HIPAA Breach Notification Policy

Transcription

1 HIPAA Breach Notification Policy Purpose: To ensure compliance with applicable laws and regulations governing the privacy and security of protected health information, and to ensure that appropriate notice is given and corrective action is taken when a breach of the privacy and/or security of such information occurs. Scope: This policy applies to all personnel at the University of Missouri Medical and Dental Benefits Plan. Process: 1) Protected health information (PHI) is individually identifiable information concerning the health of an individual. This includes demographic and clinical information. For purposes of this policy, PHI will also include individually identifiable financial information of a beneficiary of the Plan. 2) All employees of the Plan are responsible for protecting the privacy and security of Protected Health information in their possession and will be held accountable for any unauthorized or improper use or disclosure of such information. 3) A breach is defined as any use or disclosure of PHI not required or permitted by applicable laws, without an authorization signed by the patient or the patient s legal representative, or an order of a court with jurisdiction. The following are some examples of breaches (this list is not exhaustive): Employees discussing patient information in any public area where those with no need to know the information can and do overhear. A copy (paper or electronic) of patient medical information is left in a public area. A computer is left unattended in an accessible area with medical information displayed. Failure to log off a computer terminal that contains patient information. Sharing or exposing a password. Improperly accessing, reviewing or releasing PHI of patients, including friends or relatives, or requesting another to do so. 1

2 Improperly accessing, reviewing or releasing PHI of a public personality for any reason unrelated to assigned job responsibilities. 4) All employees have an affirmative obligation to report any suspected breach of PHI. 5) All reports of suspected breaches must be made to one of the following: To the reporting individual s immediate supervisor. To the reporting individual s department head or manager. To the Plan Privacy Officer. 6) The individual to whom the report is made must immediately report a suspected breach to the Privacy Officer. 7) Upon receipt of a credible report of a suspected breach, the Privacy Officer shall immediately begin a detailed investigation, commensurate with the level of the suspected breach and the specific facts. This investigation may include, but is not limited to, interviewing the individual(s) accused of the breach, interviewing other individuals, including potential witnesses, and reviewing pertinent documentation and technical reports. The Privacy Officer may seek the advice and participation of the Office of the General Counsel at any time. 8) The Privacy Officer will determine the necessary steps to take to mitigate the breach. 9) Report of Breach: A report of the suspected breach shall be prepared by the Privacy Officer. This report shall contain at least the following information: A detailed summary of the suspected breach, including the date of the breach; The date of discovery of the breach; A description of the information allegedly disclosed or used improperly; Any steps taken to mitigate the breach shall be set forth in the report. The Report shall contain a Risk Assessment as set forth below. This Breach Report, together with all supporting documentation, shall be retained by the Plan for a period of six (6) years from the date of the determination. 2

3 10) Risk Assessment: All breaches of PHI are considered reportable breaches, unless, after conducting a Risk Assessment, the Privacy Officer has determined and can demonstrate that there is a low probability that the PHI has been compromised. The Risk Assessment shall include a consideration the following issues: a. To/by whom was the PHI improperly used, disclosed or accessed? Was the PHI actually acquired or viewed by an unauthorized person? b. What was the nature, type and amount of PHI that was improperly disclosed or accessed? What patient identifiers were in the PHI, and what is the likelihood of re identification? c. Were the efforts at mitigation successful or did such efforts reduce the risk of harm to the individual(s) affected? d. Were social security numbers, bank account information or credit card numbers disclosed? e. Did any of the disclosed information constitute highly sensitive information, such as information related to HIV, Aids, mental health or substance abuse/ treatment? f. Was this a targeted access to the PHI? 11) If the Privacy Officer determines that there is a low probability that the PHI has been compromised, this determination and the basis for the determination must be documented in the Breach Report. 12) Unless there is a determination that the breach poses a low probability that the PHI has been compromised, then the matter constitutes a reportable breach, and the following steps must be taken: a. Written notice shall be given to each individual whose PHI has been breached. Such notice shall be provided promptly and no later than sixty (60) days after the Plan discovers the breach. b. The written notice shall be sent by first class mail to the affected individual s last known mailing address. Notice may be sent electronically, but only if the affected individual has agreed to receive electronic notice and this agreement has not been revoked. c. The notice must be written in plain language and contain the following information: 3

4 i. A brief description of the incident, including the date of the breach and the date of discovery, if different; ii. A description of the types of PHI involved in the breach; iii. A description of the steps taken by the Plan to investigate and mitigate the breach, and to protect against future occurrences; iv. Any steps the affected individual should take to protect himself or herself from potential harm resulting from the breach; and v. Contact information for the affected individual to ask questions or learn additional information, to include a toll free phone number, an address, a website, or a postal address. d. Substitute notice must be given if the Plan does not have sufficient or current contact information for the affected individual. Substitute notice shall be reasonably calculated to reach the individual. If more than ten individuals are affected by the breach and substitute notice is required for such individuals, notice shall be in the form of either a conspicuous posting for ninety (90) days to the Plan s website home page or a conspicuous posting for ninety (90) days in major or broadcast media in the relevant geographic areas where the affected individuals are likely to be found, and include a toll free number that remains active for ninety (90) days which the affected individual can call to find out if his/her information was involved. e. Notice of the breach shall be given to the Department of Health and Human Services as follows: i. If the breach involved less than 500 individuals, the Plan shall maintain all documentation of the breach and shall notify HHS no later than sixty (60) days after the end of the calendar year in the manner set forth by HHS on its website. ii. If the breach involves 500 or more individuals, notice shall be required to be given to HHS immediately, and no later than sixty (60) days after discovery of the breach, in the manner set forth by HHS on its website. f. If the breach involves more than 500 residents of a state or jurisdiction, the Plan shall also notify prominent media outlets serving that state or jurisdiction, immediately and no later than sixty (60) days of discovery of the breach. This notice shall contain the same information as the notice to the affected individuals. 4

5 g. If a law enforcement official informs the Plan that notice to the affected individuals, HHS or the media would impede a criminal investigation or cause damage to national security, the Plan shall: i. If the statement is in writing and specifies a time for which the delay is required, delay the notification for the specified time; or ii. If the statement is oral, document the statement, including the identity and position of the official, and delay the notification for no longer than thirty (30) days from the date of the oral statement, unless during that thirty (30) day period, the official provides written statement requiring a different time period. 13) All documentation related to the provision of notice to affected individuals, HHS, media and any communication from law enforcement shall be retained, together with the Breach Report, for a period of six (6) years from the date notice was provided. 5