TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2

Transcription

1 TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No Purpose/Background The purpose of this policy is to establish the protocol to be followed in the event of a Privacy Event within the CBI Environment. 2.0 Scope/Application This Policy only deals with Privacy Events that relate to the CBI Project. Therefore, if a Privacy Event occurs at an or a Third Party Service Provider that does not involve the CBI Project, this Policy does not apply. This Policy does not set out the details of the internal protocols/policies to be followed by s or other entities in their respective organizations following a Privacy Event. Please see the Glossary and Overview for further details on applicability. 3.0 Definitions Privacy Breach or Breach means an unauthorized collection, use, access, copying, modification, disclosure, retention or disposal of PHI. Any person can become aware of a Privacy Breach and the Breach may be deliberate or inadvertent, and may be a breach of privacy law, including PHIPA, contract and/or policy (examples: staff of the have accessed or used the PHI for a purpose other than for the CBI Project, or have disclosed PHI other than as permitted under the A or there has been inappropriate access of PHI by unauthorized users). Privacy Event or Event means either of a Privacy Incident or Privacy Breach. Privacy Incident or Incident means a situation, event or action resulting from the unauthorized use, access, copying, modification, disclosure, retention, disposal and/or collection of PHI to unauthorized persons. A privacy incident includes accidental disclosures such as misdirected s or faxes. The situations include a contravention of a policy, procedure, duty or contractual obligation. Incidents may (but do not necessarily) lead to a Privacy Breach. Any person can become aware of a Privacy Incident and the Incident may be deliberate or inadvertent. Please see Glossary and Overview for additional Definitions. 4.0 Policy The Parties recognize the sensitivity of PHI and the importance of maintaining Client and stakeholder trust in their protection of PHI, obligation to be in compliance with PHIPA. The Parties will use reasonable means to protect the PHI in their custody and control and to respond promptly, effectively and sensitively and in accordance with all applicable laws and requirements to any Privacy Event. All Parties and their Personnel shall cooperate to address Privacy Events and prevent their recurrence. 1 Version 1 Approved June 8, 2015

2 PHIPA requires that health information custodians notify their clients, as applicable at the first reasonable opportunity if their PHI is stolen, lost or accessed by unauthorized persons (s. 12 (2)).Each shall have its own internal policies and procedures to deal with Privacy Events. 5.0 Procedures/Protocols/Roles 5.1 Steps to address a Privacy Event There are five basic steps to address a Privacy Event: 1. Report 2. Contain 3. Investigate and Remediate 4. Communicate/Notify 5. Log and Retain Documents (1) Report Each Party is to immediately report a CBI related Privacy Event to its organization. The report is to include the person who became aware of the Privacy Event, a description of the Privacy Event, whether the Privacy Event appears to be inadvertent or intentional, and immediate steps taken, if any, to contain the Privacy Event. A template Form is set out in Appendix A to this Policy. Forms and Incident Update Reports should not contain any PHI or any other unnecessary personal information. If the Party is not the, the Party must report the Privacy Event at the first reasonable opportunity to the. If the Privacy Event is identified as a systemic issue involving the CBI Environment, the will inform the Lead Agency who will facilitate communication with the Privacy Sub- Group and CBI Working Group and may assist in the communication with s and other Parties as required. (2) Containment Containment is the first priority when a Privacy Event is suspected or reported. The containment phase of the Privacy Event includes investigating suspected a Privacy Event, preventing affected PHI from being further disclosed, accessed or used, preventing additional PHI from being affected, minimizing adverse impacts to the CBI Project and restoring normal operations as soon as possible. (3) Investigation and Remediation A Privacy Event will be contained and investigated by the Party where the Event occurred to identify the cause of the Privacy Event as well as the PHI, individuals/organizations and IT systems and hardware involved in the Privacy Event. The Party may involve other persons in the investigation, as it deems appropriate. Based on the findings of the investigation, the Party shall determine short-term and longterm remediation strategies to be documented in the Form and to set out possible recommendations to avoid recurrences of the Event. 2 Version 1 Approved June 8, 2015

