materials (email communication, record, invoice, appointment reminder, etc.)
2. wrong referral doctor receives information
3. business associate receives access without a proper business associate agreement in place