Steps for breach notification

Steps To Breach Notifications
Source: Open Clip Art Library, Art by: Openxs (6-7-10)

Upload: llovelace

Post on 19-Jun-2015


Category: Health & Medicine


DESCRIPTION

Class assignment

TRANSCRIPT

Page 1: Steps for breach notification

Steps To Breach Notifications

Source: Open Clip Art Library, Art by: Openxs (6-7-10)

Page 2: Steps for breach notification

Breach

A breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Exceptions:

▶ Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity (CE) or business associate (BA), if:

a. such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and

b. such information is not further acquired, accessed, used, or disclosed by any person;

▶ Any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at the same facility, provided that any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

Source: Flickr, Photo by: David Jones (9-15-07)

Page 3: Steps for breach notification

♣ Discovery – A breach shall be treated as discovered by a CE or BA as of the first day on which the breach is known to the CE or BA (including any person, other than the individual committing the breach, who is an employee, officer, or other agent of such entity or associate, respectively), or should reasonably have been known to such entity or associate (or person) to have occurred.

♣ Notification – All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by the CE involved (or by the BA involved, in the case of a breach discovered by a BA).

Source: Open Clip Art Library, Art by: eady (8-11-10)

Page 4: Steps for breach notification

Methods:

Individual Notice – The notice required under this section to be provided to an individual with respect to a breach shall be provided promptly and in the following form:

a. Written Notification – Must be made by first-class mail to the individual (or to the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information becomes available.

Image provided by Clip Art

Page 5: Steps for breach notification

b. Substitute Notice – In the case in which there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written notification to the individual, a substitute form of notice shall be provided. If there are 10 or more individuals for whom there is insufficient or out-of-date contact information, the substitute notice must be a conspicuous posting, for a period determined by the Secretary, on the home page of the Web site of the CE involved, or notice in major print or broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting must include a toll-free phone number where an individual can learn whether or not the individual's unsecured PHI is possibly included in the breach.

Page 6: Steps for breach notification

c. Urgent Notice – In any case deemed by the CE involved to require urgency because of possible imminent misuse of unsecured PHI, the CE, in addition to the notice provided under this section, may provide information to individuals by telephone or other means as appropriate.

MEDIA NOTICE

Notice must also be provided to prominent media outlets serving a State or jurisdiction if the unsecured PHI of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach.

Page 7: Steps for breach notification

What needs to be in the Notification?

1. Date of the breach
2. Date of the discovery of the breach
3. A brief description of what happened
4. A description of the types of unsecured PHI that were involved in the breach, such as:
a. Full name
b. Social Security number
c. Date of birth
d. Home address
e. Account number
f. Disability code

Image from Clip Art

Page 8: Steps for breach notification

5. Steps the individual should take to protect themselves from potential harm resulting from the breach.

6. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an e-mail address, Web site, or postal address.

LAW ENFORCEMENT DELAY

If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.

Page 9: Steps for breach notification

NOTICE TO SECRETARY

Fewer than 500 individuals – The CE may maintain a log of any such breach and annually submit the log to the Secretary, documenting the breaches that occurred during the year involved.

500 or more individuals – The CE must provide notice to the Secretary immediately.

POSTING ON HHS PUBLIC WEBSITE – The Secretary shall make available to the public, on the Internet website of the Department of Health and Human Services, a list that identifies each CE involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.

Image by Clip Art

Page 10: Steps for breach notification

REFERENCES:

1. Analysis of Health Care Confidentiality, Privacy, and Security Provisions of The American Recovery and Reinvestment Act of 2009, Public Law 111-5 (March 2009) – http://www.ahima.org/dc/documents/AnalysisofARRAPrivacy-fin-3-3-2009a.pdf#page%3D1

2. eHealth Initiative – Navigating the American Recovery and Reinvestment Act – http://www.ehealthinitiative.org/stimulus/privacy.mspx

3. The Impact of the Stimulus Act on HIPAA Privacy and Security (Webinar – March 12, 2009) – AHIMA

4. U.S. Department of Health & Human Services (2011). Health Information Privacy. Retrieved from www.HHS.gov

5. Images provided by Flickr – http://www.flickr.com/search/?l=commderiv&q=privacy

6. Images provided by Open Clip Art Library – http://openclipart.org/search/?query=privacy