Breach Notification

Name:  Breach Notification Policy

Document Type:   Policy    Procedure    X Standard     X Training/Work Instructions

Standard: To outline the process for notifying affected individuals of a breach of information protected under the Privacy Act, of unsecured protected health information (PHI) for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or of information subject to state breach notification requirements.

Scope

This applies to all employees, volunteers, and other individuals working under contractual agreements with SHS.

A. Definitions

State Breach – Unauthorized acquisition or reasonable belief of unauthorized acquisition of Personal Information that compromises the security, confidentiality, or integrity of the Personal Information.
Personal Information – means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social Security number
  2. Driver’s license number or State identification card number
  3. Account number or credit or debit card number, or
  4. An account number or credit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records. (Source: 815 ILCS 530/5, Sec. 5, Definitions.)

HIPAA Breach – Unauthorized acquisition, access, use, or disclosure of unsecured PHI.

Personally Identifiable Information (PII) – Information in any form that consists of a combination of an individual’s name and one or more of the following: Social Security Number, driver’s license or state ID, account numbers, credit card numbers, debit card numbers, personal code, security code, password, personal ID number, photograph, fingerprint, or other information which could be used to identify an individual.

Individually Identifiable Health Information (IIHI) – PII which includes information related to the past, present or future condition, treatment, payment or provision of health care to the identified individual.

Privacy Act Breach – Unauthorized acquisition or reasonable belief of unauthorized acquisition of personal information protected by the Privacy Act. This information includes, but is not limited to Social Security Number, government issued ID numbers, financial account numbers or other information posing a risk of identity theft.

Private Information – Information protected by the Privacy Act, Personally Identifiable Information, Personal Information and Protected Health Information collectively.

Protected Health Information (PHI) – Individually identifiable health information except for education records covered by FERPA and employment records.

B. Procedure

  1. Reporting a Possible Breach
    1. Notify supervisor & HIPAA Officer: Any employee who becomes aware of a possible breach of privacy involving Private Information in the custody or control of SHS will immediately inform their supervisor/manager and the HIPAA Officer. Notification should occur immediately upon discovery of a possible breach, or before the end of your shift if other duties interfere; in no case, however, should notification occur later than twenty-four (24) hours after discovery. The supervisor/manager will verify the circumstances of the possible breach and inform the HIPAA Officer and the division Director within twenty-four (24) hours of the initial report.
    2. Notify HIPAA Officer – notification methods:
      1. An Unusual Occurrence Report will be completed and faxed to the Risk Manager at 618-985-6860.
      2. You may call the HIPAA Officer directly at 618-956-9506.
      3. Provide the HIPAA Officer with as much detail as possible.
      4. Be responsive to requests for additional information from the HIPAA Officer.
      5. Be aware that the HIPAA Officer has an obligation to follow up on any reasonable belief that Private Information has been compromised.
    3. The HIPAA Officer will notify the Executive Director as appropriate by taking into consideration the seriousness and scope of the breach.
  2. Containing the Breach
    The Privacy/Compliance Officer will work with department(s) to immediately contain the breach to limit the scope and effect of the breach. Examples include, but are not limited to:

