New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

Transcription

1 Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy Number: New Date: 8/22/2013 X Revised Reviewed Policy Owner: System Director, Integrity, Compliance and Privacy Implementation Date: August 1, 2010 Scope: This policy applies to Providence Health and Services and its Affiliates 1 and their employees, volunteers and others who are in the direct control of Providence (collectively referred to as workforce members) with access to Providence information and information systems. This is a management level policy recommended by Leadership Council, approved and signed by the President/CEO. Purpose: The purpose of this policy is to describe steps that must be taken in the event of a Suspected or Actual Breach of Unsecured Protected Health Information ( Breach ) and, when appropriate, to report the Breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) or its implementing regulations. Policy: Providence will provide notification of any Breaches of Unsecured PHI in accordance with the requirements of the federal HITECH Act or its implementing regulations and any other relevant laws. This policy establishes minimum HIPAA requirements. State law may impose more stringent requirements which will be addressed in regional level policies. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Definitions: For the definition of terms not specifically defined below, please refer to INHS-1805, Privacy Glossary. Breach or Actual Breach means an unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information. Examples of a Breach may include: a) Lost or stolen laptops, computers, servers, tapes, CD ROMs, flash drives, phones, PDAs and any other mobile data-storage medium containing PHI; b) Lost or stolen papers containing PHI; c) s or papers containing PHI sent to an unauthorized party;) Electronic transmissions of PHI sent outside the Providence network in unencrypted format that are accessed without authorization; e) Unauthorized or unnecessary access of PHI; f) An intentional violation of the physical access controls to facilities where PHI is kept; 1 For purposes of this policy, Affiliates is defined as any entity that is wholly owned or controlled by Providence Health & Services or Western HealthConnect (for example, Swedish Health Services, Swedish Edmonds, Kadlec Regional Medical Center, PacMed Clinics and Inland Northwest Health Services). Page 1 of 7

2 g) Deficient application or other information security controls allowing unauthorized access to PHI. h) Saving Electronic Protected Health Information (ephi) in a location that grants access to people without a need to know; and i) Notification from a business associate, law enforcement authority, government agency or other authority of a confirmed Breach of the computing environment where PHI is maintained or processed. If there is a concern that there has been unauthorized or unnecessary access to PHI and the circumstances do not fit into the examples above, consult with your regional Privacy Officer or the Department of Legal Affairs. Exceptions - Breach does not include: a) Any good faith unintentional acquisition, access or use of PHI by a workforce member or business associate acting within the scope of employment where the PHI is not further used or disclosed. An example would be a nurse opening the medical record of the wrong John Smith and closing out of the record immediately without further using or disclosing the PHI; b) An inadvertent disclosure of PHI by one person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement if the PHI is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule. This exception applies even if the workforce members at issue are not authorized to access the same type of PHI. For example, a patient s information is accidentally sent to a doctor within the same covered entity who otherwise would have access to the record system and the doctor does not further use or disclose the information. c) A disclosure of PHI where Providence has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI. For example, a covered entity may send an explanation of benefits to the wrong individual. This inadvertent disclosure would typically trigger the Breach notification requirements. However, if the explanation of benefits is returned to the covered entity unopened, the exception applies and there is no Breach. Suspected Breach means an incident where there is a reasonable likelihood that PHI was inappropriately acquired, accessed, used or disclosed. Incident Response Team is the Providence team assembled to work through incidents, including Breaches and Suspected Breaches. The Team is generally comprised of representatives from Enterprise Risk Management Services (Privacy, Enterprise Security), Risk Claims and Insurance, Department of Legal Affairs and Communications. Unsecured PHI means PHI that is not encrypted or destroyed in a manner that makes the PHI unreadable to unauthorized individuals. Workforce member means employees, volunteers, trainees, medical staff and other persons under the direct control of Providence whether or not they are paid by Providence. This may also include independent contractors, depending upon the arrangement. Page 2 of 7

