Question: If our clinic reports every small HIPAA breach throughout the year instead of waiting until the end of the year, will this trigger an audit?
Answer: Whether you report each small breach as it occurs or report them all at once at the end of the year, this should not make much of a difference in terms of triggering an audit, answers Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, VT.
For small breaches, you only need to report them to the U.S. Department of Health & Human Services (HHS) within 60 days of the end of the year, rather than as they happen, as with larger breaches, Sheldon-Dean explains. But certainly some people wonder whether reporting small breaches to HHS in a single batch at the end of the year (along with all the other small breaches from providers) is “less noticeable” than sending the breach notifications throughout the year.
Red flag: What HHS is really looking for — and what may trigger an audit — is whether your practice has similar small breaches that could indicate a systemic problem, Sheldon-Dean warns. HHS will “take a look at all the potential issues and then make decisions as to whether they need to do any kind of compliance investigation.”