
HIPAA BREACH OF UNSECURED PHI (YES / NO / COMMENT)

1. Was PHI (identifier + health information) involved? If Yes, Go to Question 2. If No,

Figure 5 Privacy Incident Form


2. Was there an unauthorized acquisition, access, use or disclosure of PHI in violation of the Privacy Rule? If Yes, Go to Question 3. If No, Go to Question 8.

3. Was the information encrypted (256-bit) during transmission? If Yes, notification is not required; Go to Question 8 and complete your investigation/mitigation efforts. If No, Go to Question 4.

Type of encryption software used:

4. Does an exception exist? Please check exception(s) if applicable.

a. Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA), if made in good faith, within the scope of authority, and not further used or disclosed in violation of the Privacy Rule;

b. Inadvertent disclosure of PHI by a person authorized to access PHI at a facility operated by a CE or BA to another person at the same CE, BA or organized health care arrangement, where the information received as a result of such disclosure is not further used or disclosed in a manner that violates the Privacy Rule; or

c. Unauthorized disclosure where the CE or BA has a good faith belief that the unauthorized person would not reasonably have been able to retain the information.

If at least one of these three exceptions is checked, notification is not required; Go to Question 8. If you cannot check any of these boxes, Go to Question 5.

Explain why exception(s) exist(s):

5. Did the breach involve a limited data set? If No, Go to Question 7. If Yes, Go to Question 6.

6. Were the dates of birth and zip codes removed? If Yes, notification is not required; Go to Question 8. If No, Go to Question 7.

7. Did the incident pose a significant risk of financial, reputational, or other harm to the individual? If Yes, notification is required; Go to Question 8. If No, notification is not required; Go to Question 8 and complete investigation/mitigation efforts.

Consider these factors when evaluating the "significant risk" standard:

Would the unauthorized person reasonably have been able to retain the information?

Who used or received the information?

What type of information was involved (i.e., is it highly sensitive PHI)?

Were immediate and effective steps taken to mitigate the incident (such as receiving assurances from the recipient that the PHI was destroyed)?

Was the PHI returned prior to being accessed for an improper purpose?

What level of harm could or did result?

Explain why the risk is/is not significant:

POLICY VIOLATION, BREACH OF CONFIDENTIALITY or IDENTITY THEFT SECURITY BREACH (YES / NO / COMMENT)

8. Was there a violation of Network policy (i.e., Privacy Safeguards)? Go to Question 9. Explain:

9. Was there an unauthorized acquisition, access, use or disclosure of IC information? Go to Question 10. If Yes, Explain:

10. Was the information in paper form? Go to Question 11. If Yes, Explain:

11. Was the information in electronic form? Go to Question 12. If Yes, Explain:

12. Was the information, or equipment containing the information, stolen, lost, or misplaced? If a laptop is involved, it may also be a security incident; Report to N3CN immediately. Go to Question 13.

If equipment, Explain:


14. Was the information involved confidential (i.e., non-public)? If Yes, it could be a breach of confidentiality; Go to Question 15. If No, STOP! If Yes, Explain:

15. Was an SSN or other identifying information involved? List only identifiers defined as "identifying information." See N.C.G.S. § 132-1.10(b)(5) and § 14-113.20(b) for clarity. If Yes, Go to Question 16. If No, notification is not required; investigate as a breach of confidentiality.

List identifying information:

16. Was the individual's first name or first initial and last name included? If Yes, Go to Question 17. If No, it is not "personal information" and notification is not required; determine whether the confidential information could still be identifiable without the name. If not, STOP! If Yes, Explain:

17. Was the information encrypted (256-bit) during transmission? If Yes, STOP! Notification is not required. If No, Go to Question 18.

Type/bit strength of encryption software used:

18. Had the information been redacted such that it is unreadable (i.e., for an SSN, no more than the last four digits may be present)? If Yes, STOP! Notification is not required. If No, Go to Question 19. Explain:

19. Did a security breach occur? Please check section(s) if applicable:

a. Was there an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information . . .

i. where illegal use of the personal information has occurred, or is likely to occur? or

ii. that creates a material risk of harm to the individual? or

b. Was there an incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key?

If (a)(i), (a)(ii), or (b) is checked, notification may be required; Go to Question 20. If you cannot check any of these three boxes, STOP! Notification is not required.

Explain:

20. Was there a good faith acquisition by an employee or agent of Network for a legitimate purpose, where personal information was used only for a lawful business purpose and there was no further unauthorized disclosure? If Yes, STOP! Notification is not required. If No, notification is required. Contact COVERED ENTITY Privacy Officer for further direction.

Explain:
