HIPAA Q&A: Internal risk assessments
HIPAA Weekly Advisor, August 30, 2010
Q. Our managed care organization’s HIPAA department investigates privacy and security breaches. Is it a conflict of interest for us to conduct our own risk assessments for these potential breaches?
A. Conducting your own risk assessment for potential breaches is acceptable—possibly even preferable. If staff members who investigate breaches are doing the risk assessment, they can probably do a more thorough job than an external auditor because they know where the organization’s risks are based on any prior breaches you may have experienced.
Further, the interim final rule on breach notification, published August 24, 2009, in the Federal Register, allows entities to conduct their own assessment of potential breaches to determine the level of harm.
Editor’s note: Mary D. Brandt, president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations.