You've got questions. We've got answers!
HIM-HIPAA Insider, June 23, 2014
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.
Q: The hospital where I work entered into a business associate agreement (BAA) that requires the business associate (BA) to notify us of a potential breach no more than 60 days after it is discovered. This BA tried to tell us that we must notify our patients of a breach within 60 days from the time the BA notifies us. However, I always thought the clock started ticking for us the moment a breach is discovered. For example, if a BA notifies us of a breach 45 days after it was discovered then we have 15 days to perform a risk analysis and notify patients. Please explain the correct interpretation of the rule.
A: The outer limit is 60 days. A hospital must notify patients of a breach as soon as possible, and most certainly should not wait 60 days. This is also true for BAs. Put your energy into documenting that you notified patients as soon as you conducted your risk assessment.
If a BA cannot explain a 45-day delay, be sure to express your concerns about the delay in writing. Apart from compliance, delay in notification—even if legal—contributes significantly to public relations concerns that can accompany a breach; patients may rightly wonder why you took so long to notify them.
Editor’s note: Chris Simons, MS, RHIA, director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing newsletter.
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Related Products
Most Popular
- Articles
-
- Math can be tricky: TJC corrects ABHR storage requirement
- Air control equals infection control
- Don't forget the three checks in medication administration
- Note similarities and differences between HCPCS, CPT® codes
- Five ways to safeguard your patients' valuables
- The consequences of an incomplete medical record
- Q&A: Primary, principal, and secondary diagnoses
- OB services: Coding inside and outside of the package
- Skills of effective case managers
- Practice the six rights of medication administration
- E-mailed
-
- Air control equals infection control
- OSHA HazCom updates include labeling, SDS requirements
- Plan of Care Supports Documentation of Homebound Status
- Note similarities and differences between HCPCS, CPT® codes
- Note from the instructor: CMS clarifies billing guidelines on proper billing for drugs in a single-dose or single-use vial, including billing for discarded drugs
- Neurological checks for head injuries
- Modifiers and medical necessity
- Follow these tips to properly report bladder catheter codes
- Five ways to safeguard your patients' valuables
- Differentiate between types of wound debridement
- Searched