HIPAA Q&A: Reporting breaches to OCR

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: If a business associate (BA) commits a breach, should it notify OCR or should the covered entity (CE) do so?

A: CEs are responsible for reporting breaches to OCR. You can delegate the reporting, but you must do so in writing. If your BA fails to report the breach, OCR will call you and not the BA because it’s your regulatory responsibility. Also, the Breach Notification Rule requires BAs to report all breaches of unsecured PHI to CEs. CEs are responsible for completing a four-factor risk assessment to determine what must be reported. This also may be delegated, but it remains CEs’ regulatory obligation.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.