Health Insurance Portability and Accountability Act Breach Notification Procedures

  1. Reporting Potential Breaches. WMU personnel shall immediately report any potential or suspected breach of PHI or WMU’s privacy policies to their unit’s HIPAA Compliance Officer, consistent with WMU’s Breach Notification Policy. 
  2. Investigating Potential Breaches. The Privacy Officer, or their designee, shall promptly investigate any reported privacy breach or related individual complaints to determine whether there has been a breach of PHI as defined by HIPAA, and if so, whether and how notice should be given.

2.1.  The fact-finding investigation should gather details about:

  • 2.1.1.     Whether the alleged breach violates the HIPAA privacy rule, or WMU’s HIPAA privacy policies and procedures;
  • 2.1.2.     The manner in which the data was accessed, used, or disclosed and circumstances of the incident;
  • 2.1.3.     The date the incident occurred and the date it was discovered;
  • 2.1.4.     The number of individuals whose information was involved;
  • 2.1.5.     The states in which the affected individuals reside;
  • 2.1.6.     The nature and extent of the information involved (e.g., did it involve PHI);
  • 2.1.7.     The identity of the unauthorized person who used or received the information;
  • 2.1.8.     Whether the information was acquired or viewed;
  • 2.1.9.     Whether the information is secured;
  • 2.1.10.  The probability that the information was compromised; and
  • 2.1.11.  The extent to which risk of further disclosure has been mitigated.

2.2.  Determine whether the information is deemed “secured” under HIPAA.  If the information meets one of the tests below for being secured, the incident will not be considered a breach and notification will not be necessary.

2.2.1.     Electronic data is considered secured if:

  • 2.2.1.1.          The data has been properly encrypted consistent with guidance issued by the Department of Health & Human Services and
  • 2.2.1.2.          The individual/entity with improper access to the information does not have access to the confidential decryption process or key.

2.2.2.     Destroyed data may be considered secured if:

  • 2.2.2.1.          The information was stored on hard copy media, and the media has been shredded or destroyed in such a way that the PHI cannot be reconstructed. (Redaction is not an effective form of destruction.)
  • 2.2.2.2.          The information is electronic and has been cleared, purged or destroyed consistent with National Institute of Standards & Technology (NIST) Guidelines, so that the PHI cannot be retrieved.

2.3.  Determine whether the incident falls within an inadvertent acquisition or disclosure exception.  If the Breach Notification Team concludes that the incident meets one of the exceptions below, the incident will not be considered a breach and notification will not be necessary:

2.3.1.     Unintentional acquisition, access or use of PHI.  In order for this exception to apply, all of the following must be true:

  • 2.3.1.1.          The unauthorized acquisition, access or use of PHI was unintentional;
  • 2.3.1.2.          The individual who acquired, accessed or used the PHI is a member of WMU’s workforce, a member of a business associate’s workforce, a person acting under the authority of WMU or WMU’s business associate, or the individual who acquired, accessed, or used the PHI did so in good faith; and
  • 2.3.1.3.          The acquisition, access or use did not result in any further impermissible use or disclosure.

2.3.2.     Inadvertent internal disclosure of PHI. This exception applies if all of the following are true:

  • 2.3.2.1.          The disclosure is made by an individual who is authorized to access PHI;
  • 2.3.2.2.          The disclosure is made to an individual who is authorized to access PHI;
  • 2.3.2.3.          Both individuals work for the same organization, which may be a WMU Covered Component, a WMU business associate, or an organized health care arrangement in which WMU participates; and
  • 2.3.2.4.          The disclosure did not result in any further impermissible use or disclosure.

2.3.3.     Determine whether the information would not be retained. This exception applies if all of the following are true:

  • 2.3.3.1.          The disclosure is made to an unauthorized individual; and
  • 2.3.3.2.          WMU or its business associate has a good-faith belief that the unauthorized individual would not reasonably have been able to retain the information.

