Breach Investigation and Notification
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Breach Investigation and Notification
Policy Number: IM-24
Effective Date: September 23, 2013
Last Revision: July 1, 2014; September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires that all potential HIPAA privacy and security Breaches be fully investigated, and if it is determined that there has been an actual Breach, that notification be provided to individuals, the Office for Civil Rights (OCR), and to the extent required, to the media.
For purposes of this Policy, a "Breach" shall mean an unauthorized acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. Unsecured protected health information does not include protected health information that is either encrypted, or that has been shredded so that it is unreadable or cannot be reconstructed.
There is a presumption that unless there is a "low probability" that the breached data was compromised or unless an exception applies, a Breach has occurred.
There are three (3) exceptions to a Breach:
- Unintentional acquisition, use or access by workforce member in good faith (i.e. a workforce member opened the wrong file and immediately closed the file);
- Inadvertent disclosure by an authorized person (i.e. a workforce member sends an email to another authorized person containing protected health information and the receiving party deletes the email from the system); and
- Inability to retain the information (i.e. a letter was sent to the wrong address and was returned without opening the letter).
II. Policy and Procedure
Upon such time as the DU Privacy and Security Committee receives a report of a potential Breach, the Privacy and Security Committee shall investigate such potential breach. As part of its investigation, the Privacy and Security Committee shall consider the following four (4) factors:
- Nature and extent of the protected health information involved, including likelihood data could be re-identified;
- The unauthorized person who used the protected health information or to whom an improper disclosure was made;
- Whether protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information was mitigated.
The Privacy and Security Committee shall document its findings and maintain a copy of its findings. In the event that the Privacy and Security Committee determines that a Breach has occurred, it will send out notifications, as set forth below.
A notice if required, shall: (i) be written in plain English; (ii) explain what happened, including the date of breach and the date of discovery; (iii) set forth the types of unsecured protected health information that was involved; (iv) include steps individuals should take to protect themselves against potential harm; (v) include the steps DU is taking to investigate, mitigate and protect against further breaches; and (vi) contain contact procedures, which must include a toll free telephone number, an email address, website or postal address.
Notices must be sent to affected individuals 60 days from when DU discovered the Breach or 60 days from when DU, by exercising reasonable diligence would have known of the Breach, unless law enforcement informs DU to delay sending out notices so that it can complete an investigation. "Knowledge" for purposes of this Policy means by exercising reasonable diligence the Breach would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of DU.
Notices to individuals may be sent by first class mail, by email (with prior permission) or by personal delivery. For deceased individuals, if DU has the address of the next of kin or personal representative then notice should be sent by written notice by first-class mail to either the next of kin or personal representative.
If DU has insufficient or out-of-date contact information for 10 or more individuals, then DU must provide substitute individual notice by either posting the notice on the home page of its website or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the DU has insufficient or out-of-date contact information for fewer than 10 individuals, then DU may provide substitute notice by an alternative form of written, telephone (read in full and such reading is documented), or other means.
If the Breach involves more than 500 individuals, then notice must be sent to media and the Office for Civil Rights. If the Breach involves less than 500 individuals, DU must include the Breach in its Annual Report to the Office for Civil Rights (based on the year of discovery of the Breach not the year the Breach occurred, if different).
The Office of General Counsel shall investigate whether any additional State law notifications are required (based on the residency of affected patients).
Back to Top