Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011

Table of Contents

1 Purpose
2 Terminology
3 Identifying a Privacy Breach
4 Monitoring for Privacy Breaches
5 How to Report Privacy Breaches
6 How to Contain Privacy Breaches
7 How to Investigate Privacy Breaches
8 How to Notify Individuals of Privacy Breaches
9 How to Remediate Privacy Breaches
Appendix A: Breach Management Report Template

1 Purpose

The purpose of this Privacy Breach Management Procedure is to assist the hospitals in the Waterloo Wellington (WW) Local Health Integration Network (LHIN 3) and the Hamilton Niagara Haldimand Brant (HNHB) Local Health Integration Network (LHIN 4), Mohawk Shared Services (Mohawk), Regional Shared Services (RSS) and individuals functioning on their behalf in responding quickly and effectively to privacy breaches relating to the Mohawk Diagnostic Imaging Repository (DI-r). It does so by describing how organizations and individuals participating in the DI-r should identify, monitor, report, contain, investigate, notify and remediate privacy breaches that involve the DI-r data set (i.e. personal health information, including diagnostic images, reports, health numbers and patient identifying information).

This procedure governs the privacy breach management activities of Mohawk, RSS and health information custodians participating in the DI-r in relation to actual or suspected privacy breaches that may involve personal health information they collect, use or disclose via the Mohawk DI-r. The following diagram provides an overview of the breach management process.

Mohawk DI-r Privacy Breach Management Process Overview (swim-lane diagram, rendered as text)

Lead Custodian
1. Identification of a potential privacy breach through audit log monitoring, a staff or patient complaint, or other means (see Part 4).
2. Did an actual privacy breach occur? (see Part 3) If no, follow the internal incident management protocol. If yes, commence breach containment (see Part 6).
3. Did the breach involve personal health information accessed via the DI-r? If no, follow the internal incident management protocol. If yes, notify the Mohawk Privacy Lead of the breach.
4. Conduct the investigation (see Part 7) and develop the breach investigation report (see Appendix A).
5. Take any additional steps required to contain the breach.
6. Notify the individuals whose privacy was breached (see Part 8).
7. Submit the breach investigation report, including the remediation plan, to the Mohawk Privacy Lead.
8. Implement the remediation plan.

Mohawk
1. Notify RSS of the suspected breach.
2. Confirm again: did an actual privacy breach occur? (see Part 3) If no, follow up with the Privacy Officer that identified the potential breach. If yes, notify the affected custodians of the breach scope and identify the Lead Custodian (generally the Privacy Officer that identified the breach).
3. Share the breach investigation report with the other affected custodians and with RSS, where appropriate. Obtain sign-off from all affected custodians.
4. Share relevant information from the breach investigation report with the custodians participating in the DI-r.

RSS
1. Work with Mohawk to run the audit report and identify the affected custodians.
2. Provide the audit report information to the Mohawk Privacy Lead.
3. Did the breach involve custodians from LHINs 1 or 2? If yes, coordinate the breach response with Mohawk.

Other Affected Custodian(s)
1. Assist Mohawk and the Lead Custodian with the breach investigation, as required.
2. Review, revise and sign off on the breach investigation report.

2 Terminology

Lead Custodian: In order to prevent multiple parties from reporting a breach to affected individuals or organizations more than once, the parties involved in the breach will identify a single organization to lead the breach management activities, including containment, investigation, notification and resolution. Unless there is justification for an alternative approach, the lead organization will be the health information custodian that identified the breach or suspected breach.

Mohawk Shared Services (Mohawk): A not-for-profit organization that serves clients in the health care, public and volunteer sectors with business support solutions that standardize processes, increase efficiencies and contain costs. It operates four independent business streams that focus on supply chain services, central laundry, employee assistance services and a diagnostic imaging repository.

Regional Shared Service (RSS): A program of London Health Sciences Centre that provides direction and support for implementing a shared IT solution at sites throughout Southwestern Ontario. RSS is governed through a Memorandum of Understanding between participating organizations in LHINs 1 and 2. RSS provides the diagnostic imaging technical infrastructure and support services used by Mohawk in support of the Mohawk DI-r.

3 Identifying a Privacy Breach

A privacy breach occurs when a health information custodian, Mohawk or RSS, or individuals acting on their behalf:
- have contravened or are about to contravene a provision of the Personal Health Information Protection Act, 2004 (PHIPA) or the PHIPA Regulation;[1]
- believe or have reason to believe that personal health information involved with the Mohawk DI-r has been lost or stolen, or has been used, accessed, disclosed, copied, modified or destroyed in an unauthorized manner;[2]
- collect, use or disclose personal health information for purposes other than those described in their DI-r Service Agreement or Purchased Service Agreement;
- provide access to the Mohawk DI-r data set to an individual who is not qualified to access it; or
- contravene the applicable privacy provisions of the DI-r Service Agreement between hospitals participating in the DI-r and Mohawk, or of the Purchased Services Agreement between Mohawk Shared Services and Regional Shared Services.

[1] Information and Privacy Commissioner/Ontario. What to do When Faced with a Privacy Breach: Guidelines for the Health Sector.
[2] PHIPA, section 12(1).

4 Monitoring for Privacy Breaches

Each health information custodian (e.g. hospital) participating in the Mohawk DI-r must monitor its agents' activities to ensure that the DI-r data set is collected, used and disclosed within the terms and conditions of the DI-r Service Agreement and in compliance with PHIPA.

Mohawk, with the assistance of RSS, will undertake audits on behalf of health information custodians to identify any unauthorized accesses and will provide these reports to health information custodians on a regular basis for follow-up and review. In addition, health information custodians may request specific audit log reports by patient or by authorized DI-r user to assist them in conducting audits. For additional information on audit process and frequency, refer to the Mohawk DI-r Audit Procedure.

Monitoring activities that may be completed by Mohawk, with the assistance of RSS, include:
- reviewing the DI-r audit log reports on a regular basis to confirm that accesses were appropriate and to identify unusual or unauthorized activity, specifically in relation to access requests across health information custodians (e.g. a health care provider accessing the personal health information of a patient with whom they have no readily apparent clinical relationship);
- reviewing the list of authorized agents with access to the Mohawk DI-r data set to ensure the list is up to date (e.g. that listed users have made an access request within the past 12 months); and
- assisting health information custodian Privacy Officers in investigating privacy complaints to determine whether a privacy breach has occurred.

Monitoring activities that may be completed by health information custodians include:
- promptly (e.g. within two weeks of receipt) reviewing the audit log reports provided by Mohawk to ensure that all identified users' accesses to personal health information are for authorized purposes; and

- requesting audit logs by patient or by authorized DI-r user upon patient request or as part of existing organizational auditing practices.

5 How to Report Privacy Breaches

Agents of health information custodians (e.g. physicians, nurses, technicians) are responsible for immediately reporting privacy breaches or suspected privacy breaches involving the Mohawk DI-r to their Privacy Officer. Where the breach may involve personal health information collected from multiple sites, the Privacy Officer must notify Mohawk, which will work with RSS to determine the extent of the breach and notify the other affected custodians (e.g. custodians that collected personal health information that may have been breached, or custodians whose users may have perpetrated the breach). All Privacy Officers at hospitals participating in the Mohawk DI-r must assist in breach investigations.

The Mohawk Privacy Lead may be contacted by telephone at 1-866-790-4642 ext. 2704 or by email at dlarwood@mohawkssi.com.

Health information custodian Privacy Officers must report the following information to Mohawk at the first reasonable opportunity (a sample reporting template is included as Appendix A to this procedure):
- the date and time the actual or suspected privacy breach occurred;
- a general description of the privacy breach; and
- the immediate steps that have been or will be taken to contain and remedy the breach (see Parts 6 and 9 below, respectively).

The Mohawk Privacy Lead is responsible for leading Mohawk DI-r breach responses where the breach occurs due to the actions of an individual or organization acting on behalf of Mohawk. In such cases, the Mohawk Privacy Lead is responsible for ensuring that the following breach management activities occur: containment, investigation, notification and resolution. Even in these circumstances, however, the affected health information custodians remain responsible for notifying the individuals whose privacy has been breached.
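The two audit-review heuristics described in Part 4 (cross-custodian access with no readily apparent clinical relationship, and authorized users with no access request in the past 12 months), plus the Part 3 case of an unqualified individual gaining access, as an added worked example. This is example code written for this page, not code from the Mohawk DI-r or RSS systems. It assumes the DI-r audit log can be exported as CSV with the columns timestamp, user_id, user_custodian, patient_id and record_custodian, and that each custodian can supply the (user_id, patient_id) pairs for which it has a documented clinical relationship; the log lines, relationships, user IDs and custodian names are all constructed sample data.

```python
"""Audit-log review heuristics from Part 4, as an added worked example.

This is not code from the Mohawk DI-r procedure.  It assumes a DI-r audit
log exported as CSV with the columns
    timestamp,user_id,user_custodian,patient_id,record_custodian
and that each custodian can supply the (user_id, patient_id) pairs for which
it has a documented clinical relationship (e.g. from its encounter system).
All identifiers and log lines below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format and identifiers).
AUDIT_LOG_CSV = """timestamp,user_id,user_custodian,patient_id,record_custodian
2011-03-01T09:12:00,u100,HospitalA,p1,HospitalA
2011-03-02T14:30:00,u200,HospitalB,p1,HospitalA
2011-03-03T08:05:00,u300,HospitalB,p2,HospitalA
2011-03-04T10:00:00,u999,HospitalA,p1,HospitalA
2010-01-15T11:00:00,u400,HospitalA,p3,HospitalA
"""

# Constructed clinical relationships reported by the custodians: u200 (HospitalB)
# has a documented relationship with p1; u300 (HospitalB) has none with p2.
CLINICAL_RELATIONSHIPS = {("u100", "p1"), ("u200", "p1"), ("u400", "p3")}

# Constructed list of authorized DI-r agents (user_id -> custodian).  u500 is
# authorized but never appears in the log; u999 appears but is not authorized.
AUTHORIZED_USERS = {
    "u100": "HospitalA", "u200": "HospitalB", "u300": "HospitalB",
    "u400": "HospitalA", "u500": "HospitalA",
}


def parse_audit_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def flag_cross_custodian_access(rows, relationships):
    """Accesses across custodians with no documented clinical relationship.

    Intra-custodian accesses are skipped here because the custodian reviews
    those under its own auditing practice; Part 4 singles out access to
    another custodian's records.
    """
    return [
        r for r in rows
        if r["user_custodian"] != r["record_custodian"]
        and (r["user_id"], r["patient_id"]) not in relationships
    ]


def find_unauthorized_users(rows, authorized):
    """User IDs present in the log but absent from the authorized-agent list."""
    return sorted({r["user_id"] for r in rows} - set(authorized))


def find_dormant_users(rows, authorized, review_date, max_idle=timedelta(days=365)):
    """Authorized users with no access request within max_idle of review_date."""
    last_seen = {}
    for r in rows:
        uid = r["user_id"]
        if uid not in last_seen or r["timestamp"] > last_seen[uid]:
            last_seen[uid] = r["timestamp"]
    return sorted(
        uid for uid in authorized
        if uid not in last_seen or review_date - last_seen[uid] > max_idle
    )


def run_review(log_text=AUDIT_LOG_CSV, relationships=CLINICAL_RELATIONSHIPS,
               authorized=AUTHORIZED_USERS, review_date=datetime(2011, 4, 1)):
    """Run all three checks and return the findings for the Privacy Officer."""
    rows = parse_audit_log(log_text)
    return {
        "flagged": [(r["user_id"], r["patient_id"], r["record_custodian"])
                    for r in flag_cross_custodian_access(rows, relationships)],
        "unauthorized": find_unauthorized_users(rows, authorized),
        "dormant": find_dormant_users(rows, authorized, review_date),
    }


if __name__ == "__main__":
    findings = run_review()
    for uid, pid, custodian in findings["flagged"]:
        print(f"review: {uid} accessed {pid} ({custodian}) with no documented relationship")
    for uid in findings["unauthorized"]:
        print(f"breach: {uid} accessed the DI-r but is not an authorized agent")
    for uid in findings["dormant"]:
        print(f"housekeeping: {uid} has had no access in the past 12 months")
```

A flagged cross-custodian access is a lead for the Privacy Officer, not a confirmed breach: the relationship lists a custodian supplies are rarely complete, so each hit still needs the Part 7 investigation before any Part 8 notification. An access by a user outside the authorized-agent list, by contrast, matches the Part 3 definition directly. On the sample data the script flags u300's access to p2, reports u999 as unauthorized, and lists u400 and u500 as dormant.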
Where the breach results from the activities of a health information custodian or its agent, relates to personal health information in the custody or control of that custodian and does not involve the Mohawk DI-r, the custodian is responsible for managing the breach in compliance with its own information practices.

The Mohawk Privacy Lead will consult with the affected health information custodians prior to reporting a breach to the following parties:
- the IPC;
- law enforcement, if theft or another crime is suspected;
- technology vendors or suppliers that may need to assist in breach containment and resolution; or
- professional or regulatory bodies responsible for disciplining individuals involved in the breach and/or that require notification.[3]

6 How to Contain Privacy Breaches

The organization responsible for a privacy breach involving the Mohawk DI-r must take steps to determine the scope of the breach and contain it. Containment means preventing additional records of personal health information from being affected, as well as ensuring that the affected records are not further compromised, by:
- retrieving hard or electronic copies of the information that was inappropriately used or disclosed;
- receiving confirmation that the information was destroyed, in lieu of retrieving hard or electronic copies;
- permanently or temporarily disabling access to the Mohawk DI-r; and/or[4]
- taking immediate action to contain the privacy breach and alleviate its consequences.

Containment is complete when the personal health information that is the subject of the privacy breach is no longer at risk of the inappropriate collection, use, disclosure or access that resulted, or may have resulted, in the breach.

7 How to Investigate Privacy Breaches

The organization(s) affected by the privacy breach must conduct an investigation to:
- determine the cause of the privacy breach;
- ensure containment was successful;
- evaluate the adequacy of administrative, technical and physical safeguards; and

[3] Information and Privacy Commissioner/British Columbia. Breach Notification Assessment Tool. December 2006.
[4] Office of the Federal Privacy Commissioner of Canada. Key Steps for Organizations Responding to Breaches.

- determine remediation plans to prevent future breaches.[5]

Where a privacy breach occurs at a health information custodian and involves the Mohawk DI-r, the Privacy Officer conducting the investigation must provide a written report to Mohawk once the investigation is complete or within one month following the incident, whichever is sooner (see Appendix A for a breach management report template). The written report should include:
- a description of the privacy breach;
- the circumstances under which the breach occurred;
- the steps the health information custodian is taking to address the breach and minimize the risk of recurrence; and
- any other information reasonably requested by Mohawk in order to minimize the risk of similar breaches occurring in the future.

Where a privacy breach occurs at Mohawk, the Mohawk Privacy Lead will provide a written report to the affected health information custodians participating in the Mohawk DI-r (or, in the case of a severe privacy breach, to all health information custodians participating in the Mohawk DI-r) once the investigation is complete or within one month following the incident, whichever is sooner. Where the breach involves health information custodians in LHINs 1 and 2, the report will be provided to RSS for notification of the affected custodians within those LHINs. Where the breach occurs at RSS and involves health information custodians in the WW and HNHB LHINs, RSS will develop the written report and provide it to Mohawk. The written report will include:
- a description of the unauthorized access, use or disclosure;
- the circumstances under which the unauthorized access, use or disclosure occurred; and
- the steps that Mohawk and/or RSS is taking to address the unauthorized access, use or disclosure and minimize the risk of recurrence.

Mohawk and RSS may work with other health information custodians affected by the breach to investigate and resolve the incident.

8 How to Notify Individuals of Privacy Breaches

Health information custodians are required to notify an individual whose personal health information was stolen, lost or accessed by unauthorized persons, or was collected, used or disclosed in a manner or for a purpose not permitted by PHIPA.[6] The notification should provide sufficient information about what happened and the nature of the potential or actual risks to the individual, and should include:
- the date (or timeframe) of the breach;
- a general description of what happened;
- a generic description of the types of personal health information involved, including whether any unique identifiers or sensitive information were involved;
- a brief description of the steps taken to control or reduce the harm and the steps planned to prevent further privacy breaches;
- the contact information of the individual who can provide further information or assistance; and
- how to contact the IPC.[7]

The organization responsible for leading the privacy breach response (i.e. the organization where the breach was identified) should work with the IPC, if and as needed, to determine and develop appropriate notifications.

9 How to Remediate Privacy Breaches

The organization(s) affected by the privacy breach must determine a remediation plan to address the cause of the privacy breach and ensure that the breach, or similar breaches, do not recur. The remediation plan should include:
- a detailed description of the remediation activity (e.g. a review of relevant information management systems, amendments or reinforcements to existing policies and/or practices, development and implementation of new security or privacy measures, testing and evaluation of remedial plans, and training of staff);
- the individual responsible for implementing the remediation activity; and
- the implementation schedule (i.e. when implementation will be complete).

Remediation plans should be reviewed, approved and monitored by the Privacy Officer of the organization leading the breach investigation and resolution.

[5] Information and Privacy Commissioner/Ontario. What to do When Faced with a Privacy Breach: Guidelines for the Health Sector.
[6] The requirements for breach notification identified in this protocol build upon the statutory requirements under section 12(2) of PHIPA, but are broader in nature and encompass inappropriate collection, use or disclosure, all of which require patient notification.
[7] Information and Privacy Commissioner/British Columbia. Breach Notification Assessment Tool. December 2006.

The organization(s) affected by the privacy breach must report the completion of the remediation activities to the Mohawk Privacy Lead, who will track all privacy breaches involving the Mohawk DI-r in order to identify system enhancements that can improve the protection of personal health information. Reports concerning privacy breaches and remediation plans will be made available to all health information custodians participating in the Mohawk DI-r in a manner that does not identify the organizations and parties involved.

Appendix A: Breach Management Report Template

Privacy Breach Timeline, Overview, and Response

The following table records the steps taken to contain the breach and identify its scope, investigate the circumstances of the breach, notify the patients involved and develop a remediation plan.

Date/Time | Breach Management Stage | Description of Actions Taken
[Insert date and time] | Breach Identification | [Insert overview of breach identification and description of actions taken.]
[Insert date and time] | Breach Containment and Scope Identification | [Insert overview of breach containment and scope identification, and description of actions taken.]
[Insert date and time] | Notification of Clients Impacted by the Breach and IPC (where applicable) | [Insert a description of the notification process and the content of the notice. See Part 8 for breach notification content requirements. Where a letter or script is used, it should be appended to the breach management report.]
[Insert date and time] | Remediation Plan | [Insert description of the remediation action required. See the remediation action plan table below.]

Privacy Breach Remediation Action Plan

The following table sets out the remediation action required to reduce the probability of similar privacy breaches occurring in the future, and the remediation strategies and implementation timelines to address them.

Remediation Action | Immediate Remediation Strategies and Actions Taken | Status and Expected Date of Completion
[Insert overview of the remedial action for the privacy issue identified.] | [Insert description of the remedial action steps to be taken.] | [Insert status of the remedial action (complete / partially complete / incomplete) and the expected date of completion.]