The ARRA defines exactly what a breach is. It spells out the definition and also defines what a breach is not. Read the definition of a BREACH: a breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
The exceptions:
• The person is acting under the authority of the CE/BA and the breach is unintentional.
• The breach was made in good faith and within the course and scope of employment.
• A person inadvertently discloses PHI to another authorized individual at the same facility.
• PHI received as a result of such a disclosure is not further acquired, accessed, used or disclosed.
The discovery section sets the stage for the timeliness of the notification, which could be crucial should the CE or BA later be prosecuted for not responding appropriately. (DOCUMENT, DOCUMENT, DOCUMENT) The clock starts once the breach is discovered. Notification must be made no later than 60 days after the discovery of the breach.
Notification must be made in written form and sent by first class mail. If the individual whose information was breached is deceased, then the next of kin of that individual must be notified in a diligent manner.
b. A substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for whom there is insufficient or out-of-date contact information:
• a conspicuous posting for a period determined by the Secretary on the home page of the website of the CE involved, or
• notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside.
• Such a notice in media or web posting needs to include a toll-free phone number where an individual can learn whether or not the individual’s unsecured PHI is possibly included in the breach.
If the Covered Entity believes the breach may cause immediate harm to the individuals whose information has been breached, it should take the extra step of contacting the individual by phone or any other appropriate means, to help keep damages to a minimum.
Media Notice: If a CE or BA (or both) has breached the PHI of more than 500 individuals, then they will need to use the media to broadcast that a breach has occurred.
You will need to determine:
• When the breach happened
• Who discovered the breach
• Who made the breach
• How it happened
• What was breached, such as: patient’s name, SS#, date of birth, home address, account number, disability codes.
Now you need to handle the notification to the individuals whose information has been breached. A procedure needs to be put in place describing the steps the individual should be given to help them protect themselves against potential harm. A contact information sheet should be developed with the risk manager’s and privacy officer’s names, telephone numbers and e-mail addresses, as well as the medical facility’s name, address and website, if available. This sheet should be given to the individual at the time of contact.
Law Enforcement: If a law enforcement officer has been brought in for any reason at the time of the breach and determines that notification of the breach would impede a criminal investigation or cause damage to national security, then the notification to the individual whose information was breached must be delayed.
A log needs to be kept of each breach made by any employee or BA that falls under your CE. The log should contain:
• The date the breach happened
• The name of the patient
• A description of the breach
• What steps were taken to correct the breach
A covered entity will need to submit to the Secretary the log of any breaches that occurred during the previous year if each breach involved fewer than 500 individuals. A covered entity will need to provide notice immediately to the Secretary if a breach occurs involving more than 500 individuals at one time, at which time the Secretary shall make available to the public on the website of the Department of Health and Human Services a list that identifies each Covered Entity involved in the breach.
Steps for breach notification
[Image: Open Clip Art Library, art by Openxs (6-7-10)]
Breach
A breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Exceptions:
Any unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity (CE) or business associate (BA), where:
a. such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and
b. such information is not further acquired, accessed, used, or disclosed by any person;
Any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at the same facility; or
Any such information received as a result of such disclosure that is not further acquired, accessed, used or disclosed without authorization by any person.
[Image: Flickr, photo by David Jones (9-15-07)]
The first day the breach is discovered:
Discovery – A breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which the breach is known to the CE or the BA (including any person, other than the individual committing the breach, that is an employee, officer or other agent of such entity or associate, respectively), or should reasonably have been known to such entity or associate (or person) to have occurred.
Notification – All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the CE or BA involved in the case.
[Image: Open Clip Art Library, art by eady (8-11-10)]
Methods:
Individual Notice – The notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
a. Written Notification – Must be made by first class mail to the individual (or next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
[Image: Clip Art]
b. In the case in which there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
c. In any case deemed by the CE involved to require urgency because of possible imminent misuse of unsecured PHI, the CE, in addition to the notice provided, may provide information to individuals by telephone or other means as appropriate.
MEDIA NOTICE
Media notices are required if unsecured PHI of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during such breach.
What needs to be in the Notification?
1. Date of the Breach
2. Date of the Discovery of the Breach
3. A brief description of what happened
4. A description of what was breached, such as:
   a. Full Name
   b. Social Security Number
   c. Date of Birth
   d. Home Address
   e. Account Number
   f. Disability Code
[Image: Clip Art]
5. Steps the individual should take to protect themselves from potential harm resulting from the Breach.
6. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an e-mail address, Web site, or postal address.
7. If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed.
[Image: Clip Art]
NOTICE TO SECRETARY
Less than 500 – The CE may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
More than 500 – The CE must provide a notice immediately to the Secretary.
POSTING ON HHS PUBLIC WEBSITE – The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each CE involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.
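The breach definition, its exceptions, the discovery clock, the notice methods and thresholds, and the notice contents and log described on the preceding slides fit together as one decision procedure. The following is an added example, not part of the presentation or of any HHS tool: it encodes the rules as stated on the page (60 calendar days, the 10-individual substitute-notice rule, the 500-individual rule for media and Secretary notice) and assumes its own class, function and field names plus a constructed sample incident; it also assumes all affected individuals reside in one State or jurisdiction.

```python
"""Breach-notification planner for the HIPAA/ARRA rules on this page (added example).
Thresholds and deadline come from the page; names and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

NOTIFICATION_WINDOW_DAYS = 60     # no later than 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500      # more than 500: media notice, immediate notice to Secretary
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more unreachable: web posting or major media


@dataclass
class BreachEvent:
    """Facts needed to apply the breach definition and its exceptions (assumed names)."""
    unauthorized_use: bool                   # acquired/accessed/used/disclosed without authorization
    compromises_phi: bool                    # security or privacy of the PHI is compromised
    recipient_could_retain: bool = True      # unauthorized recipient could reasonably retain it
    unintentional_workforce: bool = False    # by employee/individual under CE or BA authority
    good_faith_in_scope: bool = False        # good faith, within course and scope of employment
    inadvertent_same_facility: bool = False  # between similarly situated people at one facility
    further_disclosed: bool = True           # information was further acquired, used or disclosed


def is_reportable_breach(e: BreachEvent) -> bool:
    """True when the event is a breach under the definition and no exception applies."""
    if not (e.unauthorized_use and e.compromises_phi):
        return False
    if not e.recipient_could_retain:
        return False  # carve-out written into the definition itself
    if e.unintentional_workforce and e.good_faith_in_scope and not e.further_disclosed:
        return False  # exception: good-faith workforce access, not passed on
    if e.inadvertent_same_facility and not e.further_disclosed:
        return False  # exception: inadvertent disclosure within the same facility
    return True


@dataclass
class BreachIncident:
    occurred_on: date
    discovered_on: date                     # first day the CE/BA knew or should have known
    affected: int                           # individuals whose unsecured PHI was involved
    unreachable: int = 0                    # insufficient or out-of-date contact information
    data_elements: List[str] = field(default_factory=list)
    description: str = ""
    corrective_steps: List[str] = field(default_factory=list)
    imminent_misuse: bool = False           # CE deems urgency because of possible imminent misuse
    law_enforcement_hold: bool = False      # official says notice would impede an investigation


def plan_notification(inc: BreachIncident) -> Dict[str, object]:
    """Notice channels, deadline, regulator duties, notice contents and log entry."""
    channels = ["first-class mail to last known address (e-mail if the individual prefers)"]
    if inc.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        channels.append("substitute notice: conspicuous posting on the CE home page or "
                        "major print/broadcast media, with a toll-free number")
    elif inc.unreachable > 0:
        channels.append("substitute notice in another appropriate form")
    if inc.imminent_misuse:
        channels.append("telephone or other means, in addition to the written notice")
    large = inc.affected > LARGE_BREACH_THRESHOLD  # assumes one State/jurisdiction
    return {
        "individual_notice": channels,
        "deadline": inc.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS),
        "media_notice": large,
        "secretary_notice": "immediately" if large else "annual log submission",
        "hhs_public_posting": large,
        "delayed_for_law_enforcement": inc.law_enforcement_hold,
        "notice_contents": {            # what the individual notice must state
            "date_of_breach": inc.occurred_on,
            "date_of_discovery": inc.discovered_on,
            "what_happened": inc.description,
            "data_involved": list(inc.data_elements),
        },
        "log_entry": {                  # entry for the CE's breach log
            "date": inc.occurred_on,
            "description": inc.description,
            "corrective_steps": list(inc.corrective_steps),
        },
    }


if __name__ == "__main__":
    # Constructed sample incident (not from the page): an unencrypted laptop is lost.
    sample = BreachIncident(
        occurred_on=date(2011, 3, 1), discovered_on=date(2011, 3, 4), affected=620,
        unreachable=12, data_elements=["name", "SSN", "date of birth", "account number"],
        description="unencrypted laptop lost", corrective_steps=["remote wipe", "retraining"],
    )
    for key, value in plan_notification(sample).items():
        print(f"{key}: {value}")
```

The patient names the page's log requires are deliberately kept out of the returned dictionary so the planner's output can be shared outside the privacy office; the `law_enforcement_hold` flag is reported rather than used to cancel the deadline, because the page says notice is delayed, not waived.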
REFERENCES:
1. Analysis of Health Care Confidentiality, Privacy, and Security Provisions of The American Recovery and Reinvestment Act of 2009, Public Law 111-5, March 2009 – http://www.ahima.org/dc/documents/AnalysisofARRAPrivacy-fin-3-3-2009a.pdf#page%3D1
2. eHealth Initiative – Navigating the American Recovery and Reinvestment Act – http://www.ehealthinitiative.org/stimulus/privacy.mspx
3. The Impact of the Stimulus Act on HIPAA Privacy and Security (Webinar – March 12, 2009) – AHIMA
4. U.S. Department of Health & Human Services (2011). Health Information Privacy. Retrieved from www.HHS.gov
5. Images provided by Flickr – http://www.flickr.com/search/?l=commderiv&q=privacy
6. Images provided by Open Clip Art Library – http://openclipart.org/search/?query=privacy