Notification for Breach of Privacy of Protected Health Information

Definitions

The following terms are used in this procedure.

Term

Definition

Protected Health Information (PHI)

Health information that identifies an individual, i.e. health information combined with one or more of the identifiers listed below (e.g. a medical diagnosis together with a name).

Note: Health information by itself, without any of the 18 identifiers, is not considered to be PHI.

HIPAA

Health Insurance Portability and Accountability Act of 1996

PHI Identifier

Data that identifies an individual, or that can be used to identify the individual to whom the health information relates.

The 18 defined health identifiers are:

  1. Name
  2. Address (street, city, county, precinct, zip code, geographical code)
  3. Telephone number
  4. Fax number
  5. Social Security number
  6. Medical record number
  7. Dates (except for just year) related to an individual, including birth date, admission date, discharge date, date of death
  8. E-mail addresses
  9. Health plan beneficiary numbers
  10. Account numbers (e.g. credit card numbers, bank account numbers)
  11. Certificate/license numbers (e.g. driver’s license number, passport number)
  12. Vehicle identifiers and serial numbers (e.g., VIN, license plate numbers)
  13. Medical device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers (e.g. finger or voice prints)
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Breach

An unauthorized acquisition, access, use or disclosure of protected health information (PHI) by oral, written, or electronic means.

Process

This document defines the notification process to follow if an oral, written, or electronic breach of PHI occurs at the Research Foundation (RF) central office or at a campus.

Breach Assessment

The RF Compliance Office, in coordination with Information Security staff, conducts a risk assessment. Its purpose is to determine whether the breach resulted in a “significant risk of financial, reputational, or other harm to the individual.” The risk assessment identifies:

  1. The type of PHI disclosed
  2. Whether or not the disclosed PHI was encrypted (and, if it was, whether the decryption key was also exposed; encrypted data whose key is compromised offers no protection)
  3. Whether or not the disclosed PHI was used in a harmful way
  4. The recipient of the disclosed PHI

Process Steps

Each step below lists the responsible party and the action to take.

Step 1

Responsible party: Any person who identifies a possible breach of PHI.

Action: Notify the following, depending on location:

Campus: the campus operations manager (OM).

Central office: the respective RF department vice president (VP).

Step 2

Responsible party: Management.

Action: Minimize further release of the information by taking the following precautions:

  • Where possible, contain the suspected breach immediately.
  • Do not forward or include the suspected breached PHI in e-mail.
  • Inform only the staff who need to know as part of their job duties.

Step 3

Responsible party: The OM or VP.

Action: Notifies one of the following personnel:

Corporate Information Security Manager, (518) 434-7281

Corporate Information Security Analyst, (518) 434-7281

Corporate Information Security Officer, (518) 434-7281

Step 4

Responsible party: Campus.

Action:

  • The campus determines whether the investigation of a suspected breach will be handled by the central office or by campus representatives. Campus internal procedures must comply with the HIPAA regulations. The campus informs its Information Security contact of the decision.
  • If a breach has occurred, the OM or designee participates on the breach notification team.

Step 5

Responsible party: Central office Information Security personnel.

Action: Notify the following personnel that a suspected breach has occurred:

Office of Administration and Human Resources, (518) 434-7080

Office of General Counsel, (518) 434-7045

Work with the appropriate technical and other personnel to determine whether a true breach occurred (see Breach Assessment above).

  • If no breach occurred, document the incident.
  • If the analysis indicates a breach, go to step 6.
  • If a breach has occurred, a security team member participates on the breach notification team.

Step 6

Responsible party: Central office Administration and Human Resources.

Action:

  • Approves the breach notification process in consultation with the Privacy Officer, (518) 434-7080.
  • If the breach affects 500 or more individuals, notifies the DHHS Secretary.
  • If the breach affects fewer than 500 individuals, enters it in the breach log, which is submitted to the DHHS Secretary annually.
  • If a breach has occurred, the Privacy Officer and/or designee participate on the breach notification team.
  • Maintains the internal log and other breach documentation for six years.

The Privacy Officer communicates with the following personnel as required:

President's Office, (518) 443-5362

Office of Internal Audit, (518) 434-7125

Office of Corporate Communications, (518) 434-7010

Step 7

Responsible party: Central office General Counsel.

Action:

  • Provides legal guidance to the breach notification team and coordinates law enforcement involvement when necessary.
  • If a breach has occurred, a legal team member participates on the breach notification team.

Step 8

Responsible party: Central office Information Security personnel.

Action: Communicates status information to the OM or VP as appropriate.

Step 9

Responsible party: Central office Corporate Communications.

Action:

  • Develops the notification message to the affected individuals in consultation with the following:

    President’s Office, (518) 443-5362

    Office of Administration and Human Resources, (518) 434-7080

    Office of General Counsel, (518) 434-7045

  • Determines which office sends the notification and coordinates media notification if required.
  • If a breach has occurred, the VP of Corporate Communications and/or designee participate on the breach notification team.

Notification Requirements

If a breach occurs, the notification requirements are as follows. Each entry gives who is notified, when, by what means, and under what condition.

Affected individual(s)

When: As soon as possible, but no later than 60 calendar days from discovery of the breach.

By: Written notice by first class mail to the individual (or to next of kin if deceased*), or electronic mail if specified in advance by the individual.

If: Information was available to unauthorized individuals in a way that results in “significant risk of financial, reputational, or other harm to the individual.”

The United States Department of Health and Human Services (DHHS) Secretary

When: Annually, no later than 60 calendar days after calendar year end.

By: Submitted breach log.

If: Fewer than 500 individuals are impacted.

The United States Department of Health and Human Services (DHHS) Secretary

When: Concurrent with the notification to the affected individuals, no more than 60 calendar days after the breach is discovered.

By: Letter.

If: 500 or more individuals are impacted.

Prominent media outlet serving NYS or the relevant jurisdiction

When: As soon as possible, but no later than 60 calendar days from discovery of the breach.

By: Corporate Communications.

If: 500 or more individuals are impacted; individual notification must still be made.

Note: If insufficient or outdated contact information exists, a substitute form of notice may be used such as a Web site posting.

Notification Components

The required information included in the notifications:

Basis for Process

Under the provisions of the American Recovery and Reinvestment Act (H.R.1-46, Improved Privacy Provisions and Security Provisions, Sec. 13401; Title XIII of the Act is the HITECH Act), the RF is required to notify each individual when a breach of PHI makes information available to unauthorized individuals in a way that results in “significant risk of financial, reputational, or other harm to the individual.”

Related Resources

Related resources for the breach notification team to complete the process or that provide other relevant information or instructions are located on the central office network at R:\HIPAA Breach Notification\ Supporting Documentation.

Resources

  • Policy on Disciplinary Action Regarding a Breach of Confidentiality of Protected Health Information (PHI)
  • Confidentiality of Health Information Policy
  • Privacy and Security of Protected Health Information
  • Workforce Confidentiality Agreement
  • RF Confidential Information Policy

Change History

January 19, 2010: New document

Effective Date: 22-December-2009
Responsible Party: Office of Information Services, Information Security
Contact Information: 518-434-7281

Document Type: Procedure

Version: 1.0

Copyright © 2010 The Research Foundation of State University of New York

Feedback
Was this document clear and easy to follow? Please send your feedback to webfeedback@rfsuny.org.

Copyright © 2011 The Research Foundation of State University of New York