Article

Who decides if there is a HIPAA Breach and whether to report?

Provided by:  Jennifer Kirschenbaum, Esq.

December 12, 2019

 

Question:

Jennifer, 

Thank you for Tuesday's reminder that reporting is coming up.  You talked about evaluating breaches and when to report.  Who should do that?  Me or you?  Also, sounds like breaches can happen a lot.  

What do you think? 

Dr. L



Answer:

Good questions. Yes, for many practices breaches happen. Hopefully not a lot. Anywhere we have HIPAA information we may potentially have unauthorized disclosures. A great example I love to use (because no one thinks about it) is copy machines - they retain everything. When you return it, you have to wipe it. Our biggest area of exposure lies with our human resources - our people responsible for proper HIPAA compliance. Every practice around (or hospital, etc.) has some unauthorized disclosures throughout the year. How those disclosures are addressed and the circumstances of the disclosure will determine whether the disclosure is tantamount to a breach (fingers crossed, not). Depending on the nature of the unauthorized disclosure, you may want counsel to get involved and write up an independent assessment. The primary reason for asking counsel to do so is to avoid the optics of a self-serving self-assessment. Arguably a third party, even one you are paying, and especially one with a fiduciary duty, will advise in line with the law. It may be safer to have your counsel write up the assessment. Of course, there is always a chance the Office of Civil Rights performs an assessment and finds the outside assessment inadequate somehow; provided, however, the fact you have an outside assessment and a HIPAA protocol in place will, in itself, protect you from government HIPAA exposure.

The reality is every practice needs HIPAA help - no matter the size. Every practice needs some guidance on Security Risk Assessment and mitigation upon unauthorized disclosure, or assistance with self-reporting. We are here to help with all of the above. Call or email if you wish to discuss or if you need assistance assessing a disclosure.

Common disclosures -
1. incorrect patient receives materials (email communication, record, invoice, appointment reminder, etc.)
2. wrong referral doctor receives information
3. business associate receives access without a proper business associate agreement in place

