HIPAA BREACH POLICIES FOR CLEAR HEALTH STRATEGIES, LLC
LAST UPDATED: May 21, 2020
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), all rules and regulations promulgated thereunder, including the “Privacy Rule” at 45 CFR Parts 160, 162, and 164, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and its implementing regulations (i.e., the Breach Notification Rule), require Business Associates to follow certain steps following a Breach of Unsecured PHI. The purpose of these HIPAA Breach Policies (“Breach Policies”) is to document the compliance of Clear Health Strategies, LLC (the “Company”) with the Breach notification requirements of HIPAA, including the “Breach Notification Rule” at 45 CFR Part 164, as amended. Company has adopted the Breach Policies in order to comply with the Breach Notification Rule and other HIPAA requirements to protect the confidentiality of PHI. Company is considered a Business Associate under HIPAA because it creates, receives, maintains, or transmits PHI on behalf of health plans (each a “Covered Entity” and collectively, the “Covered Entities”) as part of the management service it provides. These Breach Policies are subject in all respects to additional or more restrictive requirements under applicable state law and any Business Associate Agreement between Company and a Covered Entity.

Responsibilities
If not otherwise specified, the Privacy Officer and his or her designee(s) (the “Privacy Officer”) are responsible for implementing these Breach Policies. Please contact the Privacy Officer if you have any questions about these Breach Policies.
***
DEFINED TERMS
All terms used but not otherwise defined in these Breach Policies shall have the same meaning as those terms are defined under HIPAA. The below definitions apply only to the use of the defined terms in these Breach Policies and not to any other policies of Company.
“Breach” means an unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security or privacy of such information. Except as indicated in the Breach Policy, an unauthorized acquisition, access, use, or disclosure of Unsecured PHI is presumed to be a reportable Breach unless, after conducting a risk assessment, Company has demonstrated that there is a low probability that PHI has been compromised. The term “Breach” does not include:
A. Any unintentional acquisition, access, or use of PHI by a Workforce Member, individual acting under the authority of Company, or a Business Associate, if such acquisition, access, or use was made: (1) in good faith; (2) within the course and scope of their authority with Company or a Business Associate; and (3) such information is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule; or
B. Any inadvertent disclosure by either: (1) a person who is authorized to access PHI at Company; (2) a Business Associate to another person authorized to access PHI at Company; or (3) Business Associate; where any such information received as a result of such disclosure is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule; or
C. A disclosure of PHI where Company or Business Associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
“Business Associate” means an entity that provides, other than in the capacity of a Workforce Member of Company, services for or on behalf of Company, in which the provision of the service involves the access, use, or disclosure of PHI from Company or from another Business Associate of Company.
“Business Associate Agreement” or “BAA” means a written agreement which sets forth requirements to ensure that the Business Associate will appropriately use and safeguard PHI.
“Covered Entity” means a health plan; health care clearinghouse; or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA (see 45 CFR § 160.103).
“Discovery of the Breach” or “Discovery” of a security incident is considered to be the first day on which the Breach is known to Company or should have been known to Company if it had exercised reasonable due diligence.
“Individual” means a person who is receiving services from Company and whose PHI is protected by these Breach Policies. A Personal Representative of an Individual should be treated the same as an Individual with respect to the Individual’s PHI.
“Personal Representative” means a person who has legal authority to make health care decisions on behalf of the Individual. For example, a parent or legal guardian.
“Privacy Officer” means the Privacy Officer as designated by Company, or his or her designee.
“Protected Health Information” or “PHI” means Individually Identifiable Health Information that Company transmits or maintains in Electronic Media or any other form or medium. PHI does not include Individually Identifiable Health Information contained in education records or employment records held by Company in its role as employer, and Individually Identifiable Health Information regarding a person who has been deceased for more than 50 years. This includes electronic PHI (“e-PHI”) and hardcopy formats of PHI.
“Secretary” means the Secretary of the United States Department of Health and Human Services.
“Subcontractor” means a person to whom Company delegates a function, activity, or service, other than in the capacity of a Workforce Member of Company.
“Subcontractor Business Associate Agreement” or “Sub-BAA” means a BAA which sets forth requirements to ensure that the Subcontractor will appropriately use and safeguard PHI.
“Unsecured PHI” means PHI that is not encrypted and rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
“Workforce” or “Workforce Member” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Company is under the direct control of Company, whether or not they are paid directly by Company.
SECTION 1: APPLICABILITY
Company will receive and respond to potential Breaches of Unsecured PHI, comply with notification requirements following a Breach of Unsecured PHI, and will investigate potential Breaches in accordance with these Breach Policies.
The below procedures are subject to any Business Associate Agreement between Company and a Covered Entity and state data breach notification laws. The law of an Individual’s state of residence will apply with respect to breach analysis and notification requirements.
A. An acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted under the HIPAA Privacy Rule is presumed to be a Breach that requires notification, unless (1) an exception applies; or (2) Company demonstrates that there is a low probability that the Unsecured PHI has been compromised, based on a risk assessment (described below).
B. Workforce Members should notify their appropriate supervisor(s) and/or the Privacy Officer of unauthorized access, use, or disclosure of Unsecured PHI, provide relevant facts regarding the unauthorized incident, and cooperate with subsequent investigations.
C. Company will provide notification to Covered Entity of the suspected Breach without unreasonable delay and in accordance with the BAA.
D. Workforce Members will be trained on how to identify and report potential Breaches.
E. Appropriate sanctions may be applied, up to and including termination, against Workforce Members who fail to comply with this Breach Policy.
F. Subcontractors of Company shall be required to notify the Company’s Privacy Officer, without unreasonable delay, and no later than the period set forth in the Sub-BAA between the Subcontractor and Company, upon Discovery of a potential Breach.
G. Company and the Subcontractor may refer to the Sub-BAA for any specific obligations in the event of a suspected Breach.
SECTION 2: BREACH INVESTIGATION
2.1 Discovery of the Breach
A. Breach is “discovered” as of the first day on which Breach is known, or by exercising reasonable diligence would have been known, to Company.
B. Company will mitigate, to the extent practicable, known harmful effects of the Breach.
C. Company will report discovery of the Breach to the applicable Covered Entity within the time period set forth in the BAA.
2.2 Initial Investigation
A. Company should work with appropriate Workforce Members, as necessary, to uncover the facts related to the incident. Investigative actions may include, but are not limited to, conducting Workforce Member interviews, system audits, and site observations.
B. Company may conclude that a Breach has not occurred if the information is de-identified; or the use or disclosure meets one of the following regulatory exceptions and does not result in further use or disclosure not permitted under the HIPAA Privacy Rule:
- Unintentional acquisition, access, or use of PHI if made in good faith and within the scope of authority;
- Inadvertent disclosure by a person who is authorized to access PHI at Company to another person authorized to access PHI at Company; or
- Disclosure of PHI where Company has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
C. Company will comply with the applicable BAA in providing information regarding its investigation of the Breach under this Breach Policy to the Covered Entity.
2.3 Presumption of Breach
If an unauthorized acquisition, access, use, or disclosure of PHI has occurred, and does not meet one of the exceptions provided above, it is presumed to be a Breach unless a risk assessment, as described below, is conducted and determines a low probability of compromise.
SECTION 3: RISK ASSESSMENT
A. If the Company does not choose to automatically provide notification to the Covered Entity and unless notification of suspected Breaches is required by the applicable BAA, then Company will conduct a risk assessment to determine whether there is a low probability that the impermissible acquisition, access, use, or disclosure compromised the security or privacy of the Unsecured PHI. If the Company determines there is a low probability that the use or disclosure compromised the security or privacy of the Unsecured PHI then the incident does not constitute a Breach.
B. The risk assessment must consider, at minimum, the following four factors:
1. The nature and extent of PHI involved, including:
a. Types of identifiers disclosed;
b. Likelihood of re-identification of PHI; and
c. The broad range of potential harms flowing from disclosure to unauthorized individuals.
