KUMC Breach of Protected Health Information Notification
The purpose of this policy is to provide guidance when there is a breach of a patient’s unsecured Protected Health Information (PHI) in a manner not permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing rules and regulations.
All workforce members
It is the policy of the University of Kansas Medical Center (KUMC) to protect the privacy and security of every patient’s Protected Health Information (PHI).
A. Any workforce member, upon discovering a potential breach of PHI or receiving an allegation of a breach of PHI relating to KUMC or its Business Associate (BA), will inform the University Privacy Officer at 913-588-0940, in addition to reporting the incident in accordance with the KUMC Computer Security Incident Response policy, if applicable.
Examples of possible breaches of PHI that should be reported to the Privacy Officer include, but are not limited to:
- Finding patient information in the trash
- Faxing patient information to the wrong fax number
- Loss or theft of any device containing patient information
- Any access to patient information out of curiosity or that is otherwise unauthorized
B. The Privacy Officer, in consultation with the Director of IT Security and the General Counsel’s Office, is responsible for reviewing incidents to determine whether notification is required and for directing the responsible departments in complying with the applicable notification obligations. All notifications must be reviewed by the KUMC Office of Compliance.
C. If a “breach of Unsecured PHI” has occurred, timely notice to affected individuals, federal authorities and (for large-scale breaches) the public media must be made as required. The required notice to affected individuals must be given without unreasonable delay and in any event no later than sixty (60) calendar days after the discovery of the breach (with certain permitted delays for law enforcement purposes).
D. The Privacy Officer or the Director of IT Security may take immediate action, when necessary, to mitigate harm to a person who is the subject of a potential or alleged breach, even before an investigation is complete.
E. A BA of KUMC shall notify KUMC of any unauthorized use or disclosure by the BA or its workforce, agents or subcontractors that violates the HIPAA Privacy or Security Rules and the remedial action taken or proposed to be taken with respect to the use or disclosure.
F. In addition to the notification required under federal law, any breach analysis and/or notification determination under this Policy shall include an evaluation of any applicable state breach notification laws.
KUMC Privacy Officer, 913-588-0940
Breach: The acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
The definition of “breach” specifically excludes the following:
- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or a BA, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at a Covered Entity or BA to another person authorized to access PHI at the same Covered Entity or BA, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of PHI where a Covered Entity or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Apart from the exceptions as provided in the paragraphs above, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under 45 CFR 164.402 is presumed to be a Breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Business Associate: A person who is not a Workforce member of a Covered Entity but creates, receives, maintains, or transmits PHI for or on behalf of a Covered Entity. A Covered Entity may be a Business Associate of another Covered Entity.
Protected Health Information: Individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or transmitted or maintained in any other form or medium (including paper and oral).
Unsecured PHI: PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS).
09/09/2016: Updated original date
05/06/2016: Removed Date Last Reviewed
02/15/2016: Reviewed and approved by Executive Vice Chancellor