TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2

Version 1 Approved June 8, 2015

1.0 Purpose/Background

The purpose of this policy is to establish the protocol to be followed in the event of a Privacy Event within the CBI Environment.

2.0 Scope/Application

This Policy only deals with Privacy Events that relate to the CBI Project. Therefore, if a Privacy Event occurs at an or a Third Party Service Provider that does not involve the CBI Project, this Policy does not apply. This Policy does not set out the details of the internal protocols/policies to be followed by s or other entities in their respective organizations following a Privacy Event. Please see the Glossary and Overview for further details on applicability.

3.0 Definitions

Privacy Breach or Breach means an unauthorized collection, use, access, copying, modification, disclosure, retention or disposal of PHI. Any person can become aware of a Privacy Breach, and the Breach may be deliberate or inadvertent and may be a breach of privacy law, including PHIPA, contract and/or policy (examples: staff of the have accessed or used the PHI for a purpose other than for the CBI Project, or have disclosed PHI other than as permitted under the A, or there has been inappropriate access of PHI by unauthorized users).

Privacy Event or Event means either a Privacy Incident or a Privacy Breach.

Privacy Incident or Incident means a situation, event or action resulting from the unauthorized use, access, copying, modification, disclosure, retention, disposal and/or collection of PHI to unauthorized persons. A Privacy Incident includes accidental disclosures such as misdirected e-mails or faxes. The situations include a contravention of a policy, procedure, duty or contractual obligation. Incidents may (but do not necessarily) lead to a Privacy Breach. Any person can become aware of a Privacy Incident, and the Incident may be deliberate or inadvertent.

Please see the Glossary and Overview for additional Definitions.

4.0 Policy

The Parties recognize the sensitivity of PHI, the importance of maintaining Client and stakeholder trust in their protection of PHI, and their obligation to be in compliance with PHIPA. The Parties will use reasonable means to protect the PHI in their custody and control and to respond promptly, effectively, sensitively and in accordance with all applicable laws and requirements to any Privacy Event. All Parties and their Personnel shall cooperate to address Privacy Events and prevent their recurrence.

PHIPA requires that health information custodians notify their clients, as applicable, at the first reasonable opportunity if their PHI is stolen, lost or accessed by unauthorized persons (s. 12(2)). Each shall have its own internal policies and procedures to deal with Privacy Events.

5.0 Procedures/Protocols/Roles

5.1 Steps to address a Privacy Event

There are five basic steps to address a Privacy Event:

1. Report
2. Contain
3. Investigate and Remediate
4. Communicate/Notify
5. Log and Retain Documents

(1) Report

Each Party is to immediately report a CBI-related Privacy Event to its organization. The report is to include the person who became aware of the Privacy Event, a description of the Privacy Event, whether the Privacy Event appears to be inadvertent or intentional, and immediate steps taken, if any, to contain the Privacy Event. A template Form is set out in Appendix A to this Policy. Forms and Incident Update Reports should not contain any PHI or any other unnecessary personal information.

If the Party is not the, the Party must report the Privacy Event at the first reasonable opportunity to the. If the Privacy Event is identified as a systemic issue involving the CBI Environment, the will inform the Lead Agency, who will facilitate communication with the Privacy Sub-Group and CBI Working Group and may assist in the communication with s and other Parties as required.

(2) Containment

Containment is the first priority when a Privacy Event is suspected or reported. The containment phase of the Privacy Event includes investigating a suspected Privacy Event, preventing affected PHI from being further disclosed, accessed or used, preventing additional PHI from being affected, minimizing adverse impacts to the CBI Project and restoring normal operations as soon as possible.

(3) Investigation and Remediation

A Privacy Event will be contained and investigated by the Party where the Event occurred to identify the cause of the Privacy Event as well as the PHI, individuals/organizations and IT systems and hardware involved in the Privacy Event. The Party may involve other persons in the investigation, as it deems appropriate. Based on the findings of the investigation, the Party shall determine short-term and long-term remediation strategies, to be documented in the Form, and set out possible recommendations to avoid recurrences of the Event.

