HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached”—in a way that compromises the privacy and security of the PHI.
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. A physician must take an active role in evaluating the severity of improper use or disclosure of PHI by assessing whether the use or disclosure meets HIPAA’s “low probability of compromise” threshold. To do so, physicians must use a 4-factor test:
In the absence of an exception or a demonstration of a low probability of compromise, physicians must notify patients and the U.S. Department of Health & Human Services (HHS) in the event of an impermissible use or disclosure of PHI. If, after evaluating whether the PHI has been compromised, a covered entity or business associate reasonably determines that the probability of such compromise is low, breach notification is not required. Covered entities are under no obligation to perform the entire 4-factor risk assessment if the PHI is obviously compromised. Covered entities may always begin the breach notification process without conducting a formal risk assessment. Once a covered entity knows or by reasonable diligence should have known (referred to as the “date of discovery”) that a breach of PHI has occurred, the entity has an obligation to notify the relevant parties (individuals, HHS and/or the media) “without unreasonable delay” or up to 60 calendar days following the date of discovery, even if upon discovery the entity was unsure as to whether PHI had been compromised.

Parties to notify

If the breach involves the unsecured PHI of more than 500 individuals, a covered entity must notify a prominent media outlet serving the state or jurisdiction in which the breach occurred, in addition to notifying HHS. For breaches involving fewer than 500 individuals, covered entities are permitted to maintain a log of the relevant information and notify HHS within 60 days after the end of the calendar year via the HHS website.

Encryption safe harbor

HIPAA only requires breach notification for unsecured PHI (e.g., unencrypted PHI). As such, physicians are encouraged to use appropriate encryption and destruction techniques for PHI, which render PHI unusable, unreadable or indecipherable to unauthorized individuals.
This resource is provided for informational and reference purposes only and should not be construed as the legal advice of the American Medical Association. Specific legal questions regarding this information should be addressed by one's own counsel.

A PII breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic. This includes, but is not limited to, posting PII on public-facing websites; sending PII via e-mail to unauthorized recipients; providing hard copies of PII to individuals without a need to know; loss of electronic devices or media on which PII is stored; use of PII by employees for unofficial business; and all other unauthorized access to and use of PII.

Immediate Actions to be Taken if a PII Breach Occurs

The most important thing to do if you discover that a breach of PII has occurred or is ongoing is to STOP IT as soon as possible.
Repercussions for NDU Personnel Who Breach PII Security

NDU faculty, staff or students found responsible for a PII breach will be required, at minimum, to complete a PII refresher training course and submit their certificate of completion to their supervisor. NDU supervisors must report to the NDU SCOP within 15 days of the breach what disciplinary and/or administrative actions were assessed against those personnel responsible for a breach.

Notification of Affected Parties
NDU Breach Response Plan

Internal Communications and Reporting

The NDU "Incident Response Plan (IR-8)," dated 12 June 2018, applies to all military, civilian and contracted NDU personnel, and is to be used when there is a known or suspected loss of NDU personally identifiable information (PII). All NDU personnel are required to immediately report to the IT Service Desk any confirmed or suspected security incidents below, for recording in the IT Service Management Application (ITSMA).
The Service Desk ensures the Incident Response Team Manager (IRTM) has acknowledged security incidents reported in the ITSMA within one hour. If the IRTM does not acknowledge the incident, the incident report is escalated to the Chief Information Security Officer (CISO). The IRTM initiates and manages all IR reporting activities. If an incident occurs outside normal business hours, reporting may be completed the next business day. The IRTM records all incident activities in the “Incident Response Reporting Form” for the purposes of documentation, evidence preservation, and to address liability issues, including but not limited to:
External Communications and Reporting

The CISO serves as primary POC, and the CIO serves as secondary POC, for external communication of IR and IR reporting, to include:
Breach Reporting Resources
Who should be notified upon discovery of a breach or suspected breach of PII?

Report all cyber-related incidents involving the actual or suspected breach/compromise of PII within one hour of discovery to the United States Computer Emergency Readiness Team (US-CERT) by completing and submitting the US-CERT report at https://www.us-cert.gov/forms/report.
Who needs to be notified of a breach?

If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.
When a breach of PII has occurred, what is the first step?

Actions When a PII Breach Occurs:

Upon discovery, take immediate actions to prevent further disclosure of PII and immediately report the breach to your supervisor. (Note: Do not report the disclosure of non-sensitive PII.)
What is responsible for most PII data breaches?

The 8 Most Common Causes of Data Breach:

1. Weak and Stolen Credentials, a.k.a. Passwords
2. Back Doors, Application Vulnerabilities
3. Malware
4. Social Engineering
5. Too Many Permissions
6. Insider Threats
7. Physical Attacks
8. Improper Configuration, User Error