3 (4) Communication and Notification After containment of the Privacy Event by the Party that committed such Event, the Party to which the Privacy Event relates (if any) shall be notified at the first reasonable opportunity. The Party s own internal incident management process shall be triggered when the Party is notified and all appropriate persons shall be informed of the Event in accordance with such incident management process. If required under PHIPA, each shall contact the Client to whom the Privacy Event relates, in accordance with PHIPA for notification of a Privacy Event. The only person that shall have contact with a Client regarding a Privacy Event shall be the who has collected the PHI. If the Party is not the, the Party where the Privacy Event occurred shall contact the to advise that the Privacy Event has been dealt with and to provide a report on how the Privacy Event was dealt with, and a summary of the reactions, if any to the Event, along with recommendations to prevent recurrences. A template Incident Update Report is set out in Appendix B. The shall provide regular updates or reports on any Privacy Events relevant to the CBI Project to the Lead Agency and the Privacy Sub-Group for review. The Lead Agency may facilitate communications between Parties as needed. (5) Logging and Document Retention The shall maintain a log of Privacy Events and the recommendations emanating from investigations of these Privacy Events. The log will be used to provide regular reports to the Privacy Sub-Group and the CBI Working Group. A template Log is set out in Appendix C to this Policy. All documentation related to identification, containment, investigation & remediation, communication and notification of Privacy Events shall be securely retained by the and the original creator of the documentation. Enforcement All Privacy Events related to the CBI Environment will be monitored and dealt with by the as per this Policy as well as the Audit and Access Log Review Policy. Privacy Sub-Group The Privacy Sub-Group will review reports of Access Audit Logs and Privacy Events within the CBI Environment on a regular basis, and if there is unauthorized access may recommend appropriate action to the CBI Working Group for decision. 3 Version 1 Approved June 8, 2015

4 5.2 PROCEDURES/ROLES If a Privacy Event is suspected or detected, the and Lead Agency may be contacted at: Lead Agency: Stephanie Carter Privacy Officer, Reconnect office mobile Privacy.officer@reconnect.on.ca : Claudio Rocca - Director, DATIS office ext mobile Claudio.Rocca@camh.ca Set out below is a list of the procedures to be followed for: A) Privacy Event at B) Privacy Event Discovered by C) Privacy Event at Third Party Service Providers, and D) Privacy Event at s. A. PRIVACY EVENT AT THE No Task/Step Owner Requirement 1. to confirm that there was a Privacy Event (e.g. PHI is sent outside the CBI Project, user Confirmation of Privacy Event account and password compromised) 2. to contain the Privacy Event (containment is Containment the first priority) 3. to investigate the Privacy Event and determine if other Parties are involved (e.g. ). If an is involved, then is to report to the Privacy Officer listed on the CBI Website at If communication is required with multiple s, the Lead Agency may facilitate this communication at the request of the. Telephone Notification followed by a written 4. If is involved, then Privacy Officer documents the incident and initiates internal processes to handle the Event, including notifying Client, if required 5. and to document and complete Incident Update Report regarding the Event resolution. Incident Update Reports are to be forwarded to the where they will be maintained according to the Data Retention and Destruction Policy 6. As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved. 7. to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. and to follow its own processes and comply with PHIPA Incident Update Report (Appendix B) Telephone notification followed by written Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months 4 Version 1 Approved June 8, 2015

5 B. PRIVACY EVENT DISCOVERED BY In its role as monitoring access to the CBI Environment through Access Audit Logs, the may uncover unauthorized access, use or disclosure of PHI by an or Third Party Service Provider. In that event, the protocol below is to be followed. No Task/Step Owner Requirement 1. to confirm that there was a Privacy Event (e.g. or Third Party Service Provider accessed Confirmation of Privacy Event PHI in an unauthorized manner) 2. to contain the Privacy Event (containment is Containment the first priority) 3. to contact the Third Party Service Provider or, as required, so that the Third Party Service Provider or will investigate the Event as set out in C or D below (as appropriate). If a Third Party Service Provider is involved, then is to contact the Privacy Officer as set out in the Third Party Service Agreement. If an is involved, then is to report to the Privacy Officer listed on the CBI Website at If communication is required with multiple s, the Lead Agency may facilitate this communication at the request of the. 4. Follow the actions required as per: C if the Event involves a Third Party Service Provider AND/OR D if the Event involves an or s Telephone Notification followed by a written 5 Version 1 Approved June 8, 2015

