Privacy & Information Security Protocol: Breach Notification & Mitigation

Similar documents
University of Wisconsin-Madison Policy and Procedure

QUALITY HIPAA December 23, 2013

Security and Privacy Breach Notification

A Panel Discussion. Nancy Davis

Data Breach Response Guide

Summary Comparison of Current Data Security and Breach Notification Bills

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Federal Breach Notification Decision Tree and Tools

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Breach Notification Remember State Law

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

LCU Privacy Breach Response Plan

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Information Security Incident Response Plan

HIPAA-HITECH: Privacy & Security Updates for 2015

Information Security Incident Response Plan

Credit Card Data Compromise: Incident Response Plan

Subject: University Information Technology Resource Security Policy: OUTDATED

Analysis of the Final Rule, August 25, 2009 Health Breach Notification

HIPAA Tips and Advice for Your. Medical Practice

Cyber Security Issues

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Privacy Breach Policy

Policy and Procedure: SDM Guidance for HIPAA Business Associates

The HIPAA Omnibus Rule

Customer Proprietary Network Information

PRIVACY-SECURITY INCIDENT REPORT

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

Putting It All Together:

Privacy Policy. I. How your information is used. Registration and account information. March 3,

Data Privacy Breach Policy and Procedure

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Security Breaches: How to Prepare and Respond

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Data Compromise Notice Procedure Summary and Guide

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

HIPAA and HIPAA Compliance with PHI/PII in Research

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

What is a Breach? 8/28/2017

UTAH VALLEY UNIVERSITY Policies and Procedures

Overview of Presentation

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security

The University of British Columbia Board of Governors

HIPAA FOR BROKERS. revised 10/17

Information Security Incident Response and Reporting

Lusitania Savings Bank Retail Internet Banking Terms and Conditions

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

ecare Vault, Inc. Privacy Policy

SECURITY & PRIVACY DOCUMENTATION

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Data Breach Notification Policy

I. INFORMATION WE COLLECT

Audits Accounting of disclosures

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Regulation P & GLBA Training

THE BASICS. 2. Changes

HIPAA Security Manual

Virginia Commonwealth University School of Medicine Information Security Standard

HPE DATA PRIVACY AND SECURITY

Information Technology Standards

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Integrating HIPAA into Your Managed Care Compliance Program

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Table of Contents. PCI Information Security Policy

Schedule Identity Services

BoostMyShop.com Privacy Policy

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

The Data Breach: How to Stay Defensible Before, During & After the Incident

COMMENTARY. Information JONES DAY

Seattle University Identity Theft Prevention Program. Purpose. Definitions

What is Cybersecurity?

Clyst Vale Community College Data Breach Policy

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures

Understanding the Impact of Data Privacy January 2012


How AlienVault ICS SIEM Supports Compliance with CFATS

Consolidated Privacy Notice

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Why you MUST protect your customer data

NAI Mobile Application Code

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Breach Notification Assessment Tool

IDENTITY THEFT PREVENTION PROGRAM

Beam Technologies Inc. Privacy Policy

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

Employee Security Awareness Training Program

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Transcription:

The VUMC Privacy Office coordinates compliance with the required notification steps and prepares the necessary notification and reporting documents. The business unit from which the breach occurred covers the costs of production and mailing of the required notification and any mitigation efforts deemed to be appropriate. I. Breach of Protected Health Information (PHI) A. When the Privacy Office is notified or otherwise becomes aware of an event involving known or suspected unauthorized acquisition, access, use, or disclosure of PHI; an investigation internal to VUMC is conducted to determine if: 1. VUMC privacy and/or information security policies have been violated; and/or 2. PHI has been accessed, used, or disclosed in a manner that violates the HIPAA Privacy Rule; and 3. Breach notification is required. B. Confirmed violation of privacy and/or information security policy results in disciplinary action consistent with the VUMC policy for Sanctions for Privacy and Information Security Violations (IM 10-30.12). C. Violations of the HIPAA Privacy Rule are evaluated to determine whether the federal definition of breach has been triggered. A Breach Notification Analysis is completed for each such violation. The Breach Notification Analysis will identify whether the additional Assessment of the Risk of Compromise of the PHI needs to be documented using the Risk Assessment Scoring Grid. All documentation related to these analyses is retained for six (6) years. D. Based upon the above noted Assessment of the Risk of Compromise of the PHI those incidents that trigger the federal definition of breach of PHI require the following notification and reporting actions: 1. Notification to the individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach. 2. Notice to the Secretary of DHHS (Secretary) shall be provided as defined in regulations defined by DHHS: a) The Privacy Office maintains a log of each breach event that involves less than 500 individuals. Annually the log is reviewed by the Information Privacy and Security Page 1 of 7