2. The unauthorized person who used PHI or to whom the disclosure was made;
3. Whether PHI was actually acquired or viewed; and
4. The extent to which the risk to PHI has been mitigated.
C. The appropriate Workforce Member or the Privacy Officer should document the findings of the risk assessment and retain them in accordance with document retention policies and the HIPAA Privacy Rule.
A sample Breach Risk Assessment Tool is attached as Exhibit A.
SECTION 4: NOTIFICATION
If the Company determines a Breach has occurred and the BAA requires the Company to provide Breach notifications, Company will notify the appropriate parties in accordance with these Breach Policies and any requirements under the BAA. If the BAA does not require Company to provide Breach notifications or if the Covered Entity decides to provide the notifications despite the BAA, Company will not provide any notifications of the Breach.
A sample Breach Notification Letter is attached as Exhibit B.
4.1 Notification to Individuals
Following the discovery of a Breach, Company will notify the Individual(s) whose Unsecured PHI has been or is reasonably believed by Company to have been, accessed, acquired, used, or disclosed as a result of such Breach. Notification to an Individual will comply with the following requirements for general, substitute, and urgent notice.
General Notice
A. Company will provide the notification without unreasonable delay and in no case later than 60 calendar days after Discovery of the Breach.
B. If the Covered Entity has elected to provide automatic notification, or the risk assessment determines that a Breach has occurred, Company will provide written notice to the affected Individual or:
1. If the Individual is deceased, the next of kin or Personal Representative;
2. If the Individual is incapacitated/incompetent, the Personal Representative; or
3. If the Individual is a minor, the parent or guardian.
C. Written notification will be in plain language at an appropriate reading level, with clear syntax and language and no extraneous materials. Americans with Disabilities Act and Limited English Proficiency requirements must be met.
D. Written notification will contain the following information:
- A brief description of what occurred with respect to the Breach, including, to the extent known, the date of the Breach and the date on which the Breach was discovered;
- A description of the types of Unsecured PHI that were disclosed during the Breach;
- A description of the steps the affected Individual should take in order to protect himself or herself from potential harm caused by the Breach;
- A description of what the Company is doing to investigate and mitigate the Breach and to prevent future Breaches;
- Instructions for the Individual to contact the Company (toll free phone number, email, website, or postal address); and
- Any other elements required by applicable state law.
E. Company will consult with the Covered Entity regarding any other information to be included in the notification and to obtain Covered Entity’s approval prior to distributing the notification.
Substitute Notice
In the case where there is insufficient or out-of-date contact information:
F. Fewer than 10 Individuals: A substitute form of notice will be provided, such as a telephone call.
G. More than 10 Individuals: Company will:
- Post a conspicuous notice for 90 days on the homepage of its website that includes a toll-free number; or
- Provide notice in major print or broadcast media in the geographic area where affected Individual(s) can learn whether their Unsecured PHI is possibly included in the Breach. Company will also include a toll-free number in the notice.
Notice in Urgent Situations
If Company determines the affected Individual should be notified urgently of a Breach because of possible imminent misuse of Unsecured PHI, Company will consult with the Covered Entity and may, in addition to providing notice as outlined in the items above, contact the affected Individual by telephone or other means, as appropriate.
4.2 Notification to the Secretary
Following the discovery of a Breach of Unsecured PHI, Company will notify the Secretary of such Breach in the following manner:
A. Fewer than 500 Individuals: Company will record the Breach in the Breach Notification Log and, no later than 60 days after the end of each calendar year, provide notification to the Secretary in the manner specified on the HHS website.
B. 500 or more Individuals: Notice will be provided by Company without unreasonable delay, and in no case later than 60 days from the Discovery of the Breach, to the Secretary in the manner specified on the HHS website.
4.3 Notification to the Media
More than 500 Individuals: Notice will be provided to prominent media outlets serving that state or jurisdiction. Company will make such media contact pursuant to applicable media or communications policies. Company will provide notice without unreasonable delay and in no case later than 60 days after Discovery of the Breach.
