Tehachapi Valley Healthcare District
POLICY: Privacy and Security Breach Reporting and Notification / POLICY NUMBER: 700.104
Original/Rewrite Approved: 10/12/2009
Originating Dept: HIPAA Privacy / Reviewed/Revised: 12/09/2009
Applies to Depts: All / Reviewed: 09/26/2010
Revised: 10/20/2010
Revised: 11/28/2011

Policy:

Protected Health Information in paper or electronic format will be protected from unauthorized acquisition. Should a potential breach be detected, the facility will take prompt and thorough action based upon the procedure outlined in this policy.

Definitions:

Breach: means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI. “Compromises the security or privacy of the PHI” means “poses a significant risk of financial, reputational, or other harm to the individual [the patient]”. [HITECH 74 Fed. Reg. 42740]

Breach of the Security of the System: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. [Civil Code Section 1798.82]

Personal Information: means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data element(s) are not encrypted [Civil Code Section 1798.82]:

  1. Social security number.
  2. Driver’s license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
  4. Medical information: means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  5. Health insurance information: means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

Computerized Data: Civil Code Section 1798.82 does not define the term.

Privacy Breach: “Unlawful or unauthorized access to, and use or disclosure of, patients’ medical information,” whether electronic, paper or oral. [SB 541 and AB 211]

Unauthorized: means the inappropriate accessing of medical information without a direct need for that information for a lawful use. [SB 541 and AB 211]

Protected Health Information (PHI): means individually-identifiable health information that is transmitted or maintained in electronic media or any other form or media. (HIPAA Privacy)

Individually-identifiable Health Information: is health information (including demographic information) that identifies or can be used to identify the individual. (HIPAA Privacy)

Health Information: is broadly defined to include any information, oral or recorded in any form or medium, relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual. [SB 541 and AB 211]

Unsecured Protected Health Information: means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web site.

“Compromises the security or privacy of the PHI”: means poses a significant risk of financial, reputational, or other harm to the individual. [HITECH 74 Fed. Reg. 42740]

Procedure:

When a breach or suspected breach has been detected, there must be a prompt response, which should include:

- Investigation into the circumstances of the breach, including consultation with the District’s malpractice carrier and/or legal counsel as appropriate to the situation.

- Identifying the scope of the breach; assuring that the breach is contained and that further breaches are not occurring.

- Other actions as necessary to mitigate the effects of the breach, which may include giving notice to government agencies and those persons whose information was compromised.

- Appropriate personnel actions, including discipline of any employees, volunteers, or members of the medical or allied health staff who are responsible for the breach.

- Review of administrative standards (training, policies and procedures, etc.) and action as necessary to prevent future breaches (retraining personnel, revising procedures, etc.).

Breach Decision Tree

Below is a decision tree for determining whether any particular access, use or disclosure is “unlawful or unauthorized” and therefore must be reported to CDPH and to the patient. Work through the questions in order; the first “Must Report” outcome reached ends the analysis.

1. Was the access, use or disclosure of medical information lawful?
   NO → Must Report
   YES → go to question 2

2. Was there a direct need for the medical information in connection with this lawful use?
   NO → Must Report
   YES → go to question 3

3. Was the access, use or disclosure of the medical information inappropriate under the circumstances?
   YES → Must Report
   NO → No Report

Misdirected internal paper records, emails, or fax transmissions that are received by another health care worker within the same facility, if sent for the purposes of coordination of care or delivery of services (CDPH “All Facilities Letter” dated July 29, 2009)

Timeline, Content and Method for Reporting/Notification:

The table below is organized by the agency/law that triggers the obligation. For each row: Type of Breach/Agency; Clarifications, Notification/Report and Timing; Method and Content.

Type of Breach/Agency: Breach of unencrypted computerized data [Civil Code Section 1798.82]

Clarifications, Notification/Report and Timing: Notification must be made in the most expedient time possible and without unreasonable delay. California law does not specify any particular information that must be reported to the patient.

Method and Content: Notice to affected patients may be provided by one of the following methods:
  1. Written notice (on paper).
  2. Electronic notice in conformity with the provisions regarding electronic records and signatures in the federal Electronic Signatures in Global and National Commerce (E-SIGN) Act [15 U.S.C. Section 7001].
  3. Substitute notice is permitted if the cost of providing notice would exceed $250,000, if more than 500,000 consumers are affected, or if there is insufficient contact information. Substitute notice options:
     a. E-mail notice
     b. Conspicuous posting on the District website
     c. Notification to major statewide news media

Type of Breach/Agency: Reporting to the California Department of Public Health and Patient(s) [SB 541 and AB 211]

Clarifications, Notification/Report and Timing: A breach of protected health information (“unlawful or unauthorized access to, and use or disclosure of, patients’ medical information”) must be reported to the California Department of Public Health (CDPH) and to the affected patient or to the patient’s representative within five business days of detection of the breach by the District.

Effective January 1, 2010, TVHD shall delay the reporting to the affected patient or patient’s representative of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond five business days if a law enforcement agency or official provides TVHD with a written or oral statement that compliance with the five business day reporting requirement would be likely to impede the law enforcement agency’s activities that relate to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of the delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing related to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s activities, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period (1280.15(c)(1)).

Method and Content: California law does not specify any particular information that must be included in the notification to the patient. See the sample letter, Appendix A, which may be used as a guide.

Notice to CDPH should include:
  1. Date and time of reported incident
  2. Facility name
  3. Facility address/location
  4. Facility contact person
  5. Name of patient(s)
  6. Name of alleged violator(s)
  7. General information about the circumstances surrounding the breach
  8. Any other information needed to make the determination for an onsite investigation
  9. Quantros number or unique number linked to the report

Consider also including:
  1. Mitigation efforts
  2. Changes made to policies/procedures
  3. Other information that might be useful to CDPH surveyors in deciding whether or not to conduct an onsite investigation.

CDPH Report fax sample form: Appendix B.

Type of Breach/Agency: Reporting to the Department of Health and Human Services and Patients [74 Fed. Reg. 42740]

Clarifications, Notification/Report and Timing: Requirements under California state and federal breach notification laws are significantly different and require analysis of each potential breach to determine the actions to take. Federal breach notification requirements apply only to PHI that is unsecured.

Notification must be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach”. The breach is discovered when it became known to the facility, or when it should have been known had reasonable diligence been exercised.

Consult OMB Memorandum M-07-16 regarding factors to consider when evaluating the potential harm from a breach.

Conditions for reporting:
- The breach must be a violation of the Privacy Rule.
- The breach must pose a significant risk of harm, considering:
  . To whom it was disclosed
  . Possibility of mitigation
  . Type and amount of information disclosed

The risk analysis must be documented if no disclosure is made.

Exceptions to Reporting:
- Good faith, unintentional access by an authorized person
- Inadvertent disclosure by one authorized person to another
- Unauthorized disclosure to a person who cannot reasonably retain it

Method and Content: Notification must contain (42 USC §17932):
  1. Brief description of what happened, including the date of the breach and the date discovered
  2. Description of the types of unsecured PHI involved
  3. Steps individuals should take to protect themselves from potential harm
  4. Brief description of the investigation, mitigation and protection against further breaches
  5. Contact procedures to ask questions: toll-free telephone number, e-mail address, website or postal address.

If 500 or more residents of one state are affected, also provide notice to “prominent media outlets”. HHS and the individuals are notified at the same time. HHS link to reporting online form:

Substitute notice if there is no contact information:
- If fewer than 10 individuals: by written notice, telephone or other means
- If 10 or more individuals: by
  . Conspicuous posting on the web site home page for 90 days, or
  . Conspicuous posting in major print or broadcast media with a toll-free telephone number.

If fewer than 500 residents are affected, promptly notify the individuals. Enter the breach into a log and provide the log to HHS annually, within 60 days after the end of the calendar year. Reporting information is on the HHS website. HHS online form at:

Business Associates are required to notify the District, and the District to notify the individuals and HHS. The same reporting requirements are imposed.

RESPONSIBILITIES:

The following individuals and organizational units have policy responsibilities:

Tehachapi Valley Healthcare District: is prohibited from engaging in intimidating or retaliatory acts against individuals who exercise their rights under the breach notification provision, including filing a complaint.

TVHD Privacy Officer and Security Officer: Initially train workforce members (which includes employees, volunteers, trainees, and other persons whose conduct is under the direct control of TVHD, without regard to whether they are paid by TVHD) on TVHD privacy and security responsibilities, and then provide at least annual refresher training to ensure staff continue to understand their responsibilities. Both initial and refresher training must include acceptable rules of behavior and the consequences when the rules are not followed. If employees are participating in “tele-work and other authorized remote access programs, training must also include the rules of such programs.” Efforts should be made to augment training by using creative methods to promote daily awareness of employees’ privacy and security responsibilities, such as weekly tips, mouse pads imprinted with key security reminders, privacy screens for public use of laptops, and incentives for reporting security risks. (OMB 5/2007)

Prepare policies and procedures for the detection and investigation of data breaches. Conduct breach investigations.

HIPAA Privacy Officer: Log data on breaches. Make breach notifications to patients/individuals, CDPH and DHHS, and report annually to DHHS.

Sample Security Breach Notification: Submit a sample notification “electronically” to the California Attorney General (Appendix C). [Cal. Civil Code §1798.82]

Department Managers: Reinforce and enforce policies and procedures regarding breach notification.

Workforce Members: Adhere to policies and procedures and report suspected and known breaches to the HIPAA Privacy Officer, Security Officer and/or Administration.

Business Associates: Business Associates (BAs), who are independent contractors, are required to notify TVHD of a breach “without unreasonable delay” and in any event within 60 days. TVHD must carry out the appropriate notifications and reporting. The BA is required to provide information that TVHD must include in the notification. TVHD will not delay the initial notification while the BA collects this information.

BAs must also implement reasonable processes for the discovery of breaches, implement policies and procedures for complying with breach notification requirements, and train their workforce members.

References: Security Breach notice laws = http:

Federal Register, August 24, 2009, Department of Health and Human Services, 45 CFR Parts 160 and 164

Privacy Manual, CHA, Chapter 12, Breaches

Reportable Events Policy, Admin. 100.59

Sanctions Policy, HIPAA Privacy, 700.98

Identity Theft Program, Admin, 100.62

SB 337 / All Facilities Letter November 19, 2009

HSC Section 1280.15

42 USC § 17932

California Attorney General – Cal. Civil Code §1798.82

Appendix A

Sample letter to patient

Date:

Name

Address

Re: Incorrect Release of Information

Dear

We are writing to inform you that we have just become aware that a hospital employee inadvertently, and against hospital procedure, changed information in the hospital information system, which caused a statement with information regarding your ______ visit to be sent to an employee at ______. The statement contained ______.

Corrective actions taken: We have re-educated all staff on the correct method to modify an account. In addition, with the assistance of our software vendor, we are investigating methods to increase the security of the system to prevent this issue from ever happening again.

Please rest assured that the information disclosed did not contain your:

-home address

-telephone number

-social security number

-diagnosis

Please know that we take the protection of your personal information very seriously and have a program in place to educate our staff on proper handling of confidential information. If you have a question or concern, please contact our Privacy Officer, Christine Sherrill, RHIA at (661) 823-3010.

Sincerely,

Alan J. Burgess, FACHE, CFAAMA

Chief Executive Officer

AJB/cms

Appendix B

Tehachapi Valley Healthcare District

115 West E Street, Tehachapi, CA 93561, (661)823-3000, (661)823-3082

CALIFORNIA DEPARTMENT OF PUBLIC HEALTH NOTIFICATION REPORTABLE EVENT

DATE: ______TIME: ______

FROM: TVHD, ______TELEPHONE: ______

TO: California Department of Public Health, Licensing and Certification/Bakersfield District Office

1200 Discovery Plaza, Suite 120, Bakersfield, CA 93309, (866)222-1903, FAX (661)336-0529

ATTN: ______

RE: Patient/Staff ______DOB: ______

Regulation/Statute / Specify Applicable Regulation/Statute
[ ] Never 28: Adverse event… with serious disability or death / H & S 1279.1 – 11279.4
[ ] Unusual Occurrence, call and fax / Title 22, CCR 70737
[ ] Product or Device Event
[ ] Surgical/Procedure Event
[ ] Patient Protection Event
[ ] Case Management Event
[ ] Environmental Event
[ ] Criminal Event: Injury or condition resulting from neglect or abuse from receiving facility / Penal Code, Section 11161.8
[ ] Privacy Event (SB 541)
Briefly describe event:
Privacy Event: Include Quantros#:
TVHD staff: See Reportable Event Policy #100.59 and Breach Notification # 700.104
Confidentiality Notice
The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled.
If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.

Appendix C

Sample Security Breach Notification Text

To [name]:

In [date], Tehachapi Valley Healthcare District officials were notified of the [description of breach]. This [computer/server/laptop] contained a list of [department] [patients/employees]. The list included the names and [Social Security/bank account/credit card numbers] of the [patients/employees]. We are notifying you of this security breach because you are one of the [patients/employees] whose personal information was present on the [computer/server/laptop]. Although we have no evidence that an unauthorized individual has actually retrieved and is using your personal data, we are bringing this incident to your attention, in accordance with California law, so that you can be extra alert to signs of any possible misuse of your personal identity. We regret that your information may have been subject to unauthorized access and have taken remedial measures to ensure that this situation is not repeated.

Although there is no evidence that an unauthorized person has obtained your personal information and is using it, there are some steps you can take, exercising abundant caution, to protect yourself.

First, you may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call any one of the three credit reporting agencies at the phone numbers listed below. You should (1) request that a fraud alert be placed on your account and (2) order a free credit report from the agency.

  • Equifax 1-888-766-0008
  • Experian 1-888-397-3742
  • Trans Union 1-800-680-7289

Second, when you receive your credit reports, look them over carefully for accounts you did not open or for inquiries from creditors that you did not initiate. Review your personal information, such as home address and Social Security number, for accuracy. If you see anything you do not understand, call the credit agency at the telephone number on the report. Please note that the District will not contact you again to confirm any of your personal information, so if an unknown person should contact you, do not give out any additional information.