Notification for Breach of Privacy of Protected Health Information

Definitions

The following terms are used in this procedure.

Term	Definition
Protected Health Information (PHI)	Health information that identifies an individual. (e.g. medical diagnosis and name) Note: Health information by itself without any of the 18 identifiers is not considered to be PHI.
HIPAA	Health Insurance Portability and Accountability Act of 1996
PHI Identifier	Data that identifies an individual or information that can be used to identify an individual related to that health information. The 18 defined health identifiers are: Name Address (street, city, county, precinct, zip code, geographical code) Telephone number Fax number Social Security number Medical record number Dates (except for just year) related to an individual, including birth date, admission date, discharge date, date of death E-mail addresses Health plan beneficiary numbers Account numbers (e.g. credit card numbers, bank account numbers) Certificate/license numbers (i.e. driver’s license number, passport number) Vehicle identifiers and serial numbers (e.g., VIN, license plate numbers) Medical device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers (e.g. finger or voice prints) Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code
Breach	An unauthorized acquisition, access, use or disclosure of protected health information/PHI via oral, written, or electronic means.

Process

This document defines the notification process followed if an oral, written, or electronic breach of PHI occurs at the Research Foundation (RF) central office or at a campus.”

Breach Assessment

The RF Compliance Office, in coordination with Information Security experts will coordinate a risk assessment. The purpose is to assess whether the breach resulted in “significant risk of financial, reputational, or other harm to the individual.” Risk assessment factors include identification of:

The type of PHI disclosed
Whether or not the disclosed PHI was encrypted
Whether or not the disclosed PHI was used in a harmful way
The recipient of the disclosed PHI

Process Steps

Step

Responsible Party

Action

Persons who identify possible breach of PHI.

Notify the following depending on location:

Campus	The campus operations manager (OM)
Central Office	His/her respective RF department vice president (VP)

Management

Minimize the further release of information by taking the following precautionary measures:

If possible, ensure the suspected breach is immediately remediated.
Do not include the suspected breached PHI data in email.
Inform only staff that is required to know as part of their job duties.

The OM or VP

Notifies one of the following personnel:

Corporate Information Security Manager	(518) 434-7281
Corporate Information Security Analyst	(518) 434-7281
Corporate Information Security Officer	(518) 434-7281

Campus

Campus will determine if the investigation of a suspected breach will be addressed by central office or by campus representatives. Campus internal procedures must be in accordance with the HIPAA regulation. Campus will inform Information Security contact of their decision.
If a breach has occurred, OM or designee will participate on breach notification team.

Central office Information Security personnel

Notify the following personnel that a suspected breach has occurred:

Office of Administration and Human Resources	(518) 434-7080
Office of General Counsel	(518) 434-7045

Works with appropriate technical and other personnel to analyze the situation for a true breach. (see Breach Assessment above)

If a breach has not occurred, document the incident.
If a breach is suspected after analysis, go to step 6.
If a breach has occurred, security team member participates on breach notification team.

Central office Administration and Human Resources

Performs the following:

Approves breach notification process in consultation with the following:

Privacy Officer

(518) 434-7080

Notifies the DHHS Secretary if breach impacts 500 or more individuals.
Enters breach in log if impacts less than 500 individuals and sends to DHHS Secretary annually.
If a breach has occurred, Privacy Officer and or designee participate on breach notification team.
Maintain internal log and other breach documentation for six years.
The privacy officer communicates to the following personnel as required:

President's Office

(518) 443-5362

Office of Internal Audit

(518) 434-7125

Office of Corporate Communications

(518) 434-7010

Central office General Counsel

Performs the following:

Provides legal guidance to breach notification team and coordinates law enforcement involvement when necessary on the situation.
If a breach has occurred, legal team member participates on breach notification team.

Central office Information Security personnel

Communicates status information to OM or VP as appropriate.

Central office Corporate Communications

Performs the following:

Develops a notification message to the affected individuals in consultation with the following:

President’s Office

(518) 443-5362

Office of Administration and Human Resources

(518) 434-7080

Office of General Counsel

(518) 434-7045

Determines which office sends the notification and coordinates media notification if required.

If a breach has occurred, VP of Corporate Communications and or designee participate on breach notification team.

Notification Requirements

If breach occurs, the notification requirements are:

The...	Is/Are notified...	By...	If...
Affected individual(s)	As soon as possible, but no later than 60 calendar days from discovery of the breach	written notice by first class mail to the individual or next of kin if deceased* electronic mail if specified in advance by the individual	Information was available to unauthorized individuals that results in “significant risk of financial, reputational, or other harm to the individual.”
The United States Department of Health and Human Services (DHHS) Secretary	Annually	submitted log	Fewer than 500 individuals are impacted no later than 60 calendar days after calendar year end
The United States Department of Health and Human Services (DHHS) Secretary	Concurrent with the notification to the affected individuals	via letter	500 or more individuals are impacted no more than 60 calendar days after breach is discovered
Prominent Media Outlet Servicing NYS or Jurisdiction	As soon as possible, but no later than 60 calendar days from discovery of the breach	Corporate Communications	500 or more individuals are impacted; individual notification must still be made

Note: If insufficient or outdated contact information exists, a substitute form of notice may be used such as a Web site posting.

Notification Components

The required information included in the notifications:

Description of what occurred
Date of the breach and discovery of the breach
Description of the specific PHI that was involved in the breach
Steps individuals should take to protect themselves
Description of employer remediation steps
Employer contact information which includes one or more of the following: toll free number, email address, Web site or postal address.

Basis for Process

Under the provisions of the American Recovery and Reinvestment Act (H.R.1-46 Improved Privacy provisions and Security Provision, Sec 13401), the RF is required to provide notification to each individual when an breach in PHI occurs that results in information being available to unauthorized individuals that results in “significant risk of financial, reputational, or other harm to the individual.”

Related Resources

Related resources for the breach notification team to complete the process or that provide other relevant information or instructions are located on the central office network at R:\HIPAA Breach Notification\ Supporting Documentation.

Resources

Policy on Disciplinary Action Regarding a Breach of Confidentiality of Protected Health Information (PHI)

Confidentiality of Health Information Policy

Privacy and Security of Protected Health Information

Workforce Confidentiality Agreement

RF Confidential Information Policy

Change History

Date	Change History
January 19, 2010	New Document

Effective Date: 22-December-2009
Responsible Party: Office of Information Services, Information Security
Contact Information: 518-434-7281

Document Type: Procedure

Version: 1.0

Feedback
Was this document clear and easy to follow? Please send your feedback to webfeedback@rfsuny.org.