HIPAA Breach Notification Policy

Purpose: To ensure compliance with applicable laws and regulations governing the privacy and security of protected health information, and to ensure that appropriate notice is given and corrective action is taken when a breach of the privacy and/or security of such information occurs.

Scope: This policy applies to all personnel at the University of Missouri Medical and Dental Benefits Plan.

Process:

1) Protected health information (PHI) is individually identifiable information concerning the health of an individual. This includes demographic and clinical information. For purposes of this policy, PHI will also include individually identifiable financial information of a beneficiary of the Plan.

2) All employees of the Plan are responsible for protecting the privacy and security of protected health information in their possession and will be held accountable for any unauthorized or improper use or disclosure of such information.

3) A breach is defined as any use or disclosure of PHI not required or permitted by applicable laws, without an authorization signed by the patient or the patient's legal representative, or an order of a court with jurisdiction. The following are some examples of breaches (this list is not exhaustive):
   - Employees discussing patient information in any public area where those with no need to know the information can and do overhear.
   - A copy (paper or electronic) of patient medical information is left in a public area.
   - A computer is left unattended in an accessible area with medical information displayed.
   - Failure to log off a computer terminal that contains patient information.
   - Sharing or exposing a password.
   - Improperly accessing, reviewing or releasing PHI of patients, including friends or relatives, or requesting another to do so.
   - Improperly accessing, reviewing or releasing PHI of a public personality for any reason unrelated to assigned job responsibilities.

4) All employees have an affirmative obligation to report any suspected breach of PHI.

5) All reports of suspected breaches must be made to one of the following:
   - The reporting individual's immediate supervisor.
   - The reporting individual's department head or manager.
   - The Plan Privacy Officer.

6) The individual to whom the report is made must immediately report a suspected breach to the Privacy Officer.

7) Upon receipt of a credible report of a suspected breach, the Privacy Officer shall immediately begin a detailed investigation, commensurate with the level of the suspected breach and the specific facts. This investigation may include, but is not limited to, interviewing the individual(s) accused of the breach, interviewing other individuals, including potential witnesses, and reviewing pertinent documentation and technical reports. The Privacy Officer may seek the advice and participation of the Office of the General Counsel at any time.

8) The Privacy Officer will determine the necessary steps to take to mitigate the breach.

9) Report of Breach: A report of the suspected breach shall be prepared by the Privacy Officer. This report shall contain at least the following information:
   - A detailed summary of the suspected breach, including the date of the breach;
   - The date of discovery of the breach;
   - A description of the information allegedly disclosed or used improperly;
   - Any steps taken to mitigate the breach; and
   - A Risk Assessment as set forth below.
   This Breach Report, together with all supporting documentation, shall be retained by the Plan for a period of six (6) years from the date of the determination.

10) Risk Assessment: All breaches of PHI are considered reportable breaches, unless, after conducting a Risk Assessment, the Privacy Officer has determined and can demonstrate that there is a low probability that the PHI has been compromised. The Risk Assessment shall include consideration of the following issues:
   a. To/by whom was the PHI improperly used, disclosed or accessed? Was the PHI actually acquired or viewed by an unauthorized person?
   b. What was the nature, type and amount of PHI that was improperly disclosed or accessed? What patient identifiers were in the PHI, and what is the likelihood of re-identification?
   c. Were the efforts at mitigation successful, or did such efforts reduce the risk of harm to the individual(s) affected?
   d. Were social security numbers, bank account information or credit card numbers disclosed?
   e. Did any of the disclosed information constitute highly sensitive information, such as information related to HIV, AIDS, mental health or substance abuse/treatment?
   f. Was this a targeted access to the PHI?

11) If the Privacy Officer determines that there is a low probability that the PHI has been compromised, this determination and the basis for the determination must be documented in the Breach Report.

12) Unless there is a determination that the breach poses a low probability that the PHI has been compromised, the matter constitutes a reportable breach, and the following steps must be taken:
   a. Written notice shall be given to each individual whose PHI has been breached. Such notice shall be provided promptly and no later than sixty (60) days after the Plan discovers the breach.
   b. The written notice shall be sent by first class mail to the affected individual's last known mailing address. Notice may be sent electronically, but only if the affected individual has agreed to receive electronic notice and this agreement has not been revoked.
   c. The notice must be written in plain language and contain the following information:
      i. A brief description of the incident, including the date of the breach and the date of discovery, if different;
      ii. A description of the types of PHI involved in the breach;
      iii. A description of the steps taken by the Plan to investigate and mitigate the breach, and to protect against future occurrences;
      iv. Any steps the affected individual should take to protect himself or herself from potential harm resulting from the breach; and
      v. Contact information for the affected individual to ask questions or learn additional information, to include a toll-free phone number, an email address, a website, or a postal address.
   d. Substitute notice must be given if the Plan does not have sufficient or current contact information for the affected individual. Substitute notice shall be reasonably calculated to reach the individual. If more than ten individuals are affected by the breach and substitute notice is required for such individuals, notice shall be in the form of either a conspicuous posting for ninety (90) days on the Plan's website home page or a conspicuous posting for ninety (90) days in major print or broadcast media in the relevant geographic areas where the affected individuals are likely to be found, and shall include a toll-free number that remains active for ninety (90) days which the affected individual can call to find out if his/her information was involved.
   e. Notice of the breach shall be given to the Department of Health and Human Services (HHS) as follows:
      i. If the breach involved fewer than 500 individuals, the Plan shall maintain all documentation of the breach and shall notify HHS no later than sixty (60) days after the end of the calendar year, in the manner set forth by HHS on its website.
      ii. If the breach involves 500 or more individuals, notice shall be given to HHS immediately, and no later than sixty (60) days after discovery of the breach, in the manner set forth by HHS on its website.
   f. If the breach involves more than 500 residents of a state or jurisdiction, the Plan shall also notify prominent media outlets serving that state or jurisdiction, immediately and no later than sixty (60) days after discovery of the breach. This notice shall contain the same information as the notice to the affected individuals.
   g. If a law enforcement official informs the Plan that notice to the affected individuals, HHS or the media would impede a criminal investigation or cause damage to national security, the Plan shall:
      i. If the statement is in writing and specifies a time for which the delay is required, delay the notification for the specified time; or
      ii. If the statement is oral, document the statement, including the identity and position of the official, and delay the notification for no longer than thirty (30) days from the date of the oral statement, unless during that thirty (30) day period the official provides a written statement requiring a different time period.

13) All documentation related to the provision of notice to affected individuals, HHS and the media, and any communication from law enforcement, shall be retained, together with the Breach Report, for a period of six (6) years from the date notice was provided.