3.  Risk Assessment

3.1.  If the Breach Notification Team determines that the information was not secured and did not fall within one of the exceptions noted above, the Team must conduct a risk assessment. An impermissible use or disclosure is presumed to be a breach unless the risk assessment demonstrates that there is a low probability that the PHI has been compromised. If the Breach Notification Team concludes that there is a low probability that the PHI has been compromised, then notification is not required.

3.2.  Factors to consider include:

  • 3.2.1.     Whether it included other personally identifying information (e.g., social security numbers, driver’s license numbers, bank account/credit card numbers) that could be used for identity theft or identity fraud crimes;
  • 3.2.2.     Whether it included information about an individual’s medical treatment, diagnoses, diseases, or similar detail;
  • 3.2.3.     Whether the PHI could be reidentified based on the context and the ability to link the information with other available information;
  • 3.2.4.     Whether the unauthorized person or entity has a legal or contractual duty not to misuse the information;
  • 3.2.5.     Whether the PHI was actually acquired or viewed;
  • 3.2.6.     Whether electronic PHI was accessed, viewed, acquired, transferred or otherwise compromised;
  • 3.2.7.     The extent to which the risk to the PHI has been mitigated;
  • 3.2.8.     Whether there are past dealings with the recipient or other factors that would indicate that the recipient can be trusted not to use or further disclose the information; and
  • 3.2.9.     Other facts and circumstances that would indicate that the recipient of the information is unlikely to misuse the information.

4. Notice. If WMU is notified of possible unauthorized PHI disclosure, it must evaluate notification requirements.

4.1.  If the Privacy Officer, in consultation with the Breach Notification Team, determines that a breach of unsecured PHI has occurred, the Privacy Officer shall notify the individual, the United States Department of Health and Human Services (HHS), and the media (if required) consistent with the below and applicable legal requirements.  Any notice provided pursuant to this Policy must be approved and directed by the Privacy Officer or their designee. No other WMU personnel are authorized to provide such notice unless expressly directed by the Privacy Officer and/or WMU Senior Administration Officials.

4.2.  Notice to Individuals.  The Privacy Officer or their designee shall notify the affected individual(s) without unreasonable delay and in no case later than five University business days after WMU discovers or is informed of the breach.

  • 4.2.1.     The notice shall be in plain language and include, when available: (1) a brief description of the breach incident (e.g., the date(s) of the breach and its discovery); (2) a description of the types of information affected (e.g., whether the breach involved names, social security numbers, birthdates, addresses, diagnoses, etc.); (3) steps that affected individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what WMU is doing to investigate, mitigate, and protect against further harm or breaches; and (5) contact procedures for affected persons to ask questions and receive information, which shall include a toll-free telephone number, e-mail address, website, or postal address at which the person may obtain more information.
  • 4.2.2.     The Privacy Officer or their designee shall notify the individual by first class mail to the individual’s last known address or, if the individual agrees, electronically.  The notice may be sent by one or more mailings as information is available.

4.3.  Substitute Notice. If WMU does not have sufficient contact information to provide direct, written notice to the individual, the Privacy Officer or their designee must use a substitute form of notice reasonably calculated to reach the individual.

4.4.  Fewer than ten affected individuals. If there is insufficient contact information for fewer than ten affected individuals, the Privacy Officer or their designee shall provide an alternative form of written, telephone, e-mail, or other type of notice.

4.5.  Ten or more affected individuals. If there is insufficient contact information for ten or more affected individuals, the Privacy Officer or their designee shall do one of the following after consulting with WMU Administration:

  • 4.5.1.     Post a conspicuous notice on WMU’s and the Covered Unit’s website home page for 90 days with a hyperlink to the additional information required to be given to individuals as provided above; or publish a conspicuous notice in major print or broadcast media in the area where affected individuals may reside.
  • 4.5.2.     Notice must include a toll-free number that remains active for at least 90 days so individuals may call to learn whether their PHI was breached.

4.6.  Immediate Notice. If the Privacy Officer believes that PHI is subject to imminent misuse, the Privacy Officer or their designee may, in addition to the written notice described above, provide immediate notice to the individual by telephone or other means.

