Nonprofit Compliance

1.  Issue/Incident Reporting

Posted 6 days ago
Hello, Colleagues!  I am in need of your insight regarding what constitutes an issue or incident that is reportable to the compliance department.

  • What is the "trigger point" that necessitates that the issue or incident be reported?
  • What issues or incidents merit Board of Trustee attention?
  • Should the issues or incidents be compliance risk related in order to be reported?

Also, do you have any communication materials that you could share related to providing guidance to staff on what constitutes an issue or incident that is reportable to the compliance department?

Thank you!

Greg Dugas
Contracts Manager & Corporate Compliance Officer
CRISTA Ministries
Shoreline, WA

2.  RE: Issue/Incident Reporting

Posted 3 days ago
Edited by Carl Russell 2 days ago
If you have PHI where there was an impermissible acquisition, access, use, or disclosure, then it should be reported to your compliance department, even if it pertains to only a single individual. Then the compliance department can sort out whether or not there is a breach and what, if anything, needs to be done.

After saying that, I do realize that staff also become a little complacent about reporting when one of the breach exceptions applies, particularly when the impermissible is among fellow employees. This is a lost opportunity for training.

Carl Russell
Compliance Analyst
Delta Dental of Idaho

Anything I say is my sole opinion and not of my company.

3.  RE: Issue/Incident Reporting

Posted 2 days ago

We have over 500 employees. I prefer to determine what qualifies as an issue, incident or breach myself.  All staff are required to report the following to the Compliance Department immediately and in no less than 24 hours:

  • ALL break-ins and theft to the Compliance Dept immediately
  • Any lost or stolen electronic devices including personal devices
  • Any lost or stolen documents
  • Misdirected faxes and mail (open or unopened)
  • Monitors left unattended that show PHI (they've been instructed to lock the computer and report it to me)
  • Computers and monitors left on and unattended regardless of visible PHI
  • Documents left in copiers and printers that have PHI

This allows me to monitor areas of risk and trends so I know what to emphasise for our annual trainings.

Also, if there is a recurring problem at one site or in one department I can address it with them directly before it becomes a large incident.

This statement is included in the Breach Reporting Procedure that is posted in all departments.

A breach occurs when protected health information (PHI) is lost or sent to, overheard, seen, or stolen by someone who does not have authorization to see, hear, or possess the information.

If you think or know a breach occurred, you must contact the Compliance Dept. immediately.

Company Property

Whether items were stolen or not, you must contact Compliance Dept immediately after any break-in at a clinic, office, mobile unit, or company vehicle.

Personal Property

If someone has stolen or broken into your personal vehicle and PHI or Company property was in the vehicle, you must contact the Compliance Dept. immediately.

I hope this helps.


Wendi Hodgen
Compliance Director/Privacy Officer
Gardner Family Health Network Inc
Gardner Family Care Corporation
Anything I say is my sole opinion and not of my company.

4.  RE: Issue/Incident Reporting

Posted 2 days ago

How many incidents do you triage each day (average, guess, etc)?  Just trying to get an idea.


◘ Jan - Organize Email Inbox and Folders ◘
-----------Frank Ruelas------------