(4) Communication and Notification

After containment of the Privacy Event by the Party that committed such Event, the Party to which the Privacy Event relates (if any) shall be notified at the first reasonable opportunity. The Party's own internal incident management process shall be triggered when the Party is notified, and all appropriate persons shall be informed of the Event in accordance with such incident management process.

If required under PHIPA, each shall contact the Client to whom the Privacy Event relates, in accordance with PHIPA, for notification of a Privacy Event. The only person that shall have contact with a Client regarding a Privacy Event shall be the who has collected the PHI.

If the Party is not the, the Party where the Privacy Event occurred shall contact the to advise that the Privacy Event has been dealt with and to provide a report on how the Privacy Event was dealt with and a summary of the reactions, if any, to the Event, along with recommendations to prevent recurrences. A template Incident Update Report is set out in Appendix B.

The shall provide regular updates or reports on any Privacy Events relevant to the CBI Project to the Lead Agency and the Privacy Sub-Group for review. The Lead Agency may facilitate communications between Parties as needed.

(5) Logging and Document Retention

The shall maintain a log of Privacy Events and the recommendations emanating from investigations of these Privacy Events. The log will be used to provide regular reports to the Privacy Sub-Group and the CBI Working Group. A template Log is set out in Appendix C to this Policy. All documentation related to identification, containment, investigation and remediation, communication and notification of Privacy Events shall be securely retained by the and the original creator of the documentation.

Enforcement

All Privacy Events related to the CBI Environment will be monitored and dealt with by the as per this Policy as well as the Audit and Access Log Review Policy.

Privacy Sub-Group

The Privacy Sub-Group will review reports of Access Audit Logs and Privacy Events within the CBI Environment on a regular basis and, if there is unauthorized access, may recommend appropriate action to the CBI Working Group for decision.

5.2 PROCEDURES/ROLES

If a Privacy Event is suspected or detected, the and Lead Agency may be contacted at:

Lead Agency: Stephanie Carter, Privacy Officer, Reconnect; office 416-248-6557; mobile 416-316-8548; Privacy.officer@reconnect.on.ca
: Claudio Rocca, Director, DATIS; office 416-535-8501 ext 33259; mobile 647-302-7278; Claudio.Rocca@camh.ca

Set out below is a list of the procedures to be followed for:
A) Privacy Event at
B) Privacy Event Discovered by
C) Privacy Event at Third Party Service Providers, and
D) Privacy Event at s.

A. PRIVACY EVENT AT THE

(Columns: No. / Task/Step / Owner / Requirement)

1. Task/Step: to confirm that there was a Privacy Event (e.g. PHI is sent outside the CBI Project, user account and password compromised). Requirement: Confirmation of Privacy Event.
2. Task/Step: to contain the Privacy Event (containment is the first priority). Requirement: Containment.
3. Task/Step: to investigate the Privacy Event and determine if other Parties are involved (e.g. ). If an is involved, then is to report to the Privacy Officer listed on the CBI Website at http://pmservices.reconnect.on.ca/communitybusiness-intelligence/hspimplementation/schedule-a/ If communication is required with multiple s, the Lead Agency may facilitate this communication at the request of the. Requirement: Telephone Notification followed by a written.
4. Task/Step: If is involved, then Privacy Officer documents the incident and initiates internal processes to handle the Event, including notifying Client, if required. Requirement: to follow its own processes and comply with PHIPA.
5. Task/Step: and to document and complete Incident Update Report regarding the Event resolution. Incident Update Reports are to be forwarded to the where they will be maintained according to the Data Retention and Destruction Policy. Requirement: Incident Update Report (Appendix B).
6. Task/Step: As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved. Requirement: Telephone notification followed by written.
7. Task/Step: to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. Requirement: Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months.

