HIPAA

  • 1.  Business Associate Reporting

    Posted 15 days ago
    I have been updating our internal procedures and have been trying to find out specific information as to the obligations of reporting/notifying and follow-up when a breach has occurred on the part of the Business Associate (BA).
    • Is it the BA's responsibility to report and notify when a breach has occurred?
      • or is that something that is discussed between the CE and BA and could go either way?
    • When a BA has notified you of a breach they discovered and are investigating, is it required that they follow up and tell you not only when their investigation turns up a reportable/notifiable breach but also when their investigation turns up a low-level breach that does not need to be reported/notified of?
    I appreciate any insights you may have.  Thanks!


    ------------------------------
    Jennifer Phoenix
    Privacy Specialist
    Olmsted Medical Center
    Rochester, MN
    ------------------------------


  • 2.  RE: Business Associate Reporting

    Posted 15 days ago
    Jennifer...here's my feedback.  Let me know if any of it was helpful and certainly let's see what others have to share.

    • Is it the BA's responsibility to report and notify when a breach has occurred?
      • or is that something that is discussed between the CE and BA and could go either way?
    As stated in the regs (lines 2000 - 2001 of the Frank Version of the HIPAA regs v4)...the BA shall report a breach when discovered. 164.410(a)(1).  In addition, it is required in the BAA or BAC that the BA will report to the CE.  Oftentimes the reporting timeline is a point of negotiation...BUT...by regulation...it clearly states "without unreasonable delay and in no case later than 60 calendar days after discovery" (lines 2010 - 2013).

    • When a BA has notified you of a breach they discovered and are investigating, is it required that they follow up and tell you not only when their investigation turns up a reportable/notifiable breach but also when their investigation turns up a low-level breach that does not need to be reported/notified of?
    On this question...what do you mean a "low level" breach?  I think this may be causing confusion.  All breaches of unsecured PHI require reporting/notification.  So referring to something as a "low level" breach could be very confusing so any clarification is helpful.  However...there is a requirement that many people overlook which I think is somewhat related to your question...which is related and speaks to non-breach types of incidents.

    See the following section, which is also required to be in the BAA or BAC...but people often only refer to breaches...and leave out an important component...as follows: (lines 1792 - 1794)

    So as not to confuse anyone...the numbers within asterisks are internal notations that point to the line number where the referenced section/citation can be found.

    OK...that's what I have.  There's certainly more that can be shared...but I think this hits the high points and also opens the door for others to share.


    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    • Study Group Sign up Form •
    https://forms.gle/WqzNp5WfaNGeyACh7
    • OIG CPG Part 7 Sign Up Form •
    https://forms.gle/kdjoXzjtaJ3eh7Ck7
    ► We don't fail unless we quit! ◄
    ------------------------------



  • 3.  RE: Business Associate Reporting

    Posted 15 days ago
    Thanks for your response Frank, that was helpful.

    I am showing my newness to this position, so I appreciate you pointing out my need to clarify the low-level breach verbiage I used.
    What I meant was because every incident is viewed as a breach until found not to be upon risk assessment completion, does the BA have an obligation to follow up with us as a covered entity if their risk assessment finds a low-level risk of PHI compromise?

    ------------------------------
    Jennifer Phoenix
    Privacy
    Olmsted Medical Center
    Rochester, MN
    ------------------------------



  • 4.  RE: Business Associate Reporting

    Posted 14 days ago
    Keep in mind that if a CE...and this happens a lot and is written in many BAAs...only requires the BA to notify the CE when a breach occurs as determined by the BA...this creates a number of issues.  A few include:
    1. This is inconsistent with the required reporting identified in the regs
    2. This is inconsistent with what is required to be contained within a BAA or BAC
    3. This puts the CE at risk for potential breaches and not completing the required notifications as a function of the BA's risk assessment
    So as I mentioned...is this happening...oh yes.  This is why it is important to make sure that one recognizes what is required by the regs...but just as importantly to understand why the regs require what they do.  In other words...as I remind those I work with who are prepping for the exams: knowing the regs is important...but also understanding the "why" and the "how" of the regs can help put them into action in an effective way.

    Hope this helps!

    Posted: 6:30 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    • Study Group Sign up Form •
    https://forms.gle/WqzNp5WfaNGeyACh7
    • OIG CPG Part 7 Sign Up Form •
    https://forms.gle/kdjoXzjtaJ3eh7Ck7
    ► We don't fail unless we quit! ◄
    ------------------------------