4.4 Potential Delays to Notification Required by Law Enforcement
A. Company will delay notification if a law enforcement official states that notification would impede a criminal investigation or would cause damage to national security.
B. Company will delay the notification as specified in a written statement from law enforcement or, if no written statement is provided, for not more than 30 days from the date that Company is in receipt of oral notification from law enforcement. Company will document any such oral communication in writing.
A sample Breach Notification Log is attached as Exhibit C.
EXHIBIT A
SAMPLE – BREACH RISK ASSESSMENT TOOL
Privacy Officer:
Start Date:
End Date:
Department:
Occurrence Date:
Discovery Date:
Incident Location:
Date Reported:
Number of Affected Individuals:
DETERMINATION OF BREACH
- Was information acquired, accessed, used, or disclosed? If no, a Breach has not occurred.
- Is the information involved in the incident PHI? If no, a Breach has not occurred.
- Is the incident a HIPAA Privacy Rule violation? If no, a Breach has not occurred.
- Is the PHI involved secure (i.e., encrypted or otherwise rendered unusable or unreadable to unauthorized individuals)? If yes, it is unlikely that a Breach has occurred.
DETERMINATION OF EXCEPTION
Does the incident fall under one of the following exceptions? (If yes, a Breach has not occurred.)
- A good-faith, unintentional acquisition, access, or use of PHI by a Workforce Member, acting under the authority of Entity, if such acquisition, access, or use was made within the scope of authority and does not result in the further use or disclosure in a manner not permitted under the Privacy Rule; ❑ Yes ❑ No
- An inadvertent disclosure of PHI by a person authorized to access PHI at Company to another person authorized to access PHI at Company, and the information received is not further used or disclosed in a manner not permitted under the Privacy Rule; ❑ Yes ❑ No
- A disclosure of PHI for which Company has a good-faith belief that an unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information. ❑ Yes ❑ No
Please Note:
An acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted under the HIPAA Privacy Rule is presumed to be a Breach requiring notification unless an exception above is met or unless a low probability that the PHI has been compromised is demonstrated by the Risk Assessment below. (Automatic notification of a presumed Breach is permitted to avoid performing a risk assessment.)
RISK ASSESSMENT
*Risk Assessment factor required under HIPAA.
*1. What is the nature and the extent of the Breach of PHI involved in the incident?
1a. What sensitive PHI is involved (e.g., HIV/AIDS information, mental health, or substance abuse)?
1b. What financial information is involved (e.g., SSN, credit card, or bank numbers)?
1c. What is the likelihood that the data could be re-identified on the basis of the context AND ability to link the data with other available information (e.g., news stories, public records, unique traits)?
*2. Who used the PHI or to whom was the impermissible disclosure made?
2a. Does the person in receipt of the PHI have an obligation to protect the information (e.g., another entity governed by HIPAA)?
*3. Was the PHI actually acquired or viewed?
*4. To what extent has the risk to the PHI been mitigated?
4a. What corrective actions have been taken?
4b. Has the PHI been returned, remotely wiped, or destroyed?
4c. Has the unauthorized recipient(s) of the PHI provided satisfactory assurances that the information will not be further used or disclosed or will be destroyed?
5. What employee, department, and/or Workforce Member is responsible for the Breach?
6. What applicable safeguards were in place prior to the incident (e.g., locked file cabinets, badge entry, encryption, firewalls, passwords, biometrics, or other technological barriers)?
7. In the following questions, the probability that PHI has been compromised generally increases moving left to right, with the last response having the highest probability of compromise.
7a. Method of incident (circle one):
Verbal   Paper   Electronic
7a.1. If Electronic (circle one):
Desktop   Portable Device   Server
7b. Recipient(s) of PHI (circle one):
Internal Workforce   External Workforce   Public/Unknown
7c. Circumstances of incident (circle one):
Unintentional   Lost/Theft   Hack/Malicious/Targeted Theft
7d. Location of PHI subsequent to incident (circle one):
Returned Destroyed Unknown Re-Disclosed
7e. Safeguards (circle one):
De-Identified/Redacted   Encrypted   Password Protected   None
7f. Future risk (circle one):
None/Destroyed Re-Identifiable Re-Disclosed
8. What additional facts, specific to this incident, are notable in determining the risk of harm?
FINAL DETERMINATION
Based on this risk assessment, Company has determined:
❑ There is a low probability that the PHI has been compromised and, therefore, Company is not required to provide notification under HIPAA.*
❑ The probability that the PHI has been compromised is greater than “low” and, therefore, Company will provide notification under HIPAA.*
- Notwithstanding this Final Determination, Company should review its Business Associate Agreement(s) or other contractual agreements with its customers to determine whether any other action is required by Company and/or its customers, including but not limited to specific mitigating measures and/or reporting.
Approved by:
Privacy and/or Security Official:
Date:
Print Name:
EXHIBIT B
SAMPLE – BREACH NOTIFICATION LETTER
[LETTERHEAD]
[DATE]
[ADDRESS OF PATIENT]
[ADDRESS OF PATIENT]
[ADDRESS OF PATIENT]
Dear [Patient Name]:
I am writing to you about a recent potential disclosure of your personal information (“PHI”) from [Company] (the “Company”), which occurred on or around [INSERT DATE]. We became aware of this incident on [INSERT DATE].
✔ [INCLUDE FACTUAL DESCRIPTION OF THE INCIDENT]
The type of PHI about you that was involved includes:
✔ [INCLUDE LIST OF TYPES OF PHI THAT WERE BREACHED (SUCH AS WHETHER FULL NAME, SSN, BIRTH DATE, HOME ADDRESS, ACCOUNT NUMBER, DIAGNOSIS, OR DISABILITY CODE WERE INVOLVED)]
The Company has conducted an investigation of the events, including a review of relevant information and documentation, and has conducted meetings and interviews with individuals having knowledge of the events. In light of this investigation, we have taken the following actions:
✔ [LIST REMEDIAL STEPS TAKEN TO MITIGATE HARM]
If you have any questions or would like any additional information, you may contact us using the following information:
[Practice]
Attn: Privacy Officer
[INCLUDE ANY POTENTIAL STATE-SPECIFIC BREACH NOTIFICATION REQUIREMENTS IF BREACH INVOLVES MORE THAN PHI]
[INCLUDE TEXT BELOW IF INFORMATION THAT COULD BE USED TO PERPETRATE AN IDENTITY THEFT IS INVOLVED]
[To help ensure that this information is not used inappropriately, we encourage you to request a credit report. To do so, you may call the toll-free numbers of any one of the three major credit bureaus (below) to place a fraud alert on your credit report. This can help prevent an identity thief from opening additional accounts in your name. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place alerts on your credit report, and all three reports will be sent to you free of charge.
✔ Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241.
✔ Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013.
✔ TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790.]
The Company has also provided a membership for one year to [credit monitoring services].
The Company takes very seriously our role of safeguarding your personal information and using it in an appropriate manner. Accordingly, we apologize for any stress and worry this situation may have caused you, and we assure you that we are doing everything we can to rectify the situation.
Sincerely,
EXHIBIT C
SAMPLE – BREACH NOTIFICATION LOG
A record of the investigation of the reported Incident or potential Breach, as well as the risk assessment to determine notification requirements, should be retained in the file corresponding to the file number in this Breach Notification Log.
Log columns:
File #
Date of Discovery
Date of Reported Incident
Brief Description of Reported Incident/Breach*
Number of Individuals Involved
Was Written Breach Assessment Completed
Did Breach Occur (Y/N)
Notification Dates: Individuals; Media**; HHS; Other: Covered Entity
Actions Taken: Resolution Steps
* A description of what happened, including a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, etc.).
** Notice must be provided to a prominent media outlet only in the event of a Breach of Unsecured PHI involving more than 500 residents of a state or region.