
HIPAA BREACH REPORTING

June 04, 2013 Robin Thomas, NC III, Presenter. HIPAA BREACH REPORTING. PRIVACY BREACHES A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or State laws. Federal Law is the HIPAA Privacy Rule and State Law is the Information Practices Act of 1977.


Presentation Transcript


  1. June 04, 2013 Robin Thomas, NC III, Presenter HIPAA BREACH REPORTING

  2. PRIVACY BREACHES
     • A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or State laws. Federal Law is the HIPAA Privacy Rule and State Law is the Information Practices Act of 1977.
     • Privacy breaches may be paper or electronic, and may occur when information is transmitted to an unintended or unauthorized recipient.
     • Examples of paper breaches include:
       • Misdirected paper faxes with PHI/PCI outside of the Department
       • Loss or theft of paper documents containing PHI/PCI
       • Mailings with PHI/PCI to incorrect providers or service recipient
     • Examples of electronic breaches include all of the following if they contain PHI/PCI:
       • Stolen unencrypted laptops, hard drives, or PCs
       • Stolen unencrypted thumb drives
       • Stolen unencrypted compact discs (CDs)
       • Misdirected electronic fax to a person outside of authorized State government

  3. INCIDENT REPORTING
     • State policy requires Departments to follow specified notification and reporting processes when information security incidents occur…and this process starts with you!
     • As soon as you are aware that an incident has occurred, report it to your supervisor immediately.
     • In addition, as applicable to the incident, you must report:
       • description of the information disclosed or accessed by an unauthorized person
       • the primary business processes involved

  4. Breach Reporting
     If a breach of security is suspected, you must immediately report it to the CDPH Information Security Office (CDPH.InfoSecurityOffice@cdph.ca.gov). If you suspect CDPH confidential or sensitive information was viewed by an unauthorized individual, you must also notify the CDPH Privacy Office (Privacy@cdph.ca.gov). Make sure to keep your Supervisor informed.

  5. First Contact:
     • Stephen Stuart, Privacy Officer/Sen. Staff Counsel, Privacy Office, Office of Legal Services, Stephen.Stuart@cdph.ca.gov, (916) 440-7432
     • Ivory Mitchell, Privacy Analyst, Privacy Office, Office of Legal Services, Ivory.Mitchell@cdph.ca.gov, (916) 440-7845

  6. STEP ONE
     • Email to Stephen and Ivory:
       • A clear and concise description of the incident
       • No abbreviations or acronyms. The PO or the ISO are not familiar with Newborn Screening's or other entities' abbreviations or acronyms.
       • Forms 1-4 listed on the next page

  7. STEP ONE
     • Complete and submit forms to the Privacy Office
       1. CDPH Breach Incident Reporting Form cdph2375
          • submit one form per incident
       2. HIPAA Breach Notification Checklist
          • complete one for each party involved
       3. State Breach Notification Checklist
          • complete one for each party involved
       4. Security Incident Determination Checklist
          • submit one form per incident
     • The Privacy Office will review and determine whether a breach occurred and next steps.

  8. STEP TWO
     • The Privacy Office will draft letters for mailing.
     • Review the letters for necessary corrections and send approval back to the Privacy Office.
     • The Privacy Office will update letters.
     • Print letters, obtain Program chief signature, copy for file and mail to affected parties.
     • Update and print Notification Log for file.

  9. STEP THREE
     • Complete and submit forms to the Privacy Office
     • Completed Breach Corrective Action Plan
     • Send copy of Notification Log 30 days after letters mailed.
     • Update Notification Log if any communication received.

  10. Office of Information Security Contacts:
     • Brian Issertell, Department of Public Health Information Security Office, Brian.Issertell@cdph.ca.gov, (916) 552-9924
     • Greg Meixner, Greg.Meixner@cdph.ca.gov, (916) 322-2649