B. PRIVACY EVENT DISCOVERED BY

In its role as monitoring access to the CBI Environment through Access Audit Logs, the may uncover unauthorized access, use or disclosure of PHI by an or Third Party Service Provider. In that event, the protocol below is to be followed.

(Columns: No. / Task/Step / Owner / Requirement)

1. Task/Step: to confirm that there was a Privacy Event (e.g. or Third Party Service Provider accessed PHI in an unauthorized manner). Requirement: Confirmation of Privacy Event.
2. Task/Step: to contain the Privacy Event (containment is the first priority). Requirement: Containment.
3. Task/Step: to contact the Third Party Service Provider or, as required, so that the Third Party Service Provider or will investigate the Event as set out in C or D below (as appropriate). If a Third Party Service Provider is involved, then is to contact the Privacy Officer as set out in the Third Party Service Agreement. If an is involved, then is to report to the Privacy Officer listed on the CBI Website at http://pmservices.reconnect.on.ca/communitybusiness-intelligence/hspimplementation/schedule-a/ If communication is required with multiple s, the Lead Agency may facilitate this communication at the request of the.
4. Task/Step: Follow the actions required as per: C if the Event involves a Third Party Service Provider, and/or D if the Event involves an or s.

Requirement (steps 3 and 4): Telephone Notification followed by a written.

C. PRIVACY EVENT AT THIRD PARTY SERVICE PROVIDER

(Columns: No. / Task/Step / Owner / Requirement)

1. Task/Step: Third Party Service Provider to confirm that there was a Privacy Event (e.g. unauthorized Personnel access PHI). Owner: Third Party Service Provider.
2. Task/Step: Third Party Service Provider to immediately contain the Privacy Event and to alert that there has been an Event. Owner: Third Party Service Provider. Requirement: Telephone Notification, followed by written.
3. Task/Step: Third Party Service Provider to investigate the Privacy Event and determine if other Parties are involved (e.g. ). If an is involved, then to contact Privacy Officer at the listed at the CBI Project website at http://pmservices.reconnect.on.ca/communitybusiness-intelligence/hspimplementation/schedule-a/ Owner: Third Party Service Provider, . Requirement: Telephone Notification, followed by written.
4. Task/Step: If is involved, then Privacy Officer documents the incident and initiates internal processes to handle the Event, including communicating with Client, if required. Requirement: to follow its own processes and comply with PHIPA in communication about a Privacy Event.
5. Task/Step: Third Party Service Provider to document and report to regarding the Event resolution. Owner: Third Party Service Provider. Requirement: Incident Update Report (Appendix B).
6. Task/Step: to report to regarding the Event Resolution. Requirement: Incident Update Report (Appendix B).
7. Task/Step: As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved.
8. Task/Step: to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. Requirement: Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months.

D. PRIVACY EVENT AT

(Columns: No. / Task/Step / Owner / Requirement)

1. Task/Step: to confirm that there was a Privacy Event (e.g. unauthorized Personnel at access PHI).
2. Task/Step: to immediately contain the Privacy Event (containment is the first priority) and to notify that there has been an Event. Requirement: Telephone Notification followed by written.
3. Task/Step: Privacy Officer documents the incident and initiates internal processes to handle the Event, including communicating with Client, if required. Requirement: to follow its own processes and comply with PHIPA in communication about a Privacy Event.
4. Task/Step: to document and report to regarding the Event resolution. Requirement: Incident Update Report (Appendix B).
5. Task/Step: As appropriate, the Lead Agency and Privacy Sub-Group will be informed and involved.
6. Task/Step: to provide Access Audit Log and Privacy Event summary reports on a regular basis to the Lead Agency and the Privacy Sub-Group for review. Requirement: Access Audit Log and Privacy Event reports/updates provided at minimum every 3 months.