3 Procedures Responding to a Suspected or Actual Breach 1. Suspected and Actual Breaches will be reported within 48 hours to local, regional or system Privacy or their designees, Enterprise Security or their designees, the Providence Integrity Line at (888) or the Information Services (EIS) Operations Center at The Incident Manager, in conjunction with the entity where the Suspected or Actual Breach occurred and the applicable region privacy and security representatives, will determine required actions. 3. Where incident management is deemed necessary, the Incident Manager will convene the Incident Response Team (IRT) to participate in the investigation and mitigation of the Suspected or Actual Breach. 4. Where appropriate, the IRT will be convened as soon as practicable following the report of a Suspected or Actual Breach. 5. If a Breach occurred, the entity and the IRT will take appropriate action as described in this policy. 6. If a Breach did not occur, the IRT or its designee will document how this conclusion was reached. Determining if a Reportable Breach has Occurred 1. Upon notice of a Suspected Breach, the entity, in conjunction with the IRT, will determine if: a) The Suspected Breach involved Unsecured PHI; b) The Suspected Breach involved an impermissible use or disclosure of PHI under the HIPAA Privacy Rule; and c) If any other breach notification laws or expectations for handling confidential information of any type, including but not limited to financial, business and workforce member information, apply. If the answer to either question a) or b) is no, then no HITECH breach has occurred and no HITECH breach notification is required. If the answer to either question a) or b) is yes, the entity and the IRT will determine if the Suspected Breach falls into one of the exceptions to the definition of Breach set out in the Definitions section above. If it does, no Breach has occurred and no notification is required. 2. Risk Assessment. If the Suspected Breach does not fall into one of the exceptions to the definition of Breach, the entity, in conjunction with the IRT, will conduct a risk assessment to determine if the Breach compromises the security or privacy of the information. The region or system privacy officer or his/her designee shall document the outcome from the risk assessment for inclusion into the appropriate reporting system. This documentation is required even if the risk assessment determines that no notification is required. Page 3 of 7

4 Actions if a reportable Breach has Occurred 1. Notification to individuals. If, after conducting the risk assessment, the entity and the IRT cannot determine that there is a low probability of compromise to the Unsecured PHI, a letter will be drafted notifying the individual(s) of the Breach (Note that it must be adapted for individual state law.) The letter shall be reviewed by the IRT and next steps determined. 2. Timing of notification. Except for cases in which a law enforcement official requests a delay in notification (see below), the region or system privacy officer or his/her designee shall provide notification to the individual without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach by the entity or after being informed of a breach by a business associate. 3. Written request by law enforcement for delay in notification. If a law enforcement official provides the covered entity with a written statement that a notification described in this policy would 1) impede a criminal investigation or cause damage to national security, and 2) specifies the amount of time for which law enforcement is requesting a suspension of the notice requirement, the region or system privacy officer or his/her designee shall temporarily suspend the notice for the time specified by the law enforcement official. If a law enforcement official makes a statement orally, the region or system privacy officer or his/her designee must document the statement, including the identity of the official making it, and temporarily suspend the notice requirement for no longer than 30 days from the date of the oral statement unless a written statement is submitted during that time. The region or system privacy officer will notify the entity privacy representative of the suspension. 4. The date a Breach is discovered. A Breach is considered discovered on the first day the Breach is known to the covered entity. The covered entity is deemed to have knowledge of a breach when any workforce member other than the person committing the breach, becomes aware of the Breach. For example, a nurse discovers a Breach of PHI on October 15, but does not report the Breach until October 23. The Breach is considered discovered on October Content of notification. Breach notifications shall be written in plain language. At a minimum, the following elements shall be included in the Breach notification to the extent possible: a) A brief description of what happened, including the date of the Breach and the date the Breach was discovered, if known; b) A description of the types of Unsecured PHI that were involved (name, social security number, date of birth, diagnosis, etc.); c) Any steps individuals are advised to take to protect themselves from potential harm resulting from the Breach; d) A brief description of what the covered entity is doing to investigate the Breach, mitigate harm to individuals and to protect against any further Breaches; and e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an address, web site, or postal address. 6. Methods of notifying individuals. The region or system privacy officer or his/her designee, as Page 4 of 7

