Contents:
- Assessment of Potential Breach Involving Protected Health Information
- Required Elements of Patient Notifications
- Breaches Involving Personal Data (non-PHI)

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the rule which compromises the security or privacy of the protected health information.

The HIPAA Breach Notification Rule, 45 CFR 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

The purpose of this documentation is to establish the following:
- The process UW Healthcare Components Compliance Group (HCCG) follows to report potential breaches of protected health information (PHI) to UW Compliance and Risk Services (CRS) and to refer potential breaches of non-PHI University Personal Data to the appropriate department.
- The UW CRS obligation to ensure notification to patients and other parties of a breach of PHI. The parties must be notified within specified timelines.

UW (HCCG) workforce members shall report potential breaches of PHI to their Privacy Liaison, and the Liaison reports these breaches to the UW CRS Privacy and Compliance Program Manager. The CRS Privacy and Compliance Program Manager will work with each unit privacy liaison to ensure that the event has been fully investigated and that all information relevant to the incident has been collected. The CRS Privacy and Compliance Program Manager shall review all relevant facts of a reported event to determine if a breach of PHI has occurred, which may include a formal risk assessment based on required factors to determine the probability that the PHI has been compromised. If a breach is confirmed, the CRS Privacy and Compliance Program Manager will ensure that written notification is provided to appropriate parties. The HCCG unit in which the potential breach occurs shall cooperate with the investigation, assist in remediating identified issues and may be responsible for funding the response and notification of affected patients.

Assessment of Potential Breach Involving Protected Health Information

UW CRS Privacy and Compliance reviews all relevant facts of the reported event and determines if the acquisition, access, use or disclosure of PHI:
- Was not for treatment, payment, or healthcare operations.

UW CRS Privacy and Compliance determines if the circumstances meet any of the following breach notification exceptions:
- An unintentional acquisition, access or use of PHI by a workforce member or business associate who is acting in good faith within the scope of their authority (providing it does not result in further impermissible use or disclosure).
- An inadvertent disclosure of UW HCCG PHI between two persons who are both authorized to access UW HCCG PHI, providing the information received as a result of such disclosure is not further impermissibly used or disclosed; or
- A disclosure of PHI to an unauthorized person who UW HCCG believes, in good faith, would not reasonably have been able to retain such information.

UW CRS Privacy and Compliance may still demonstrate that there is a low probability that the PHI has been compromised by conducting a formal risk assessment based on a minimum of the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.

If none of the exclusion criteria apply and a low probability of compromise to the PHI cannot be demonstrated, a breach of PHI is confirmed, and UW CRS Privacy and Compliance ensures completion of the notification process.

Parties Required to be Notified if Breach is Determined
- The Secretary of the Department of Health and Human Services (DHHS).
- The Washington State Attorney General (when a security breach involves more than 500 Washington state residents).
- The local media (when a privacy breach involves more than 500 residents of any given state or jurisdiction).

In general, notifications are made as soon as possible, without unreasonable delay and in no case later than 60 calendar days after the breach discovery date. Notification may be delayed if it would impede a criminal investigation or cause damage to national security. If a breach involves fewer than 500 patients, the timeframe for notification to DHHS is within 60 days of the end of the calendar year in which the breach occurred.