If you have a minor breach (under 500 records), you are required to self-report it within 60 days after the end of the calendar year in which the disclosure occurred. If you report it, you run the risk of being investigated. So many times I hear organizations say: why would I "report" myself? That would be insane! But if you do not report it and it is discovered at a later date, the fines will be increased, and the investigators will look closely at whether you have concealed any other breaches. So the answer is YES: you should self-report.
Understand that the different agencies, such as the Office for Civil Rights (OCR), which enforces HIPAA, the Federal Trade Commission (FTC), the Department of Justice (DOJ), and the Centers for Medicare and Medicaid (CMS), more than likely communicate with each other. If you are audited or investigated by one agency, they are looking at your organization as a whole and may report their findings to other agencies. In one scenario that we recently were made aware of, the organization was expecting an investigation from the Office for Civil Rights, and the Department of Justice showed up instead! These agencies can decide how and what to investigate based on the information they have received.
The best way to protect your organization is to make sure you have a complete and thorough risk analysis. This will uncover potential vulnerabilities and give you the opportunity to mitigate them BEFORE something happens. Next, make sure you have a risk management plan that dates and documents what you have implemented or corrected based on your risk analysis. Policies, procedures, and documentation are the foundation of all organizations. Your employees need clear and concise procedures so they understand what they need to do; this insulates you from misunderstanding. Above all, it demonstrates your compliance efforts!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on longstanding and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
Any health program or activity, any part of which receives funding from HHS;
Any health program or activity that HHS itself administers; and
Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
Section 1557 has been in effect since its enactment in 2010 and the HHS Office for Civil Rights has been enforcing the provision since it was enacted.
This provision goes much further than most practices are aware of, including the fact that this rule became effective July 18, 2016.
Take steps to ensure 1557 has been addressed:
Assign a Civil Rights Coordinator;
Revise your policies and procedures;
Incorporate a general assessment evaluation;
Review the patient intake process;
Track all requests for auxiliary aids and services;
Monitor performance of interpreter services to ensure effective communication;
Review your complaint process;
Post a Notice of Nondiscrimination;
Post a Nondiscrimination Statement; and
Conduct mandatory training for all staff.
Title II of the Americans with Disabilities Act of 1990 (Title II), Section 504 of the Rehabilitation Act of 1973 (Section 504), and Section 1557 of the Affordable Care Act of 2010 (Section 1557) require an entity to take steps to ensure that communication with individuals with disabilities is as effective as communication with others, through the use of appropriate auxiliary aids and services. This includes people with disabilities as well as people with language barriers.
OCR has modified the notice requirement in § 92.8 to exclude publications and significant communications that are small in size from the requirement to post all of the content specified in § 92.8; instead, covered entities will be required to post only a shorter nondiscrimination statement in such communications and publications, along with a limited number of taglines. OCR is also translating a sample nondiscrimination statement that covered entities may use in fulfilling this obligation.
In addition, with respect to the obligation in § 92.8 to post taglines in at least the top 15 languages spoken nationally by persons with limited English proficiency, OCR has replaced the national threshold with a threshold requiring taglines in at least the top 15 languages spoken by limited English proficient populations statewide.