Office for Civil Rights (OCR) Self Reporting – Should you do it?

 

By Aris Medical Solutions

 

If you have a minor breach (under 500 records) you are required to self report this breach within 60 days after the end of the calendar year in which the disclosure occurred. If you report it, you run the risk of being investigated. So many times I hear organizations say… why would I “report” myself, that would be insane! If you do not report it and it is discovered at a later date, the fines will be increased and they will investigate heavily to determine if you have concealed any other breaches. So, the answer is YES; you should self report.

Understand that the different agencies like the Office for Civil RIghts (OCR) who enforces HIPAA, Federal Trade Commission (FTC), Department of Justice (DOJ), and Centers for Medicare and Medicaid (CMS) more than likely communicate with each other. If you are audited or investigated by one agency, they are looking at your organization as a whole and may report their findings to other agencies. In one scenario that we recently were made aware of the organization was expecting an investigation from the Office for Civil Rights and the Department of Justice showed up! These agencies can decide how and what to investigate based on the information they have received.

The best way to protect your organization is to make sure you have a complete and thorough risk analysis. This will uncover potential vulnerabilities and give you the opportunity to mitigate them BEFORE something happens. Next, make sure you have a risk management plan that dates/documents what you have implemented/corrected based on your risk analysis. Policies, procedures, and documentation are the foundation of all organizations. Your employees need clear and concise procedures so they understand what they need to do. This always insulates you from misunderstanding. Above all, it demonstrates your compliance efforts!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

Cyber Security – how to prepare!

September 18, 2017

Mobile Devices in Healthcare

November 14, 2017
©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC