DRAFT
Version 1/FINAL: 3/1/12
Based on Final HIPAA Security Rule & HITECH Interim Rules (8/24/09)
HIPAA COW
PRIVACY AND SECURITY NETWORKING GROUPS
PRIVACY BREACH
PRIVACY OFFICER’S RESPONSE & INVESTIGATION CHECKLIST
This checklist has been created to provide outlined guidance in responding to a large scale/high impact privacy breach due to loss, theft, or other unauthorized access, use or disclosure of patient protected health information (PHI). More detail is provided in the HIPAA COW Breach Notification Policy available at www.hipaacow.org. The Privacy Officer is responsible for managing privacy breaches.

Action Step | Responsible Contact | Notes (Include Date Action Carried Out)

Description of Incident
Incident Received and Documented | Privacy Officer |
  - Reported By (and contact information)
  - Date and Time Report Received
  - Date and Time of Incident
  - Date and Time Incident Discovered
  - Location/Department/Building
  - Source/Media (e.g., EHR, Paper, Fax, etc.)
  - Description of Incident | | Include Name of Individual(s) Involved, PHI, How and Why the Incident Happened, etc.
Business Associate (BA)/Vendor Involvement | Privacy Officer | Locate Signed BA Agreement; If No BA with Vendor, Document Why Not
Privacy Breach Investigation Record Initiated | Privacy Officer |
Request Originals/Media to be Returned or Destroyed with Written Verification of Such | Privacy Officer |
If Applicable, Security Incident Initiated | Security Officer | See HIPAA COW Security Incident Response Policy

Internal Notification (as Appropriate)
IT Leadership | Name, Title, Email Address and Phone |
Risk Management, Compliance Officer, Human Resources, Leadership, etc. | Name, Title, Email Address and Phone |
Internal Legal Counsel | Name, Title, Email Address and Phone |
Public Relations & Communications/Customer Service | Name, Title, Email Address and Phone | Create an Immediate Script for Response for Incoming Inquiries About Incident
Building Services/Facilities | Name, Title, Email Address and Phone |

External Notification (as Appropriate)
External Legal Counsel | Name, Title, Email Address and Phone |
Law Enforcement Officials | To be Notified by Privacy Officer or Risk Management | Based on Geographic Location; Nature of Crime
  - Date/Time
  - Agency
  - Officer
Insurance Carrier (e.g., Facility, Cyber, Malpractice, etc.) | To be Notified by Privacy Officer or Risk Management |
  - Date/Time
  - Agency
  - Agent
Office for Civil Rights (see separate section) | Privacy Officer |
State and/or Federal Agency, if Required (e.g., Health Plans with Medicare Plans – Contact CMS) | |
Investigation Components
Complete Risk Assessment to Determine Potential for Significant Risk of Financial, Reputational, or Other Harm (see Attachment A for PHI Data Elements) | Privacy Officer | See HIPAA COW Breach Notification Policy - Risk Assessment Tool. Another Option: NCHICA HITECH Breach Notification Assessment Tool
Assess/Engage Need for Forensics | Chief Information Officer | Considerations: Does a Contract with a Vendor Exist? If Not, Approval of Senior Leadership?
Assess/Engage Need for Private Investigator (e.g., research Craigslist, E-Bay, etc. for stolen equipment) | Privacy Officer or Risk Management | Considerations: Does a Contract with a Vendor Exist? If Not, Approval of Senior Leadership?
Office for Civil Rights Breach Notification Requirements
< 500 Individuals (Year End Reporting) | Privacy Officer | Report by March 1 of Following Year
  - Notify OCR Reasonable Time Period or < 60 Days
> 500 Individuals
  - Notify OCR Reasonable Time Period or < 60 Days | Privacy Officer | In Consultation with Senior Leadership, Legal Counsel. Refer to the Sample Notification Letter in the HIPAA COW Breach Notification Policy.
  - Notify Individuals | Privacy Officer | In Consultation with Senior Leadership, Legal Counsel. Consideration: Notification by Business Unit Responsible - Leadership Decision?
Public Relations | Privacy Officer Oversight; Public Relations | Senior Leadership Decision Based on Organizational Policy, Geographical Location; See HIPAA COW Breach Notification Policy.
  - Notify Media Outlets
Mitigation/Follow-Up Activities
Business Associate (as Applicable): Request a document from the BA outlining the mitigation plan, BA responsibilities for breach management, and documentation of steps on how the BA will ensure the event does not reoccur. | Privacy Officer |
Consideration of External Vendor Specializing in Breach Notification | Privacy Officer |
Consideration of External Vendor Specializing in Credit Card Monitoring | Cyber-Insurance Vendor/Senior Leadership to Approve |
Prepare Communication Plan to Cover Oral, Electronic and Written Communications to Victims as Well as Information to Assist with Personal Needs; Include Organizational Contact Information. | Privacy Officer/Public Relations Leader |
Report to Senior Leadership/BOD | Privacy Officer |
Completion of Investigation Report | Privacy Officer |
Completion of Workforce Member Sanctions | Director of Human Resources |
Communication to Staff – Learning Opportunity (e.g., newsletter article, meeting presentation, etc.) | Privacy Officer |
Record Disclosure Information in Accounting of Disclosures Records. | Privacy Officer; Director of HIM/MR Department |
Completed Checklist Retained with Supporting Documentation for Six Years | Privacy Officer |
HIPAA Defined PHI Data Elements
Note: Any single or combination of PHI data elements used, accessed, or disclosed without an individual’s authorization is a breach. A risk assessment must be carried out to determine if there is potential harm to the individual and whether or not notification should be carried out (e.g., Identity Information Trifecta: Name, DOB, SSN#).
1. Name
2. Geographic Subdivision Smaller than a State
3. All Elements of Dates Related to Individual (birth, death, adm)
4. Telephone Numbers
5. Fax Numbers
6. Electronic Mail Address
7. Social Security Number
8. Medical Record Numbers
9. Health Plan Beneficiary Numbers
10. Account Numbers
11. Certification/License Numbers
12. Vehicle Identifiers and Serial Numbers Including License Plates
13. Device Identifiers and Serial Numbers
14. Web URLs
15. Internet Protocol Addresses
16. Biometric Identifiers, Including Finger and Voice Prints
17. Full Face Photos and Comparable Images
18. Any Unique Identifying Number, Characteristic or Code
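As an added example, not part of the HIPAA COW checklist, the Python below turns the OCR Breach Notification Requirements rows and the PHI data element list above into a small assessment helper for one incident record. It assumes the "< 60 Days" clock starts on the discovery date, that the "< 500" year-end report is due March 1 of the year after discovery, and applies the page's "> 500" tier as 500 or more individuals (the HITECH/OCR threshold).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 18 PHI data element categories from Attachment A, keyed by the page's numbering.
PHI_ELEMENTS = {
    1: "Name", 2: "Geographic Subdivision Smaller than a State",
    3: "All Elements of Dates Related to Individual", 4: "Telephone Numbers",
    5: "Fax Numbers", 6: "Electronic Mail Address", 7: "Social Security Number",
    8: "Medical Record Numbers", 9: "Health Plan Beneficiary Numbers",
    10: "Account Numbers", 11: "Certification/License Numbers",
    12: "Vehicle Identifiers and Serial Numbers", 13: "Device Identifiers and Serial Numbers",
    14: "Web URLs", 15: "Internet Protocol Addresses", 16: "Biometric Identifiers",
    17: "Full Face Photos and Comparable Images",
    18: "Any Unique Identifying Number, Characteristic or Code",
}
TRIFECTA = {1, 3, 7}  # "Identity Information Trifecta" on the page: Name, DOB, SSN

@dataclass
class Obligations:
    elements: list               # exposed PHI categories, by name
    trifecta: bool               # all three trifecta elements exposed
    notify_individuals_by: date
    notify_ocr_by: date
    notify_media: bool           # whether the "Notify Media Outlets" row applies

def assess(discovered, affected: int, element_numbers) -> Obligations:
    """Map one incident onto the checklist's OCR notification rows.
    Assumptions (not stated on the page): the '< 60 Days' clock starts on the
    discovery date; the '< 500' year-end report is due March 1 of the following
    calendar year; the '> 500' tier is applied as 500 or more individuals."""
    if isinstance(discovered, str):               # accept an ISO date string too
        discovered = date.fromisoformat(discovered)
    present = set(element_numbers)
    unknown = present - set(PHI_ELEMENTS)
    if unknown:
        raise ValueError(f"not an Attachment A element number: {sorted(unknown)}")
    sixty_days = discovered + timedelta(days=60)
    if affected >= 500:
        ocr_by, media = sixty_days, True                          # '> 500' rows
    else:
        ocr_by, media = date(discovered.year + 1, 3, 1), False    # year-end reporting row
    return Obligations(
        elements=[PHI_ELEMENTS[n] for n in sorted(present)],
        trifecta=TRIFECTA <= present,
        notify_individuals_by=sixty_days,
        notify_ocr_by=ocr_by,
        notify_media=media,
    )

if __name__ == "__main__":
    # Constructed sample: a lost laptop export holding name, DOB, SSN and MRN for 1,200 patients.
    print(assess("2012-03-01", 1200, {1, 3, 7, 8}))
```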
Key Contacts/Information Sources
Name | Title | Location | Office | Cell Phone # | E-Mail Address
 | Privacy Officer | | | |
 | Security Officer | | | |
 | Compliance Leader | | | |
 | Legal Counsel | | | |
 | Director, Human Resources | | | |
 | Director, Health Information Mgmt | | | |
 | Director, Risk Management | | | |
 | Chief Information Officer | | | |
 | Director, Facility Management | | | |
Supporting Resources
List Relevant Internal Policies and Procedures and Web Sites - Provide Web Links
External Resources

HIPAA COW Breach Notification Sample Policy, Available at:
http://www.hipaacow.org/Docs/BreachNotificationPolicy0111.doc

North Carolina Healthcare Information & Communications Alliance, Inc. (NCHICA) Breach Notification Risk Assessment
http://www.nchica.org/HIT_HIE/ARRA/Improper%20Disclosures%20Assessment%20november%205%2009%20v7%20(3)%20(3).doc

OCR Breach Notification Resources, Available at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

OCR Breach Notification Reporting, Submit Breach at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Primary Authors


Nancy Davis, MS, RHIA, Ministry Health Care
Chrisann Lemery, MS, RHIA, FAHIMA, WEA Insurance
Reviewed By: HIPAA COW Privacy Networking Group
Disclaimer
This 2012 Privacy Officer Breach Checklist is Copyright © 2012 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This 2012 Privacy Officer Breach Checklist is provided “as is” without any express or implied warranty. This 2012 Privacy Officer Breach Checklist is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this 2012 Privacy Officer Breach Checklist. Therefore, this document may need to be modified in order to comply with Wisconsin/State law.
 Copyright 2012 HIPAA COW