4.7.  Deceased Individual; Notice to Next of Kin. If the affected individual is deceased and WMU knows the address for the individual’s next of kin or personal representative, the Privacy Officer or their designee shall mail the written notice described above to the next of kin or personal representative. If WMU does not know the address for the next of kin or personal representative, WMU is not required to provide such notice.

4.8.  Notice to HHS. If the Privacy Officer determines that there was a breach of PHI, the Privacy Officer shall also notify HHS as described below.

  • 4.8.1.     Fewer than 500 Affected Individuals. If the breach involves PHI of fewer than 500 persons, the Privacy Officer may either (1) report the breach immediately to HHS, or (2) maintain a log of such breaches and submit the log to HHS annually within 60 days of the end of the calendar year as set forth on HHS’s website.
  • 4.8.2.     500 or More Affected Individuals. If the breach involves 500 or more individuals, the Privacy Officer shall notify HHS of the breach at the same time the Privacy Officer notifies the individual or next of kin. The Privacy Officer shall maintain and submit to HHS a log of breaches as set forth on HHS’s website.

4.9.  Notice to Media. If a breach of PHI involves more than 500 residents in a state, WMU will also notify prominent media outlets in such state. The notice shall be provided without unreasonable delay but no later than 60 days after discovery of the breach. The notice shall contain the same elements of information as required for the notice to the individual. The Privacy Officer shall work with WMU Administration and WMU’s Office of Marketing and Strategic Communication to develop an appropriate press release.

4.10.  Notice from Business Associate. If WMU’s business associate discovers a breach of PHI, the business associate shall notify the Privacy Officer as set out in the Business Associate Agreement (BAA). The business associate shall, to the extent possible, identify each person whose information was breached and provide such other information WMU requires to comply with this Policy.  Unless the Privacy Officer directs otherwise, the Privacy Officer or their designee shall provide the required notification.

4.11.  Notice where WMU is the Business Associate

If WMU is the Business Associate that made or discovered the breach, it will provide the covered entity or entities notice as set out in the applicable BAA and will cooperate with the Covered Entity as set forth in the applicable BAA.

4.12.  Delay of Notice Per Law Enforcement’s Request. Upon request from a law enforcement official, the Privacy Officer shall delay notice to the individual, HHS, and the media if the notice would impede a criminal investigation or threaten national security. If the law enforcement official’s statement is in writing and specifies the time for which the delay is required, the Privacy Officer shall delay the notice for the required time. If the official’s statement is verbal, the Privacy Officer shall document the statement and the identity of the official, and shall delay the notice for no more than 30 days from the date of the statement.

5. Training Employees. The HIPAA Compliance Officer of each Health Care Component shall train its workforce members upon hire and annually thereafter concerning the University’s HIPAA Policy and these procedures, including members’ obligation to immediately report suspected violations.

6. Sanctions. For employees, failure to follow this Policy and any associated procedures could lead to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements.  For students, failure to follow this Policy could lead to sanctions under the Student Code, up to and including expulsion.

7. Documentation. The Privacy Officer and Compliance Officer for the Covered Component shall prepare and maintain documentation required by this Policy for six years.  If the Privacy Officer and/or Compliance Officer for the Covered Component make a determination regarding any of the criteria addressed in Sections Two, Three and Four of this Policy, documentation must include the analysis and conclusions that led to any action or inaction on behalf of the University.

8. Mitigating Potential Breaches. If WMU personnel improperly access, acquire, use or disclose PHI and immediate action may cure or mitigate the effects of such use or disclosure, WMU personnel should take such action. For example, if WMU personnel improperly access or acquire PHI, they should immediately stop, close, and/or return the information.

9. Contact Information

Individuals who need to report a potential or suspected breach, or who have any questions about these procedures, should contact the WMU Privacy Officer at:

1903 West Michigan Ave.

Kalamazoo, MI 49008

Ph: 269-387-1900

Toll free:  855-247-3145

Hipaa-officer@wmich.edu

References

42 C.F.R. Part 160

Special Publication 800-88, Guidelines for Media Sanitization

https://www.hollandhart.com/pdf/HIPAA_Breach_Notification_Policy.pdf