Nonprofit Compliance

Issue/Incident Reporting

  • 1.  Issue/Incident Reporting

    Posted 01-12-2018 05:51 PM
    Hello, Colleagues!  I am in need of your insight regarding what constitutes an issue or incident that is reportable to the compliance department.

    • What is the "trigger point" that necessitates that the issue or incident be reported?
    • What issues or incidents merit Board of Trustee attention?
    • Should the issues or incidents be compliance risk related in order to be reported?

    Also, do you have any communication materials that you could share related to providing guidance to staff on what constitutes an issue or incident that is reportable to the compliance department?

    Thank you!

    Greg Dugas
    Contracts Manager & Corporate Compliance Officer
    CRISTA Ministries
    Shoreline, WA

  • 2.  RE: Issue/Incident Reporting

    Posted 01-15-2018 09:54 AM
    Edited by Carl Russell 01-17-2018 12:35 PM
    If you have PHI where there was an impermissible acquisition, access, use, or disclosure, then it should be reported to your compliance department, even if it pertains to only a single individual. Then the compliance department can sort out whether or not there is a breach and what if anything needs to be done.

    After saying that, I do realize that staff also become a little complacent about reporting when one of the breach exceptions applies, particularly when the impermissible is among fellow employees. This is a lost opportunity for training.

    Carl Russell
    Compliance Analyst
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.

  • 3.  RE: Issue/Incident Reporting

    Posted 01-16-2018 05:56 PM

    We have over 500 employees. I prefer to determine what qualifies as an issue, incident or breach myself.  All staff are required to report the following to the Compliance Department immediately and in no less than 24 hours:

    • ALL break-ins and theft to the Compliance Dept immediately
    • Any lost or stolen electronic devices including personal devices
    • Any lost or stolen documents
    • Misdirected faxes and mail (open or unopened)
    • Monitors left unattended that show PHI (they've been instructed to lock the computer and report it to me)
    • Computers and monitors left on and unattended regardless of visible PHI
    • Documents left in copiers and printers that have PHI

    This allows me to monitor areas of risk and trends so I know what to emphasise for our annual trainings.

    Also, if there is a recurring problem at one site or in one department I can address it with them directly before it becomes a large incident.

    This statement is included in the Breach Reporting Procedure that is posted in all departments.

    A breach occurs when protected health information (PHI) is lost or sent to, overheard, seen, or stolen by someone who does not have authorization to see, hear, or possess the information.

    If you think or know a breach occurred you must contact the Compliance Dept. immediately.

    Company Property

    Whether items were stolen or not, you must contact Compliance Dept immediately after any break-in at a clinic, office, mobile unit, or company vehicle.

    Personal Property

    If someone has stolen or broken into your personal vehicle and PHI or Company property was in the vehicle, you must contact the Compliance Dept. immediately.

    I hope this helps.


    Wendi Hodgen
    Compliance Director/Privacy Officer
    Gardner Family Health Network Inc
    Gardner Family Care Corporation
    Anything I say is my sole opinion and not of my company.

  • 4.  RE: Issue/Incident Reporting

    Posted 01-16-2018 08:45 PM

    How many incidents do you triage each day (average, guess, etc)?  Just trying to get an idea.


    ◘ Jan - Organize Email Inbox and Folders ◘
    -----------Frank Ruelas------------