The following terms are used in this procedure.
Term | Definition
Protected Health Information (PHI) | Health information that identifies an individual (e.g., a medical diagnosis together with a name). Note: Health information by itself, without any of the 18 identifiers, is not considered PHI.
HIPAA |
PHI Identifier | Data that identifies an individual, or information that can be used to identify the individual to whom the health information relates. The 18 defined health identifiers are:
Breach |
This document defines the notification process to be followed if an oral, written, or electronic breach of PHI occurs at the Research Foundation (RF) central office or at a campus.
The RF Compliance Office, in coordination with Information Security, conducts a risk assessment. Its purpose is to determine whether the breach resulted in “significant risk of financial, reputational, or other harm to the individual.” Risk assessment factors include identification of:
Step | Responsible Party | Action
1 | Persons who identify a possible breach of PHI | Notify the following, depending on location:
2 | Management | Minimize the further release of information by taking the following precautionary measures:
3 | The OM or VP | Notifies one of the following personnel:
4 | Campus |
5 | Central office Information Security personnel | Notifies the following personnel that a suspected breach has occurred, and works with appropriate technical and other personnel to determine whether a true breach occurred (see Breach Assessment above).
6 | Central office Administration and Human Resources | Performs the following:
7 | Central office General Counsel | Performs the following:
8 | Central office Information Security personnel | Communicates status information to the OM or VP as appropriate.
9 | Central office Corporate Communications | Performs the following:
If a breach occurs, the notification requirements are:
The... | Is/are notified... | By... | If...
Affected individual(s) | As soon as possible, but no later than 60 calendar days from discovery of the breach | Written notice by first-class mail to the individual (or to next of kin if the individual is deceased)*; e-mail if the individual has specified this in advance | Information was available to unauthorized individuals, resulting in “significant risk of financial, reputational, or other harm to the individual.”
The United States Department of Health and Human Services (DHHS) Secretary | Annually | Submitted log | Fewer than 500 individuals are affected; the log is submitted no later than 60 calendar days after calendar year end
The United States Department of Health and Human Services (DHHS) Secretary | Concurrent with the notification to the affected individuals | Letter | 500 or more individuals are affected; notification is made no more than 60 calendar days after the breach is discovered
Prominent media outlet serving NYS or the affected jurisdiction | As soon as possible, but no later than 60 calendar days from discovery of the breach | Corporate Communications | 500 or more individuals are affected; individual notification must still be made
* Note: If insufficient or outdated contact information exists, a substitute form of notice, such as a Web site posting, may be used.
The information that must be included in the notifications:
Under the provisions of the American Recovery and Reinvestment Act (H.R.1-46, Improved Privacy Provisions and Security Provisions, Sec. 13401), the RF is required to notify each individual when a breach of PHI makes information available to unauthorized individuals and results in “significant risk of financial, reputational, or other harm to the individual.”
Related resources for the breach notification team to complete the process or that provide other relevant information or instructions are located on the central office network at R:\HIPAA Breach Notification\ Supporting Documentation.
Resources
Confidentiality of Health Information Policy
Privacy and Security of Protected Health Information
Workforce Confidentiality Agreement
RF Confidential Information Policy
Date | Change History
January 19, 2010 | New Document
Effective Date: 22-December-2009
Responsible Party: Office of Information Services, Information Security
Contact Information: 518-434-7281
Document Type: Procedure
Version: 1.0
Copyright © 2010 The Research Foundation of State University of New York