To whom should HIPAA complaints be addressed within the covered entity? Any healthcare worker who believes they have witnessed a HIPAA breach should report the incident internally. Usually, the person to report the breach to is your Privacy Officer, if your organization has appointed one.
Reporting Possible HIPAA Breaches Internally
During your HIPAA training, you should have been told to whom HIPAA complaints should be addressed within the covered entity, and the procedures to follow for making complaints about possible HIPAA breaches. Generally speaking, the HIPAA breach must be reported to the person in your organization who is responsible for HIPAA compliance, which is usually your Privacy Officer or CISO. You might feel more comfortable reporting the incident to your manager.
All HIPAA breaches, even those that appear relatively minor, must be reported. They might be indicative of a wider problem, so it is vital that they are investigated internally. Unintentional HIPAA breaches must also be reported. It is better to own up to a minor HIPAA breach than for the breach to be reported by a coworker or to be discovered during an internal audit, or worse, by regulators.
A covered entity should investigate possible HIPAA breaches and decide whether HIPAA Rules have been violated, and if so, whether the incident is reportable to the Department of Health and Human Services' OCR under the requirements of the HIPAA Breach Notification Rule. Not all violations are reportable events (see this page for further information). To make that decision, a risk assessment must be carried out to determine whether a formal breach notification is necessary.
The HIPAA Breach Notification Rule requires covered entities (as well as their business associates) to report HIPAA breaches to OCR, and there is a precise timetable for doing so. All breaches affecting over 500 people should be reported as soon as possible, and definitely no later than 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 people can be reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered. Nevertheless, breach notifications must be sent to affected patients within 60 days, irrespective of how many people have been affected by the breach.
When Must HIPAA Breaches Be Reported to OCR?
Although all HIPAA breaches must be reported internally, a complaint can be made to OCR about a HIPAA breach or possible HIPAA breach. Note that OCR will only carry out an investigation if the complainant is named. OCR does not investigate anonymous complaints.