5 appropriate, shall: a) Provide notification in writing by first-class mail to the individual(s) at the last known address. may be used if the individual has agreed to electronic notice and has not withdrawn this agreement. b) If the individual affected by a Breach is a minor or lacks legal capacity due to a physical or mental condition, provide notice in writing by first-class mail to the parent or personal representative of the individual; c) If the region, entity or facility where the Breach occurred knows the individual is deceased and has the address of the next of kin or personal representative of the individual, provide written notice by first-class mail to the next of kin or personal representative. d) Provide information to individuals by telephone or other appropriate means, in addition to written notice by first class mail or , in any case which the region/facility determines is urgent because of possible imminent misuse of Unsecured PHI. 7. Substitute notice. In cases where there is insufficient or out-of-date contact information to allow for written notice by first-class mail, The region or system privacy officer or his/her designee shall provide a substitute form of notice as soon as reasonably possible that is reasonably calculated to reach the individual as follows: a) In cases where mailing address information is insufficient or out-of-date for nine or less individuals, provide substitute notice by an alternative form of written notice ( , for example), telephone, or other means; b) In cases where contact information is insufficient or out-of-date for 10 or more individuals, provide substitute notice in the form of either a conspicuous posting for 90 days on the home page of the facility s web site, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the Breach likely reside. Either option must include a toll-free phone number that remains active for 90 days where an individual can learn whether his/her Unsecured PHI may have been included in the Breach; c) Substitute notice is not required in the case of a deceased individual; 8. Notification to the Media. If a Breach of Unsecured PHI involves more than 500 residents of a state or jurisdiction, the entity and the IRT will work with region and system Communications to provide notice to prominent media outlets serving the state or jurisdiction. The notification must include the same content that is required in the notice to the individuals affected by the Breach. Except for cases in which law enforcement officials request a delay in notification, such notice shall be provided to the media without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach. Notification to the media should be provided at approximately the same time, but not before, notification to the individual. 9. Notification to the Secretary of Health & Human Services of a Breach involving more than 500 individuals. The appropriate region or system privacy officer or his/her designee will report Breaches involving more than 500 individuals to the Secretary of Health & Human Services by entering the required fields of information into the HHS data portal. Such notice shall be provided to the Secretary at approximately the same time that notice is provided to the individuals affected by the Breach. Page 5 of 7

6 10. Notification to the Secretary of Health & Human Services of a Breach involving 500 or less individuals. The appropriate region or system privacy officer or his/her designee will report Breaches involving 500 or less individuals to the Secretary of Health & Human Services by entering the required fields of information into the HHS data portal. Such notice shall be entered no later than 60 days after the end of each calendar year for breaches occurring during the preceding calendar year. 11. Providence record keeping. All official documentation pertaining to Breaches and Suspected Breaches shall be maintained by Enterprise Risk Management Services in the Integrity Line database. 12. Notification from a business associate. All Providence regions, service areas, facilities or ministries who contract with a business associate on Providence s behalf shall contractually require business associates to report Suspected or Actual Breaches to Providence as soon as practicable and in no case more than 30 days from the first day on which the Actual or Suspected Breach is known, to the business associate. Reports of Suspected or Actual Breaches should be made to the Business Associate Breach Reporting Hotline at Content of business associate notice. The report of a Suspected or Actual Breach from a business associate to Providence shall include, to the extent possible, the following elements: a) The identification of each individual who s Unsecured PHI has been or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the Breach. b) A brief description of what happened, including the date of the Breach (if known) and the date of the discovery of the Breach; c) A description of the types of Unsecured PHI that were involved (name, social security number, date of birth, diagnosis, etc.); and d) A brief description of what the business associate is doing to investigate the Breach, mitigate harm to individuals and to protect against any further Breaches. Administrative Requirements For the purposes of Breach notification, Providence must comply with the following administrative requirements: a) Train existing and new workforce members on any Breach notification policies and procedures. All training must be documented. b) Provide a process for individuals to make complaints concerning Providence s Breach notification policies and procedures, or an entity's compliance with said policies and procedures. All complaints and their disposition must be documented. c) Have and apply appropriate sanctions against workforce members who fail to comply with the Breach notification policies and procedures. Workforce members who do not report a Suspected Breach will be subject to sanctions. d) Providence may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of rights under the HIPAA Privacy Rule, including the filing of complaints relating to Breach Page 6 of 7

7 References: notification policies and procedures. e) Providence cannot require individuals to waive their right to appeal to the Secretary of Health & Human Services as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. f) The breach notification process does not preclude the requirement to enter relevant events into the appropriate Accounting for Disclosures database. Disclosures should continue to be logged as required by law. 45 CFR 164 Privacy and Security Policies Page 7 of 7