Oct 28

Q&A: Notification of compliance breach


 Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

 A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.
 
A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html
 
Chris Apgar, CISSP, answered this question in the October 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.
Categories : Compliance Monitor
