[ Thursday, April 10, 2014 ]


Right Now: I'm listening to Kristen Rosati talk on "Anatomy of a Health Care Data Breach" at the UT's Health Law CLE seminar.  A couple of key points on hands-on dealing with a breach:

Look at your BAAs and make sure notice responsibility from BAs is clear, including whom to report to (the regular "notice" provision probably isn't right; you want them notifying the Privacy Officer).  Also, BA reporting time is subsumed into the CE's reporting, so it should definitely be shorter than 60 days (hopefully within time for the CE to meet the 30-day response for an affirmative defense).  BAs might want to keep a matrix of their reporting obligations under all of their different BAAs.

OCR reviews the 500+ breach reports daily, and regional offices confirm that the entity actually submitted the report.  If you get that call from OCR, you should already be working with your response team.  Even though OCR folks are nice, it is a formal investigation, so keep a record of your communications with OCR.

State AG penalties are capped at the old $25,000 level, not the new $1.5 million level.  Each individual and each day of violation count as separate violations (you get to $1.5 million quickly), and one act can violate more than one requirement.

On the flight down, I read HCCA's monthly magazine, and saw a Privacy Officer refer to "LoProCo" as shorthand for "low probability of compromise;" I will use that handle.


Jeff [12:16 PM]
