Purpose: To provide a process for notifying individuals of a breach of unsecured PHI as required by law.
Policy:
1. Individuals must be notified when their unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule that poses a significant risk of financial, reputational, or other harm to the individuals (“breach”).
2. Notice will be provided without unreasonable delay, but in any case not later than 60 calendar days from the date of discovery of the breach.
3. The notice will be sent to the last known address of each individual by first class mail unless the individual agrees to electronic notice, in which case notice may be provided by e-mail. If it is known that the individual is deceased, the notice shall be sent to the next of kin or personal representative if that person’s address is known.
4. Alternative forms of substitute notice may be provided depending on the number of individuals to be notified and whether the unsecured PHI includes “personal information” as defined by Washington law.
• If the unsecured PHI does not include the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password (“personal information”), then if there is insufficient or out-of-date contact information preventing written notice by first class mail to 10 or fewer individuals, notice may be provided by an alternative form of notice such as telephone. If there is insufficient or out-of-date contact information for more than 10 individuals, substitute notice will be provided by either posting notice on [insert name of practice or facility]’s Web site for 90 days or by notice in a major print or broadcast media, with a toll-free number active for at least 90 days for a person to call to learn whether his or her unsecured PHI was included in the breach.
• If the unsecured PHI includes personal information, then if there is insufficient or out-of-date contact information, notice may be provided by doing all of the following: e-mailing the notice if an e-mail address is available; posting the notice on [insert name of practice or facility]’s Web site for 90 days; and notification to major statewide media, with a toll-free number active for at least 90 days.
5. If the breach involves more than 500 individuals, notice must be provided by prominent media outlets in [insert state where practice or facility is located], and to the Secretary of Health and Human Services. A log will be maintained of all other breaches and notice provided to the Secretary of HHS annually.
6. Business Associates of [insert name of practice or facility] are required to notify [insert name of practice or facility] of any breach without unreasonable delay and to the extent possible to identify the individuals whose unsecured PHI is involved.
7. Notification may be delayed if a law enforcement official states to [insert name of practice or facility] that notification would impede a criminal investigation.
Responsible Party:
Other Responsible Party:
All staff must have sufficient understanding of the Privacy Rule, “unsecured PHI,” and “breach” to report potential situations in which unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
Procedure
1. Identify “unsecured PHI” to which notification of breach may apply. “Unsecured PHI” is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.1 Encrypted PHI is not unsecured PHI. However, “unsecured PHI” may be in any form or medium, including paper or oral, neither of which may be encrypted. The remaining steps in the procedure apply only to “unsecured PHI.”
2. Promptly report to [insert name of practice or facility]’s Privacy and/or Security Official if unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
• HIPAA Privacy and Security Training will include this policy and training regarding timely reporting of breaches of unsecured PHI.
3. Investigate report to determine whether there has been a breach of unsecured PHI that requires notification under HIPAA.2
• Violation of the Security Rule does not in itself constitute a potential breach.
• A breach does not include:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of [insert name of practice or facility] or [insert name of practice or facility]’s BA made in good faith and within the person’s scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA to another person authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA, or organized health care arrangement (OHCA) in which [insert name of practice or facility] participates, and the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
• A disclosure of PHI where [insert name of practice or facility] or [insert name of practice or facility]’s BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
• There is a breach only if there is a significant risk of financial, reputational, or other harm to an individual as a result of a breach.
• If the PHI was a limited data set and did not include date of birth and zip code, there is no significant risk of financial, reputational, or other harm to an individual as a result of a breach.
4. Document the determination as to whether there has been a breach, including the determination about whether there is a significant risk of financial, reputational or other harm to an individual as a result of a breach of unsecured PHI.
5. If there has been a breach of unsecured PHI, prepare a notice in plain language. The notice shall include:
• A brief description of what happened, including date of the breach and the date of the discovery of the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
• Any steps the individuals should take to protect themselves from potential harm resulting from the breach.3
• A brief description of what [insert name of practice or facility] is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
• Contact information if the individuals have questions or want to learn more—either a toll-free telephone number, an e-mail address, Web site, or postal address.
6. Send the notice via first class mail to the last known address of individuals whose unsecured PHI was accessed, acquired, used, or disclosed in a manner not permissible under the Privacy Rule without unreasonable delay, but no later than 60 days following its discovery. The notice may be sent by electronic mail if the individual agrees to electronic notice and such agreement has not been withdrawn. If an individual is deceased, mail the notice to the individual’s next of kin or personal representative, if that person’s address is known.
7. If the contact information is insufficient or out-of-date, determine whether the PHI includes the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password.
• If the PHI does not include such information:
• For fewer than 10 individuals involved, provide the notice by telephone or other means.
• For 10 or more individuals, provide the notice by either:
• Conspicuously posting the notice for 90 days on the home page of [insert name of practice or facility]’s Web site; or
• Providing notice in major print or broadcast media where the individuals reside and including a toll-free phone number that remains active for at least 90 days, so individuals can call to learn whether their unsecured PHI was involved in the breach.
• If the PHI includes the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password, then:
• E-mail notice if an e-mail address is available;
• Conspicuously post the notice on the home page of [insert name of practice or facility]’s Web site for 90 days; and
• Post the notice in major print or broadcast media where the individuals reside and include a toll-free phone number that remains active for at least 90 days.
8. If the breach involves more than 500 individuals, provide the notice to prominent media outlets and to the Secretary of HHS in the manner specified on the HHS Web site. The HHS Office for Civil Rights has posted a form for covered entities to use to provide notice to the Secretary of HHS of a breach of unsecured protected health information. This form can be found at http://transparency.cit.nih.gov/breach/index.cfm.
9. For breaches that involve fewer than 500 individuals, record the breach in the Accounting Log for Breaches of Unsecured Protected Health Information, attach copy of notice, and provide notification annually to the Secretary of HHS.
References:
45 CFR Section 164, subpart D
RCW 19.255.010
1 “Unsecured protected health information” has been defined by guidance issued by the Department of Health and Human Services on April 17, 2009, as PHI that is not encrypted or destroyed according to National Institute of Standards and Technology (“NIST”) standards. 74 Fed. Reg. 19006 (published April 27, 2009). Guidance will be available at the HHS Web site at http://www.hhs.gov/ocr/privacy/. The specific description is:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.’ To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”
2 Washington law requires businesses to promptly notify individuals whose computerized personal information (an individual’s first name or initial, last name and SSN, driver’s license number, State ID card number, or account or bank card number) is reasonably believed to have been obtained by an unauthorized person. RCW 19.255.010.
3 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html