Executive Committee prior to being submitted to the Secretary within sixty (60) days of the end of the calendar year. b) The Privacy Office, after consultation with the Chair of the Information Privacy and Security Executive Committee and the business leader involved in the investigation of the breach, will notify the Secretary immediately of any breach event that involves 500 or more individuals. c) The Secretary posts to a public Internet website of DHHS a list that identifies each covered entity involved in a breach in which unsecured PHI of more than 500 individuals is acquired or disclosed. E. Requirements for Notification to the Individual(s): 1. Timeliness: notification to the individual must be made without unreasonable delay and in no case later than 60 calendar days after the date of discovery of the breach. 2. Method of notice must be provided promptly and in the following form: a) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available. b) In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes the above described written notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will Page 2 of 7

include a toll-free phone number where an individual can learn whether or not the individual's unsecured protected health information is possibly included in the breach. c) Notice to prominent media outlets is required following the discovery of a breach if the unsecured PHI of more than 500 residents is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. VUMC News and Public Affairs coordinates placement of this notice with media outlets. d) In any case deemed to require urgency because of possible imminent misuse of unsecured protected health information, the individual(s) may be contacted by telephone or other means in addition to, but not in place of, the required notification noted above. 3. Content of Notification: regardless of the method of notice, the notice of a breach includes, to the extent possible, the following: a) a brief description of what happened, including the date of the breach and the date of the discovery; b) a description of the types of unsecured PHI that were involved (such as full name, Social Security number, date of birth, home address or phone, etc.); c) the steps the individual should take to protect themselves from the compromise which resulted in a breach; d) a brief description of what is being done to investigate the breach, to mitigate losses, and to protect against any further breaches; and e) information about contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, Web site, or postal address. II. Computerized Data Security Breach of Personal Information (Reference Flow Chart): Page 3 of 7

A. When VUMC information technology and security management professionals have reason to believe that computerized data has been hacked, stolen, lost or otherwise compromised, the VUMC authorities responsible for collecting, maintaining, and storing the data will be consulted to determine whether or not Personal Information was resident in the system or on the device that was accessed. 1. If Personal Information was not present, then notification is not required. 2. If Personal Information was present, then VUMC determines whether or not the data was encrypted. B. If any of the Personal Information was not encrypted, then the information technology and security management team determine whether or not there is reasonable belief that any Personal Information was acquired or under the control of an unauthorized individual, system, or device. 1. When the device or computer resides behind a firewall with a perimeter intrusion detection system: a) and the perimeter intrusion detection system confirms that data did not leave VUMC control, then notification is not required, but b) if the perimeter intrusion detection system is not able to confirm that data did not leave VUMC control, then notification to the individuals whose Personal Information may have been compromised is completed in accordance with the notification requirements defined below. 2. When the device or computer does not reside behind a firewall with a perimeter intrusion detection system: a) if there is no indication of unauthorized acquisition or control of data, then notification is not required; but, b) if there is reasonable belief that data may have been subject to unauthorized acquisition or control, then notification to the individuals whose Personal Information may have been compromised is completed in accordance with the notification requirements defined below. Page 4 of 7

C. The VUMC Privacy Office is notified when there is reasonable belief that a Computerized Data Security Breach of Personal Information has occurred. The Privacy Office will consult with the VUMC business leader responsible for the data and confirm whether or not notification is required and, if so, what type of notification response is appropriate based upon the above defined factors. If consensus is not clear or if the business leader believes an exception to the above processes is appropriate, then a final determination will be made by the core executive members of the Information Privacy and Security Executive Committee. D. Notification Method and Timeframe: 1. Notification requirement with confirming evidence: When data confirms a Computerized Data Security Breach, then affirmative written notice will be provided to the individual(s) whose Personal Information may have been involved: a) Notice will be delivered by mail unless the individual has given VUMC prior written informed consent to electronic notification. (see web references) b) If the cost of providing mailed written notice exceeds $250,000 or the affected number of individuals involved exceeds 500,000 or insufficient contact information is available to deliver written notice, then substitute notice is provided by: i. Email notice, when an email address is available; and ii. Conspicuous posting of the notice on the VUMC website page(s); and iii. Notification to major statewide media. c) If more than 1,000 persons are subject to notification, all three major consumer credit bureaus are also notified. 2. Notification requirement with no confirming evidence: When VUMC identifies a data security incident or event that creates reasonable belief that a Computerized Data Security Breach has occurred and in the absence of confirming evidence to the contrary, precautionary notice is provided to the individual(s) whose Personal Information may have been compromised: Page 5 of 7

a) If VUMC is able to discretely define the individuals impacted, then written notice will be delivered by mail. b) If the population impacted is not discretely defined or if sufficient contact information is not available, then notification may be provided by: i. Email notice, when an email address is available; and ii. Conspicuous posting of the notice on the VUMC website page(s). 3. Notification timeframe: Notification will be provided within the most expedient time possible and without unreasonable delay, but delay may be appropriate for: a) Measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system; or b) To support the needs of a criminal investigation if a law enforcement agency determines that notification will impede the investigation. III. Additional Notice and Mitigation - Indication of Identity Theft: When VUMC becomes aware that data secured through a Computerized Data Security Breach has been used by an unauthorized person for a specific purpose, such as to commit identity theft, then additional affirmative notification and mitigation steps are implemented as follows: A. Written notice identifying the probable risk of identity theft is delivered by mail or B. Substitute notice is acceptable if the costs and number of individuals exceeds the defined limits or if insufficient contact information is available to deliver written notice by mail. C. A VUMC hotline telephone number is also established to handle questions, and D. If more than 1,000 persons are subject to notification, and reporting to the three major consumer credit bureaus has not already occurred, then all three major consumer credit bureaus are also notified. Page 6 of 7

E. VUMC provides additional mitigation, such as identity theft recovery services on a case-by-case basis. Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback