Uploaded byllovelace
PPTX, PDF361 views

Steps for breach notification

1. Covered entities must notify individuals of a breach of unsecured protected health information within 60 days of discovering the breach and in the following manner: written notification via first-class mail or electronically if preferred. 2. If there is insufficient contact information, a conspicuous web posting or media notice (such as major print/broadcast media) must be made with information on how to find out if their information was involved. 3. Notifications must include a description of the breach and steps individuals should take to protect themselves, as well as contact information for inquiries.

Embed presentation

Download to read offline
Steps To Breach Notifications Source: Open Clip Art Library Art by: Openxs (6-7-10)
Breach A breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. Exceptions: b. such information is not further Any unintentional acquisition, access acquired, accessed, used, or disclosed or use of PHI by an employee or by any person; Individual acting under the authority of a any inadvertent disclosure from an Covered entity (CE) or business associate individual who is otherwise authorized (BA). to access PHI at a facility operated by a. such acquisition, access, or use was a CE or BA to another similarly made in good faith and within the situated individual at the same facility; course and scope of the employment or any such information received as a other professional relationship of such result of such disclosure is not further employee or individual, respectively, acquired, accessed, used or disclosed with the CE or BA and without authorization by any person. Source: Flickr Photo by: David Jones (9-15-07)
The first day the breach is discovered: Discovery - A breach shall be treated as Notification – All notifications discovered by a covered entity or by a required under this section shall business associate as of the first day on be made without unreasonable which the breach is known to the delay and in no case later than Covered Entity or by a Business 60 calendar days after the discovery Associate as of the first day on which of a breach by the CE involved or BA the breach is known to the CE or the BA involved in the case. (including any person, other than the individual committing the reach, that is an employee, officer or other agent of such entity or associate respectively), or should reasonably have been known to such entity or associate (or person) to have occurred. Source: Open Clip Art Library Art by: eady (8-11-10
Methods: Individual Notice – The notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form: a. Written Notification – Must be made by first class mail to the individual (or next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively or if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available. Image provided by Clip Art
B. In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written notification to the individual, Substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
c. In any case deemed by the CE involved to require urgency because of possible imminent misuse of unsecured PHI, the CE, in addition to notice provided may provide information to individuals by telephone or other means as appropriate. MEDIA NOTICE Media notices are to be done if a breach of unsecured PHI is more than 500 residents of such Sate or Jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during such breach.
What needs to be in the Notification? 1. Date of the Breach 2. Date of the Discovery of the Breach 3. A brief description of what happened 4. A description of what was breached, such as: a. Full Name b. Social Security Number c. Date of Birth d. Home Address e. Account Number f. Disability Code Image from Clip Art
5. Steps need to be given to the individual on what they need to do to protect themselves from potential harm resulting from the Breach. 6. Contact Procedures for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address. 7. If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed.
Image by Clip Art NOTICE TO SECRETARY Less than 500 – The CE may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved. More than 500 – The CE must provide a notice immediately to the Secretary. POSTING ON HHS PUBLIC WEBSITE – The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each CE involved in the breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.
REFERENCES: 1. Analysis of Health Care Confidentiality, Privacy, and Security Provisions of The American Recovery and Reinvestment Act of 2009, Public Law 111-5 March, 2009 - http://www.ahima.org/dc/documents/AnalysisofARRAP rivacy-fin-3-3-2009a.pdf#page%3D1 2. eHealth Initiative – Navigating the American Recovery and Reinvestment Act – http://www.ehealthinitiative.org/stimulus/privacy.mspx 3. The Impact of the Stimulus Act on HIPAA Privacy and Security (Webinar – March 12, 2009) – AHIMA 4. U.S. Department of Health & Human Services (2011). Health Information Privacy. Retrieved from www.HHS.gov 5. Images provided by Flickr - http://www.flickr.com/search/?l=commderiv&q=privac y 6. Images provided by Open Clip Art Library - http://openclipart.org/search/?query=privacy

More Related Content

PPTX
Illegal video recording & violation of privacy
byDhruveshPatel31
 
DOCX
Software
byTecnica paticular de loja
 
PDF
Força e citocinas
bymsimoes29
 
PDF
Wave mobile collaboration Q3 2011
byKim Jensen
 
PPT
Lcm
byguestcc1f863
 
PDF
Intrigue Me: Writing Compelling Content
bySteph Hay
 
PDF
Who Cares About Content?
bySteph Hay
 
KEY
Intrigue Me: Writing Compelling Content
bySteph Hay
 
Illegal video recording & violation of privacy
byDhruveshPatel31
 
Software
byTecnica paticular de loja
 
Força e citocinas
bymsimoes29
 
Wave mobile collaboration Q3 2011
byKim Jensen
 
Lcm
byguestcc1f863
 
Intrigue Me: Writing Compelling Content
bySteph Hay
 
Who Cares About Content?
bySteph Hay
 
Intrigue Me: Writing Compelling Content
bySteph Hay
 

Similar to Steps for breach notification

PDF
HIPAA breach report submitted to Congress by DHHS OCR
byDavid Sweigert
 
PDF
Week Of 2009 08 31
bymbarreto13
 
PPTX
DATA BREach notification of laws in health care.pptx
byshaahidirfannew
 
PDF
Do You Know How to Handle a HIPAA Breach?
byCompliancy Group
 
PDF
Legal implications of HIPAA, HITECH and BAAs
byOnline Tech
 
PPTX
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
bycanadianlawyer
 
PDF
Crowdsurf - HIPAA & FERPA Data Privacy Training.pdf
byaxeneqer
 
PDF
SECURITY BREACH NOTIFICATION CHART 2013
by- Mark - Fullbright
 
PDF
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
byCompliance Global Inc
 
PPTX
HIPAA – Where’s the Harm? Final Rule Update
byResilient Systems
 
PPT
What You Need To Know About Privacy Now!
bycatherinecoulter
 
PPT
What You Need To Know About Privacy Now!
bycatherinecoulter
 
PPTX
Hipaa in the era of ehr mo dept hss
bylearfield
 
PDF
Mandatory data breach notification for Australia
byPatrick Dwyer
 
PPTX
Cybersecurity and the Law: Fasken Law Firm
byNext Dimension Inc.
 
PPTX
HIPAA Refresher for Home Health Professionals
byIsaac Oraweme
 
PPTX
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
PPT
Hippa
bykimgeorgelong08
 
PDF
Privacy law-update-whitmeyer-tuffin
byWhitmeyerTuffin
 
PDF
Personal Data Breach Notification
byTALOSCommunications
 
HIPAA breach report submitted to Congress by DHHS OCR
byDavid Sweigert
 
Week Of 2009 08 31
bymbarreto13
 
DATA BREach notification of laws in health care.pptx
byshaahidirfannew
 
Do You Know How to Handle a HIPAA Breach?
byCompliancy Group
 
Legal implications of HIPAA, HITECH and BAAs
byOnline Tech
 
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
bycanadianlawyer
 
Crowdsurf - HIPAA & FERPA Data Privacy Training.pdf
byaxeneqer
 
SECURITY BREACH NOTIFICATION CHART 2013
by- Mark - Fullbright
 
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
byCompliance Global Inc
 
HIPAA – Where’s the Harm? Final Rule Update
byResilient Systems
 
What You Need To Know About Privacy Now!
bycatherinecoulter
 
What You Need To Know About Privacy Now!
bycatherinecoulter
 
Hipaa in the era of ehr mo dept hss
bylearfield
 
Mandatory data breach notification for Australia
byPatrick Dwyer
 
Cybersecurity and the Law: Fasken Law Firm
byNext Dimension Inc.
 
HIPAA Refresher for Home Health Professionals
byIsaac Oraweme
 
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
Hippa
bykimgeorgelong08
 
Privacy law-update-whitmeyer-tuffin
byWhitmeyerTuffin
 
Personal Data Breach Notification
byTALOSCommunications
 

Recently uploaded

PPTX
Amyloidosis - MBBS (Pathology)
byReenaz Shaik
 
PDF
Investigations and Management of Varicose veins.pdf
byNijo B Jojy
 
PDF
Advanced Prostate Cancer: Symptoms, Progression & Treatment Options
byLetsMeds
 
PPTX
ARTIFICIAL INTELLIGENCE IN CARDIOLOGY BY DR SHANIL.pptx
byDr.Mohammed Shanil.P
 
PPTX
Hemoflagellates (Trypanosomes) -Bilal.pptx
byBilalMaheen
 
PPTX
Evaluation of Back Pain: Clinical Identification of Pain Generators (Disc, Fa...
byDaradia: The Pain Clinic
 
PPTX
HIGH FREQUENCY CURRENT ppt prepared by urvi
byurvipitroda1
 
PPTX
Neonatal Perioperative Care Pediatric Surgeons Perspective.pptx
byFaheem Andrabi
 
PPT
Benjamin Best -- Bedford Day 2026 presentation
byChurch Of Perpetual Life
 
PPT
Comprehensive digestive system presentation notes
bygracebirir822
 
PPTX
Biostatistics- Data types and presentation
byAnkitMittal145
 
PDF
Philippines CT Scanners Market Size & Share
byIMARC Group
 
PPTX
Human Excretory System (RIT): Kidney Functions & Urine Formation Made Easy
byBALAJI SOMA
 
PPT
7. BENIGN LEUCOCYTES DISORDERS.ppt ppppt
byelijahjkkallon008
 
PPTX
BILIARY TREE RADIOLOGY ADVANCE IMAGING (USG, CT SCAN, MRI AND ERCP) OF ITS AN...
byjuryshira
 
PPTX
DISORDERS OF PERCEPTION DETAILED FOR STUDENTS..pptx
byDr.Prakashkumar More
 
PDF
Best Ayurvedic Sexologist in Madhepura, Bihar Dr. Sunil Dubey
byDubey Clinic
 
PPTX
Lumbar Facet Joint Pain – A Pain Generator Based Diagnostic & Treatment Approach
byDaradia: The Pain Clinic
 
PPTX
Modes & Skills of Communication (slp-1) lecture-10.pptx
byDr Zonera Khalid PT
 
PDF
biomedicines-11-00150-v2b Silica induced diseases
byHaim R. Branisteanu
 
Amyloidosis - MBBS (Pathology)
byReenaz Shaik
 
Investigations and Management of Varicose veins.pdf
byNijo B Jojy
 
Advanced Prostate Cancer: Symptoms, Progression & Treatment Options
byLetsMeds
 
ARTIFICIAL INTELLIGENCE IN CARDIOLOGY BY DR SHANIL.pptx
byDr.Mohammed Shanil.P
 
Hemoflagellates (Trypanosomes) -Bilal.pptx
byBilalMaheen
 
Evaluation of Back Pain: Clinical Identification of Pain Generators (Disc, Fa...
byDaradia: The Pain Clinic
 
HIGH FREQUENCY CURRENT ppt prepared by urvi
byurvipitroda1
 
Neonatal Perioperative Care Pediatric Surgeons Perspective.pptx
byFaheem Andrabi
 
Benjamin Best -- Bedford Day 2026 presentation
byChurch Of Perpetual Life
 
Comprehensive digestive system presentation notes
bygracebirir822
 
Biostatistics- Data types and presentation
byAnkitMittal145
 
Philippines CT Scanners Market Size & Share
byIMARC Group
 
Human Excretory System (RIT): Kidney Functions & Urine Formation Made Easy
byBALAJI SOMA
 
7. BENIGN LEUCOCYTES DISORDERS.ppt ppppt
byelijahjkkallon008
 
BILIARY TREE RADIOLOGY ADVANCE IMAGING (USG, CT SCAN, MRI AND ERCP) OF ITS AN...
byjuryshira
 
DISORDERS OF PERCEPTION DETAILED FOR STUDENTS..pptx
byDr.Prakashkumar More
 
Best Ayurvedic Sexologist in Madhepura, Bihar Dr. Sunil Dubey
byDubey Clinic
 
Lumbar Facet Joint Pain – A Pain Generator Based Diagnostic & Treatment Approach
byDaradia: The Pain Clinic
 
Modes & Skills of Communication (slp-1) lecture-10.pptx
byDr Zonera Khalid PT
 
biomedicines-11-00150-v2b Silica induced diseases
byHaim R. Branisteanu
 

Steps for breach notification

  • 1.
    Steps To Breach Notifications Source: Open Clip Art Library Art by: Openxs (6-7-10)
  • 2.
    Breach A breach meansthe unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. Exceptions: b. such information is not further Any unintentional acquisition, access acquired, accessed, used, or disclosed or use of PHI by an employee or by any person; Individual acting under the authority of a any inadvertent disclosure from an Covered entity (CE) or business associate individual who is otherwise authorized (BA). to access PHI at a facility operated by a. such acquisition, access, or use was a CE or BA to another similarly made in good faith and within the situated individual at the same facility; course and scope of the employment or any such information received as a other professional relationship of such result of such disclosure is not further employee or individual, respectively, acquired, accessed, used or disclosed with the CE or BA and without authorization by any person. Source: Flickr Photo by: David Jones (9-15-07)
  • 3.
    The first daythe breach is discovered: Discovery - A breach shall be treated as Notification – All notifications discovered by a covered entity or by a required under this section shall business associate as of the first day on be made without unreasonable which the breach is known to the delay and in no case later than Covered Entity or by a Business 60 calendar days after the discovery Associate as of the first day on which of a breach by the CE involved or BA the breach is known to the CE or the BA involved in the case. (including any person, other than the individual committing the reach, that is an employee, officer or other agent of such entity or associate respectively), or should reasonably have been known to such entity or associate (or person) to have occurred. Source: Open Clip Art Library Art by: eady (8-11-10
  • 4.
    Methods: Individual Notice – The notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form: a. Written Notification – Must be made by first class mail to the individual (or next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively or if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available. Image provided by Clip Art
  • 5.
    B. In thecase in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written notification to the individual, Substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
  • 6.
    c. In anycase deemed by the CE involved to require urgency because of possible imminent misuse of unsecured PHI, the CE, in addition to notice provided may provide information to individuals by telephone or other means as appropriate. MEDIA NOTICE Media notices are to be done if a breach of unsecured PHI is more than 500 residents of such Sate or Jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during such breach.
  • 7.
    What needs tobe in the Notification? 1. Date of the Breach 2. Date of the Discovery of the Breach 3. A brief description of what happened 4. A description of what was breached, such as: a. Full Name b. Social Security Number c. Date of Birth d. Home Address e. Account Number f. Disability Code Image from Clip Art
  • 8.
    5. Steps needto be given to the individual on what they need to do to protect themselves from potential harm resulting from the Breach. 6. Contact Procedures for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address. 7. If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed.
  • 9.
    Image by ClipArt NOTICE TO SECRETARY Less than 500 – The CE may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved. More than 500 – The CE must provide a notice immediately to the Secretary. POSTING ON HHS PUBLIC WEBSITE – The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each CE involved in the breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.
  • 10.
    REFERENCES: 1. Analysis ofHealth Care Confidentiality, Privacy, and Security Provisions of The American Recovery and Reinvestment Act of 2009, Public Law 111-5 March, 2009 - http://www.ahima.org/dc/documents/AnalysisofARRAP rivacy-fin-3-3-2009a.pdf#page%3D1 2. eHealth Initiative – Navigating the American Recovery and Reinvestment Act – http://www.ehealthinitiative.org/stimulus/privacy.mspx 3. The Impact of the Stimulus Act on HIPAA Privacy and Security (Webinar – March 12, 2009) – AHIMA 4. U.S. Department of Health & Human Services (2011). Health Information Privacy. Retrieved from www.HHS.gov 5. Images provided by Flickr - http://www.flickr.com/search/?l=commderiv&q=privac y 6. Images provided by Open Clip Art Library - http://openclipart.org/search/?query=privacy

Editor's Notes

  • #2 Steps to Breach Notifications
  • #3 The ARRA has decided what exactly is a breach. It spells it out the definition and also gives a definition of what a breach is not.Read the definition of the BREACH.A breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.The Exceptions:If the person is acting under the authority of the CE/BA and the breach is unintentional.The Breach was made in good faith and the course and scope of employmentA person who breaches PHI to another individual at the same facility.PHI received as a result of the disclosure
  • #4 1. The discovery section sets the stage the for the timeliness of a the notification could be crucial and should the CE or BA later be prosecuted for not responding appropriately. (DOCUMENT, DOCUMENT, DOCUMENT)The time starts once the breach is discovered. The notification should be made no later than 60 days after the discovery of the Breach.
  • #5 Notification must be made in a written form and sent by first class mail. If the individual that information was breached has expired, then the next of kin of that individual will need to be notified in a diligent manner.
  • #6 b. Substitute form of noticeshall be provided, including in the case that there are 10 or more individuals which there is insufficient or out of date contact information:• a conspicuous posting for a period determined by the Secretary on the home page of the website of the CE involved or • notice in a major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. • Such a notice in media or web posting needs to include a toll free phone number where an individual can learn whether or not the individual’s unsecured PHI is possibly included in the breach.
  • #7 If the Covered Entity believes the breach made may cause immediate harm to the individual’s whose information has been breached should make the extra step to contact the individual by phone or any other means to contact the individual as appropriate to help incur damages to a minimal.Media Notice If a CE or BA or Both has breached more than 500 individuals then they will need to use the method of the Media to broadcast that a breach has been made.
  • #8 You will need to determine when the Breach happenedWho discovered the breachWho made the breachHow it happenedWhat was breached Such as: Patient’s name, SS#, Date of Birth, Home Address, Account Number, Disability Codes.
  • #9 Now you need to handle the notification to the individual’s whose information has been breached. A procedure needs to be put into place on what steps should be given to help the individual to try to protect themselves against potential harm. A contact information sheet should be developed with the risk manager and privacy officer’s name, telephone number and e-mail address, also the medical facilities name, address and website if available. This sheet should be given to the individual at the time of contact.Law Enforcement:If for some reason a law enforcement officer has been brought in for whatever reason at the time of breach and they determine that the notification of the breach would impede a criminal investigation or cause damage to national security then the notification to the individual whose information was breached must be delayed.
  • #10 A log needs to be kept of each breach that is made by any employee or BA that falls under your CE.The log should contain: The date the Breach happened The name of the patient Description of the Breach What steps were taken to correct the BreachA covered entity will need to submit to the Secretary the log of any breaches that occurred during the previous year if the breaches are less than 500 at one time. A covered entity will need to provide a notice immediately to the Secretary if a Breach occurs involving more than 500 individuals at one time. A.t which time the Secretary shall make available to the public on the website of the Department of Health and Human Services a list that identifies each Covered Entity involved in the Breach