Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) finish their discussion about eCommerce guidelines and the next steps you can take.

Part 13 of a 13-part series.

CHRIS: There isn't a guarantee that there will be any consequence financially from this. But, generally speaking, whenever you're submitting one of these, you can see if you go back to the reporting... it's sort of putting something on the radar of the OCR. And that's sort of the whole point here. You need to self-report if you have an issue, because it's not going to be very easy or viable for them to go in and do all of this reporting themselves without having overall access to everyone's stuff. So you're required to report HIPAA violations on yourself.


CHRIS: My general recommendation, and you can again see this in their recommendation and encouragement, is make sure that you include what your HIPAA documentation is around what you did to prevent it, what you thought the risks were, how you proactively worked to address those. You also want to document what you're doing to address the breach and what your understanding is about the breach, and then how you're going about reconciling it quickly. 

If you do those things, you can at least minimize the damage and reduce the damage so that it doesn't reoccur. And if there was a potential HIPAA breach, was it possible for folks to actually use that data? If not, that really makes it a lot better of a situation if folks couldn't actually use the data or if it was de-identified properly. 
 
RON: So really the only difference between whether it affects 500 or more, or fewer than 500, is the time in which you must report. So on this one, it's no later than 60 calendar days from the discovery. And if it's less than that, it's within 60 days of the end of the calendar year in which it was discovered.

It does talk about, though, you can report if there's multiple breaches. Let's say you're working with a vendor and you accidentally give them access to a couple of different test records and didn't realize it was real patient data while they were working on something. You don't have to report those individually. You can pool them together.


RON: It says you can report multiple breaches, all its HIPAA breaches affecting fewer than five on one date. But you must complete a separate notice for each breach incident. So you would have to go in within 60 days of the end of that year and list out every single time that a breach potentially occurred. So it's probably better to just stay ahead of it. 
 
Each time there's a breach, no matter the size, just get them what's fresh in your mind. Make sure you’re documenting it. Make sure you submit the notification and the number of records and then make a change to help prevent that.  

Anything else you want to cover on the breach notification before we tie off today's webinar? 
 
CHRIS: No, I think that's really good. And ultimately, like you said, Ron, we want to encourage folks to work with a specialist in this area. Depending on the scope and the nature of your projects that have HIPAA data security, work with specialists that can own and help you with different aspects of your HIPAA and your compliance with HIPAA, as well as dealing with changes and adjustments that you're making.  

Just create a culture within your organization, and that of any vendors you work with, that they are encouraged to comply with HIPAA. And there's just a theme of being in compliance overall and understanding that it is a cultural thing within your organization and within your vendor relationships to actually collaborate and focus on HIPAA and HIPAA compliant websites as a long-term thing. It's not just a quick fix. It's not a one-time thing. It's an ongoing effort and it's very serious and critical. 
 
We hope that helps. We're always open to the opportunity to provide a complimentary discovery and review with you. And with that said, we appreciate you taking a look at this video. We hope it is really helpful. If it was, if you would be so HIPAA as to smash the Like button. I don't know if that's even slightly funny, but thank you for smashing the button and subscribing. We look forward to seeing you in the next video.
 
RON: All right. Thanks, everyone. Bye, Chris. Bye for now.
 
CHRIS: Thanks. Bye for now.