6 C. PRIVACY EVENT AT THIRD PARTY SERVICE PROVIDER No Task/Step Owner Requirement 1. Third Party Service Provider to confirm that there was a Privacy Event (e.g. unauthorized Personnel access PHI) Third Party Service Provider 2. Third Party Service Provider to immediately contain the Privacy Event and to alert that there has been an Event 3. Third Party Service Provider to investigate the Privacy Event and determine if other Parties are involved (e.g. ). If an is involved, then to contact Privacy Officer at the listed at the CBI Project website at 4. If is involved, then Privacy Officer documents the incident and initiates internal processes to handle the Event, including communicating with Client, if required Third Party Service Provider Third Party Service Provider, Telephone Notification, followed by written Telephone Notification, followed by written to follow its own processes and comply with PHIPA in communication about a Privacy Event Incident Update Report (Appendix B) 5. Third Party Service Provider to document and report to regarding the Event resolution Third Party Service Provider 6. to report to regarding the Event Resolution Incident Update Report (Appendix B) 7. As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved. 8. to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months D. PRIVACY EVENT AT No Task/Step Owner Requirement 1. to confirm that there was a Privacy Event (e.g. unauthorized Personnel at access PHI) 2. to immediately contain the Privacy Event (containment is the first priority) and to notify that there has been an Event 3. Privacy Officer documents the incident and initiates internal processes to handle the Event, including communicating with Client, if required 4. to document and report to regarding the Event resolution 5. As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved 6. to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. Telephone Notification followed by written to follow its own processes and comply with PHIPA in communication about a Privacy Event Incident Update Report (Appendix B) Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months 6 Version 1 Approved June 8, 2015

7 6.0 References PHIPA A, accessible at Revision History Policy No./Title 2- Privacy Incident and Breach Management Policy Revision Date (YYY-MM-DD) Level of Change (Minor/Major/N/A) Revision Comments Approved By/Date N/A N/A New Policy June 8, Status of Policy Policy No./Title 2. Privacy Incident and Breach Management Policy Author Lead Agency (Reconnect) on behalf of the Privacy, Security and Data Access Sub-Group Stakeholders (Centre for Addiction and Mental Health) Consulted Privacy Security and Data Access Sub-Group Toronto Central LHIN Recommended Privacy, Security and Data Access December 10, 2014 By/Date Sub-Group CBI Working Group December 12, 2014 CAMH April 21, 2015 Approved By/Date TC LHIN June 8, 2015 Revision Dates Related Policies/ Forms/Agreements Next Review Date Level of Audit and Access Log Review Policy Data Retention and Destruction Policy A Appendices A, B and C to this Policy Upon a significant change to the CBI Project or within five years of the approval of the Policy 9.0 Copyright Notice/Disclaimer Reconnect Mental Health Services on behalf of the Toronto Central LHIN Community Business Intelligence Project, June 8, All Rights Reserved. A printed copy of this Policy may not reflect the current electronic version on the Toronto Central LHIN Community Business Intelligence Project Website. The current electronic version is the official version. Change 7 Version 1 Approved June 8, 2015

8 Appendix A Template The form is to be completed by each Party involved in a CBI related Privacy Event to record the details of the Privacy Event, how it was managed, and short-term and long-term remediation strategies as well as possible recommendations to avoid recurrences of the Event. Upon completion, a copy of the Form should be forwarded to the for review and storage. TC LHIN Central Business Intelligence Project Fax No: 1. Contact Information To be completed by the individual submitting this report First Name Last Name Date (dd/mm/yyyy) Phone No. Organization Title / Position Address (street, city, province, postal code) 2. Incident Description Describe the incident below. Date of Incident (dd/mm/yyyy) Involves PHI? Reported By Description / Details 3. Incident Management Incident # Internal Reference # Date of Incident (dd/mm/yyyy) Assigned to Incident Receipt Date (dd/mm/yyyy) Containment Action Follow-up Action Most Responsible (Primary) Organization Follow-up Date (dd/mm/yyyy) Other Organizations (if any) Resolution Status Resolution Date (dd/mm/yyyy) Notes 8 Version 1 Approved June 8, 2015

9 Appendix B Incident Update Report Template The and/or the Party where the Privacy Event occurred shall provide a report to the on how the Event was dealt with using the Incident Update Report template. The update shall include a short description of how the Event has been dealt with, and a summary of the reactions, if any to the Event, along with recommendations to prevent recurrences. The will review and store the Incident Update Report. TC LHIN Central Business Intelligence Project Fax No: 1. Contact Information To be completed by the individual submitting this update First Name Last Name Date (dd/mm/yyyy) Phone No. Organization Title / Position 2. Incident Information Incident # Internal Reference # Client Contacted? Date of Contact Update Notes 9 Version 1 Approved June 8, 2015

10 Appendix C Toronto Central LHIN CBI Project Event Registry Template The shall maintain a log of Privacy Events and the recommendations emanating from investigations of Privacy Events. The log will be used to provide regular reports to the Privacy Sub-Group and the CBI Working Group. Incident # Reported By Incident Date (dd/mm/yyyy) Most Responsible Party Other Parties Involved PHI Involved? (Y/N) Actions Taken Action Dates (dd/mm/yyyy) Client notified? (Y/N) Incident Resolution Status Incident Resolution Dates (dd/mm/yyyy) 10 Version 1 Approved June 8, 2015