6.0 References

PHIPA
A, accessible at http://pmservices.reconnect.on.ca/community-business-intelligence/hspimplementation/

7.0 Revision History

Policy No./Title: 2 - Privacy Incident and Breach Management Policy
Revision Date (YYYY-MM-DD): N/A
Level of Change (Minor/Major/N/A): N/A
Revision Comments: New Policy
Approved By/Date: June 8, 2015

8.0 Status of Policy

Policy No./Title: 2. Privacy Incident and Breach Management Policy
Author: Lead Agency (Reconnect) on behalf of the Privacy, Security and Data Access Sub-Group
Stakeholders: (Centre for Addiction and Mental Health)
Consulted: Privacy, Security and Data Access Sub-Group; Toronto Central LHIN
Recommended By/Date: Privacy, Security and Data Access Sub-Group, December 10, 2014; CBI Working Group, December 12, 2014; CAMH, April 21, 2015
Approved By/Date: TC LHIN, June 8, 2015
Revision Dates:
Related Policies/Forms/Agreements: Audit and Access Log Review Policy; Data Retention and Destruction Policy; A; Appendices A, B and C to this Policy
Next Review Date: Upon a significant change to the CBI Project or within five years of the approval of the Policy
Level of Change:

9.0 Copyright Notice/Disclaimer

Reconnect Mental Health Services on behalf of the Toronto Central LHIN Community Business Intelligence Project, June 8, 2015. All Rights Reserved. A printed copy of this Policy may not reflect the current electronic version on the Toronto Central LHIN Community Business Intelligence Project Website. The current electronic version is the official version.

Appendix A Template

The Form is to be completed by each Party involved in a CBI-related Privacy Event to record the details of the Privacy Event, how it was managed, and short-term and long-term remediation strategies as well as possible recommendations to avoid recurrences of the Event. Upon completion, a copy of the Form should be forwarded to the for review and storage.

TC LHIN Central Business Intelligence Project
Fax No:

1. Contact Information (to be completed by the individual submitting this report)
First Name
Last Name
Date (dd/mm/yyyy)
Email
Phone No.
Organization
Title / Position
Address (street, city, province, postal code)

2. Incident Description (describe the incident below)
Date of Incident (dd/mm/yyyy)
Involves PHI?
Reported By
Description / Details

3. Incident Management
Incident #
Internal Reference #
Date of Incident (dd/mm/yyyy)
Assigned to
Incident Receipt Date (dd/mm/yyyy)
Containment Action
Follow-up Action
Most Responsible (Primary) Organization
Follow-up Date (dd/mm/yyyy)
Other Organizations (if any)
Resolution Status
Resolution Date (dd/mm/yyyy)
Notes

Appendix B Incident Update Report Template

The and/or the Party where the Privacy Event occurred shall provide a report to the on how the Event was dealt with using the Incident Update Report template. The update shall include a short description of how the Event has been dealt with and a summary of the reactions, if any, to the Event, along with recommendations to prevent recurrences. The will review and store the Incident Update Report.

TC LHIN Central Business Intelligence Project
Fax No:

1. Contact Information (to be completed by the individual submitting this update)
First Name
Last Name
Date (dd/mm/yyyy)
Email
Phone No.
Organization
Title / Position

2. Incident Information
Incident #
Internal Reference #
Client Contacted?
Date of Contact
Update Notes

Appendix C Toronto Central LHIN CBI Project Event Registry Template

The shall maintain a log of Privacy Events and the recommendations emanating from investigations of Privacy Events. The log will be used to provide regular reports to the Privacy Sub-Group and the CBI Working Group.

Log columns:
Incident #
Reported By
Incident Date (dd/mm/yyyy)
Most Responsible Party
Other Parties Involved
PHI Involved? (Y/N)
Actions Taken
Action Dates (dd/mm/yyyy)
Client Notified? (Y/N)
Incident Resolution Status
Incident Resolution Dates (dd/mm/yyyy)