HIPAA Breach Analysis Form - HIPAA at the University of Wisconsin

advertisement

HIPAA Breach Analysis

Under the Final Omnibus Rule

CONFIDENTIAL

UW-Madison HIPAA Breach Analysis Form

Analysis Number ____________________________

1.

2.

Date Event Occurred

Date Discovered

General Information

__ __ / __ __ / __ __ __ __

3.

Date Reported to Privacy and/or Security

Officers

4.

Reported By

5.

Name(s) of Patient(s)/Subject(s) Involved

6.

Forms of Unsecured Protected Health

Information

__ __ / __ __ / __ __ __ __

__ __ / __ __ / __ __ __ __

Business Associate

UW-Madison Employee

UW Hospital Employee

UW Medical Foundation Employee

Other: ________________

7.

8.

Type and Amount of PHI Involved

Do You Believe the Disclosure Was a Violation of the Privacy Rule?

Electronic ____________

Fax

Paper

Verbal

Other: _______________

First Name

Last Name

Date of Birth

MRN

Address

Services Received

Social Security No.

Yes

No

Substance Abuse Tx.

Mental Health Tx.

________________

________________

________________

________________

________________

9.

Briefly Describe Incident

Page 1 of 5

HIPAA Breach Analysis

Under the Final Omnibus Rule

Analysis

Step One. There is a presumption that an impermissible use or disclosure of PHI is a reportable breach.

Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted under The Privacy Rule, which compromises the security or privacy of the protected health information.

Note: Encrypted data does not meet the definition of a “breach”.

Protected Health Information (“PHI”) means individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in another form or medium.

1

Health information is defined as any information, including genetic information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

2

Id.

Individually identifiable health information is defined as information that is a subset of health information, including demographic information that is collected from an individual, and “(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse, and (2) relates to the past, present, or future

Check if presumed to be a breach.

Check if PHI was encrypted.

Please describe: physical or mental health or condition of an individual, the provision of health care to an individual; and (i) that identifies the individual, or (ii) with respect to which there is a reasonable basis the believe that information can be used to identify the individual.” 3 Id.

1 Health Insurance and Portability and Accountability Act, 45 C.F.R. sec. 160.103 (1996)(protected health information does not include employment records held by a cover entity in its role as employer)

2 Id.

3 Id.

Page 2 of 5

Step Two. Does an exception apply?

Breach excludes:

HIPAA Breach Analysis

Under the Final Omnibus Rule

(i) Any unintentional acquisition, access, or use of protected health information by workforce member or person acting under the authority of a covered entity (“CE”) or a business associate (“BA”), if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a CE or B A to another person authorized to access protected health information at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.

(iii) A disclosure of protected health information where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Step Three. An impermissible use or disclosure is presumed to be a breach unless the CE, or and BA if applicable, demonstrates a low probability that the

PHI has been compromised based on a risk assessment of at the least the following factors: [A low probability breach would not be reportable.]

Factor 1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

Consider whether the information was of a sensitive nature: a. Financial information - such as a credit card number, SSN, or information that increases the risk of identity theft or financial fraud.

Page 3 of 5

Check if (i) applies. Please describe:

Check if (ii) applies. Please describe:

Check if (iii) applies. Please describe:

Supports not reporting

Supports reporting

Check if financial info included.

Please describe:

HIPAA Breach Analysis

Under the Final Omnibus Rule b. Clinical information - consider the nature of the services, amount of detailed clinical information involved (e.g. treatment plan, diagnoses, medication, medical history information, test results.) Sensitive information includes (but is not necessarily limited to) mental health,

STI's and substance abuse. c. Likelihood that PHI can be identified (if no name attached, then may not be a reportable breach)

Check if detailed or sensitive info.

Please describe:

Check if likely. Please describe:

Supports not reporting

Supports reporting

Factor 2. The unauthorized person who used the PHI or to whom the disclosure was made.

Does the recipient have an obligation to protect the PHI through HIPAA, Privacy Act of

1974, FISMA (Federal Information Security Management Act of 2002), i.e., fax was sent in error to another CE. If so, then there may be a lower probability the PHI has been compromised since the recipient of the information is obliged to protect the privacy and security of the information in a similar matter as the disclosing entity.

The fact that information is only impermissibly used within a CE or BA and the impermissible use does not result in additional disclosure outside the entity is something that may be taken into account and may reduce the possibility that PHI has been compromised.

Factor 3. Whether the PHI was actually acquired or viewed.

Determine if the PHI was actually acquired or viewed or, alternatively if only the opportunity existed for the information be acquired or viewed.

Not reportable if PHI is out of possession and later recovered and we can prove that the

PHI was not actually accessed, viewed, acquired, transferred or otherwise compromised.

In contrast, it is a reportable breach if a CE mailed PHI to the wrong person who opened the envelope and called the CE to say she received it in error. In this case the PHI was viewed and acquired because she opened and read the information to the extent she recognized it was mailed to her in error.

Factor 4. The extent to which the risk to the PHI has been mitigated.

CEs (and BAs, if applicable) should attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a

Page 4 of 5

Please describe recipient:

Supports not reporting

Supports reporting

Please describe if acquired or viewed:

Supports not reporting

 Supports reporting

Please describe mitigation -

Who provided the attestation:

__________________

Under the Final Omnibus Rule confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.

This factor, when considered in combination with the factor regarding the unauthorized recipient of the information discussed above, may lead to different results in terms of the risk to the PHI. For example, a CE may be able to obtain and rely on the assurances of an employee, affiliated entity, BA, or another CE that the entity or person destroyed information it received in error, while such assurances from certain third parties may not be sufficient.

Factor 5. Other factors may be considered when necessary.

Promptness of notification, Intent, Etc. Describe.

HIPAA Breach Analysis

Written Assurance

 Verbal Assurance

 No Assurance

PHI was returned

PHI was not returned

PHI was not removed

 Supports not reporting

 Supports reporting

 Supports not reporting

 Supports reporting

Name of Person Completing Form and Date

This Section for Use by the HIPAA Privacy Officer

10.

Is this a Reportable Breach?

11.

Involved in Risk Assessment

Privacy Office Follow-Up Notes

Yes

No

HIPAA Privacy and Security Operations Committee

Office of Legal Affairs

UW-Madison Privacy Officer

Applicable Privacy Coordinator

UW-Madison Security Officer

Applicable Security Coordinator

Office of Research Policy

Health Information Management

Other _________________________________

Page 5 of 5

Security and/or Privacy Safeguards:

Policies and Procedures:

Sanctions:

ADDITIONAL NOTES:

HIPAA Breach Analysis

Under the Final Omnibus Rule

Page 6 of 5

Download