Phleb-Finders Breach Notification Policy

Phleb-Finders Portal should never be used to store PHI or HIPAA-related information. If this information is found by anyone, please notify Brad Akers, CIO, immediately.

1. PURPOSE

The purpose of this Breach Notification Policy is to provide guidance to the staff of Phleb-Finders (“the Practice”) when there is a breach, that is, an acquisition, access, use, or disclosure of the Practice’s patients’ unsecured protected health information (PHI) in a manner not permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing rules and regulations, which compromises the security or privacy of the PHI. HIPAA requires that Phleb-Finders notify individuals whose unsecured PHI has been compromised by such a breach. In certain circumstances, the Practice must also report such breaches to the Secretary of HHS and through the media. Phleb-Finders’ breach notification process will be carried out in compliance with the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.

2. DEFINITIONS

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates, where applicable, have the discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

3. POLICY AND PROCEDURES

In summary, HIPAA requires that covered entities notify individuals whose unsecured protected health information has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the protected health information. The notification requirements only apply to breaches of unsecured PHI. In other words, if PHI is encrypted or destroyed in accordance with the HIPAA guidance, there is a “safe harbor” and notification is not required.

Discovery of Breach. A breach shall be treated as discovered as of the first day on which such breach is known to the Practice or, by exercising reasonable diligence, would have been known to the Practice or any person, other than the person committing the breach, who is a workforce member or agent of the Practice.

Workforce members who believe that patient information has been used or disclosed in any way that compromises the security or privacy of that information shall immediately notify Brad Akers, CIO.

Following the discovery of a potential breach, the Practice shall begin an investigation, conduct a risk assessment, and, based on the results of the risk assessment, begin the process of notifying each individual whose PHI has been, or is reasonably believed by the Practice to have been, accessed, acquired, used, or disclosed as a result of the breach. The Practice shall also begin the process of determining what notifications are required or should be made, if any, to the Secretary of the Department of Health and Human Services (HHS), or media outlets.

Breach Investigation. The Practice shall utilize Brad Akers, CIO, to act as the investigator of the breach. The investigator shall be responsible for the management of the breach investigation, completion of the risk assessment, and coordinating with others in the Practice as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel.) The Practice’s entire workforce is expected to assist management in this investigation as requested. The investigator shall be the key facilitator for all breach notification processes.

Risk Assessment. For breach response and notification purposes, a breach is presumed to have occurred unless the Practice can demonstrate that there is a low probability that the PHI has been compromised based on, at minimum, the following risk factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

Based on the outcome of the risk assessment, the Practice will determine the need to move forward with breach notification. The investigator must document the risk assessment and the outcome of the risk assessment process. All documentation related to the breach investigation, including the risk assessment, must be retained for a minimum of six years.

Notification: Individuals Affected. If it is determined that breach notification must be sent to affected individuals, the Practice’s standard breach notification letter (as modified for the specific breach) will be sent out to all affected individuals. The Practice also has the discretion to provide notification following an impermissible use or disclosure of PHI without performing a risk assessment, if the Practice so chooses. Notice to affected individuals shall be written in plain language and must contain the following information, all of which is included in the Practice’s standard breach notification letter:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  2. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  3. Any steps the individuals should take to protect themselves from potential harm resulting from the breach.
  4. A brief description of what the Practice is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
  5. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, email address, website, or postal address.

This letter will be sent by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification shall be provided in one or more mailings as information is available. If the Practice knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or personal representative shall be carried out.

If there is insufficient or out-of-date contact information that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. If there is insufficient or out-of-date contact information for fewer than 10 individuals, then the substitute notice may be provided by an alternative form of written notice, by telephone, or by other means. If there is insufficient or out-of-date contact information for 10 or more individuals, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the Practice’s website, or a conspicuous notice in major print or broadcast media in the Practice’s geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active for at least 90 days where an individual can learn whether his or her PHI may be included in the breach.

Notice to affected individuals shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. If the Practice determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above. It is the responsibility of the Practice to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.

Notification: Health and Human Services (HHS). In the event a breach of unsecured PHI affects 500 or more of the Practice’s patients, HHS will be notified at the same time notice is made to the affected individuals, in the manner specified on the HHS website. If fewer than 500 of the Practice’s patients are affected, the Practice will maintain a log of the breaches to be submitted annually to the Secretary of HHS no later than 60 days after the end of each calendar year, in the manner specified on the HHS website. The submission shall include all breaches discovered during the preceding calendar year.

Notification: Media. In the event the breach affects more than 500 residents of a state, prominent media outlets serving the state and regional area will be notified without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The notice shall be provided in the form of a press release.

Delay of Notification Authorized for Law Enforcement Purposes. If a law enforcement official states to the Practice or a business associate that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Practice shall:

  1. If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
  2. If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

This applies to notices made to individuals, the media, HHS, and by business associates.

Maintenance of Breach Information. The Practice shall maintain a process to record or log all breaches of unsecured PHI, regardless of the number of patients affected. The following information should be collected for each breach:

  1. A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known.
  2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, social security number, date of birth, home address, account number, or other information).
  3. A description of the action taken with regard to notification of patients regarding the breach.
  4. The steps taken to mitigate the breach and prevent future occurrences.

Business Associate Responsibilities. The Practice’s business associates shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach of unsecured PHI, notify the Practice of such breach. Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. The business associate shall provide the Practice with any other available information that the Practice is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. Upon notification by the business associate of discovery of a breach, the Practice will be responsible for notifying affected individuals, unless otherwise agreed upon by the business associate to notify the affected individuals.

Workforce Training. The Practice shall train all members of its workforce on the Practice’s policies and procedures with respect to PHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the Practice.

Retaliation/Waiver. The Practice may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising his or her privacy rights. Individuals shall not be required to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Burden of Proof. The Practice has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach.