    1. Stopping the unauthorized practice
    2. Recovering the records, if possible
    3. Shutting down the system that was breached
    4. Mitigating the breach, if possible
    5. Correcting weaknesses in security practices
    6. Notifying the appropriate authorities including the local Police Department if the breach involves, or may involve, any criminal activity
  3. Investigating and Evaluating the Risks Associated with the Breach
    1. To determine what other steps are immediately necessary, the HIPAA Officer, in collaboration with the affected department(s) and administration, will investigate the circumstances of the breach, determine root cause(s), evaluate risks, and develop a resolution plan. The HIPAA Officer may consult with the health center staff, Executive Director and legal counsel to develop a resolution plan. The risk evaluation considers:
      1. Nature and extent of PHI involved: consider the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. Consider how sensitive the information is (financial, clinical, direct identifiers).
      2. The unauthorized person who used the PHI or to whom the disclosure was made.
      3. Whether the PHI was actually acquired or viewed. Low-probability example: forensic analysis of a stolen laptop indicates no breach. High-probability example: an unauthorized recipient contacts the covered entity to report having received PHI in error and having intermittently viewed the PHI.
      4. The extent to which the risk to the PHI has been mitigated: Shawnee makes efforts to mitigate risk in the event of improper PHI transmittal, such as obtaining assurances that the recipient will destroy the PHI.
    2. Determine root cause(s), evaluate risk, and develop a resolution plan. The HIPAA Officer may consult with the health center staff, Executive Director and/or legal counsel to develop a resolution plan.
    3. The HIPAA Officer, in collaboration with the Executive Director, will consider several factors in determining whether to notify individuals affected by the breach including, but not limited to:
      1. Contractual obligations
      2. Legal obligations – SHS Legal Counsel should complete a separate legal assessment of the potential breach and provide the results of the assessment to the Privacy/Compliance Officer and the rest of the breach response team
      3. Risk of identity theft or fraud because of the type of information lost such as social security number, banking information, identification numbers
      4. Risk of physical harm if the loss puts an individual at risk of stalking or harassment
      5. Risk of hurt, humiliation, or damage to reputation when the information includes medical or disciplinary records
      6. Number of individuals affected
  4. Notification
    1. The HIPAA Officer will work with the Executive Director to decide the best approach for notification and to determine what may be required by law.
      1. Direct Notification: If required by law, notification of individuals affected by the breach will occur as soon as possible following the breach.
        Notices must be provided without unreasonable delay and in no case later than sixty (60) days after discovery of the breach, unless instructed otherwise by law enforcement or other applicable state or local laws. Notices must be in plain language and include basic information, including:

        1. What happened
        2. Types of PHI involved
        3. Steps individuals should take
        4. Steps the covered entity is taking
        5. Contact information

        Notices should be sent by first-class mail or, if the individual agrees, by electronic mail. If insufficient or out-of-date contact information is available, then a substitute notice through indirect notification is required as specified below.
      2. The required elements of notification vary depending on the type of breach and which law is implicated. As a result, the SHS HIPAA Officer and Executive Director should work closely to draft any notification that is distributed.
    2. Indirect notification (such as website information, posted notices, or media) will generally occur only where direct notification could cause further harm or contact information is lacking.
    3. Breach of 500 or more individuals: If a breach affects five-hundred (500) or more individuals, or contact information is insufficient, SHS will notify a prominent media outlet appropriate for the size of the area in which the affected individuals are located, and notice will be provided in the form of a press release.
    4. Consideration of multiple methods: In certain cases, using multiple methods of notification may be the most effective approach.
    5. Business associates must notify SHS if they incur or discover a breach of unsecured PHI. Business associates must cooperate with SHS in investigating and mitigating the breach.
    6. Notice to Health and Human Services (HHS) as required by HIPAA. If the HIPAA Officer determines that HIPAA notification is not required, this notice is also not required.
      1. Information regarding breaches involving five-hundred (500) or more individuals, regardless of location, must be submitted to HHS at the same time that notices to individuals are issued.
      2. If a breach involves fewer than five-hundred (500) individuals, SHS will be required to keep track of all breaches and to notify HHS within sixty (60) days after the end of the calendar year.
  5. Prevention
    1. Once immediate steps are taken to mitigate the risks associated with the breach, the HIPAA Officer will investigate the cause of the breach.
      1. If necessary, this will include a security audit of physical, organizational, and technological measures.
      2. This may also include a review of any mitigating steps taken.
    2. The HIPAA Officer will assist the responsible department to put into effect adequate safeguards against further breaches.
    3. Procedures will be reviewed and updated to reflect the lessons learned from the investigation and regularly thereafter.
    4. The resulting plan will also include audit recommendations, if appropriate.

Compliance and Enforcement: All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination in accordance with SHS’s Sanction Policy.

Document Information & Approvals:

Effective Date: 07-18-13 Approved By/Date: Leadership 07-18-13
Review Date:  

Revision History:

Date Revision No Reason for Change Sections Affected