


There is no one-size-fits-all HIPAA compliance violation reporting process because different organizations have different policies and procedures for reporting HIPAA violations, while the process for reporting violations to HHS' Office for Civil Rights varies according to the nature of the violation and who is making the report. There are many different types of HIPAA violations, but some are not as serious as others. For example, the failure to send periodic security reminders (an implementation specification of 45 CFR § 164.308) is a HIPAA violation, but it is unlikely to have as serious consequences as the theft of an unencrypted laptop containing the unsecured ePHI of twenty thousand patients.

Consequently, a single Covered Entity or Business Associate may have several HIPAA violation reporting processes depending on the nature and potential severity of the event. When a HIPAA violation is identified by a member of a Covered Entity's or Business Associate's workforce, the reporting process is determined by the organization's HIPAA policies and procedures. Similarly, the HHS' Office for Civil Rights – the HIPAA enforcement agency – has three reporting processes through which organizations, members of the workforce, and patients can report a HIPAA violation.
