HIPAA Breach Notification Policy
To provide for notification procedures as it relates to a breach of unsecured protected health information discovered by LSUHSC-S or their Business Associate as prescribed in the Health Information Technology and Clinical Health Act (HITECH) of the American Recovery and Reinvestment Act (ARRA) of 2009.
This policy applies to all LSUHSC-Shreveport health care facilities and providers, including but not limited to hospitals, physician clinics, labs, etc which are referred to in this policy as LSUHSC-S. Applies to all unsecured protected health information including its PHI used by its Business Associates.† Unsecured PHI can be in any form, including electronic, paper, or oral.
Breaches are defined as the unauthorized acquisition, access, use, or disclosure of unsecured protected health information which compromises the security or privacy of such information, and poses significant risk of harm to the individual, except where an unauthorized person to who such information is disclosed would not reasonably have been able to retain such information.† A breach is not considered to have occurred if the health information has been de-identified
1.†† LSUHSC-S will make every reasonable effort to provide for the security of their †††††
††††† Patientís PHI.
2.†† Any detection of a breach shall be reported immediately to the LSUHSC-S Privacy†††††††††† Officer
Examples of possible breaches of PHI include, but are not limited to:
∑ Accessing and reading medical records out of curiosity
∑ Telling a family member about the diagnosis of another family member or neighbor
∑ Faxing† a patientís information to the wrong outside agency
∑ Improper disposal of patient information in the trashĖ Patient information must be shredded
3.†† To be considered reportable a data breach must meet certain elements. The following questions will be considered to determine if a reportable breach has occurred:
a) Did the incident involve impermissible use or disclosure of PHI under the HIPAA Privacy Rule?
b) Did the incident involve unsecured PHI?
c) Did the incident involve a breach?
d) Was that breach intentional or unintentional in relation to acquisition, access, or use of unsecured PHI?
e) Was that breach an inadvertent disclosure of unsecured PHI?
f) Was the person(s) to whom the PHI disclosed reasonably able to retain that PHI?
g) Did the breach pose risk of significant harm?
4.†† The Privacy Officer with the Information Security Officer will determine if the PHI was unsecured when the potential breach incident occurred.† If it is determined that the PHI was unsecured, then further review will be needed to determine if a reportable breach has occurred.†
5.†† The Privacy Office must determine if the PHI that was breached was actually acquired, accessed, used or disclosed by a member of the facilityís workforce or Business Associate and if that the employee or Business Associate used or disclosed the† PHI in a manner that is not permitted by the HIPAA Privacy rule.†
A breach is not reportable if the following criteria are met:
∑ The person who originally accessed the PHI was authorized to do so; and
∑ The PHI was disclosed to another person authorized to access the PHI
∑ The PHI was not further used or disclosed in a way that violates the HIPAA Privacy rule.
6. The Privacy and Information Security offices must determine if anyone was able to access and retain the PHI involved in the breach.† If the PHI was not able to be retained, then no further action is required.† If the PHI was able to be retained, then further review is required.
7. The Privacy and Information Security offices, with the assistance of other departments, shall conduct a risk assessment to determine the level of risk in relation to the privacy/security breach.† If the breach is found to be significant, and all other analysis indicates that the breach is a reportable event, then the Privacy Officer, or his/her designee, shall
move forward with notification procedures.† If the breach is determined to not †††††††constitute risk of harm to the patient(s), then no further action other than documenting the analysis is required.† Any analysis conducted must be documented and kept on file for a minimum of ten years.
8. LSUHSC-S will notify any individual(s) impacted by a reportable breach as soon as possible without reasonable delay, but in no case later than sixty days of the discovery of the reportable breach. Written notification will be sent first-class mail.
If there is reason to believe that the patientís information is in imminent danger of ††being misused, LSUHSC-S will attempt to contact the patient via phone in addition to sending a written notification.
a. If the mailed breach notice is returned indicating that the last known address was insufficient or inaccurate, an attempt will be made to contact the patient via the last known phone number of the patient.† If the phone number is found to be inaccurate or no longer in service, the Privacy Officer or designee will attempt to locate the patient via contact persons listed by the patient, taking care not to further breach PHI.† Every effort will be made to contact the patient via these methods. Documentation of attempts to locate the patient will be documented in the disclosure breach log.
b. If any one particular breach has ten or more individuals who cannot be contacted via their contact information listed in LSUHSC-S system, every reasonable attempt will be taken to update the information.† However, if after a reasonable period of time it becomes evident that such information will not be able to be updated for ten or more individuals impacted by the breach, then the Privacy Office must determine which alternate method of notification (e.g., posting on the facilityís website or notification through major media) will be used to reasonably reach those whose PHI has been breached.† This notification must occur as soon as possible, but no greater than sixty days from the discovery of the breach.
9.†† In any instance of a breach that involves 500 or more patients, the Privacy Officer will contact HHS and coordinate with the LSUHSC-S Information Services Department media notification.
10. If the law enforcement official provides a statement in writing that the delay is necessary for a specific period of time because notification would impede a criminal investigation or cause damage to national security, the LSUHSC-S is required to delay the notification for the time period specified by the official.
11. Business Associates are also responsible for the breach notification rules.† Business Associates must notify LSUHSC-S of the breach. It is then LSUHSC-Sís responsibility to follow through on notifying the individuals or HHS.
12. All reportable breaches will be entered into the LSUHSC-S disclosure log.† No later than sixty days after the end of each calendar year, the information related to reportable breaches will be entered into the HHS website.