Skip to content

Breach Documentation And Notification Process 

Download the PDF version of this webpage

Jump to:

  1. Purpose of this documentation
  2. Process
  3. Assessment of Potential Breach Involving Protected Health Information
  4. Parties Required to be Notified
  5. Notification Timelines
  6. Required Elements of Patient Notifications
    1. Written Notifications
    2. Alternatives to Written Notifications
  7. Documentation Requirements
  8. Responsibility for Implementation
  9. Breaches Involving Personal Data (non-PHI)

HIPAA Breach Notification Rule

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the rule which compromises the security or privacy of the protected health information. The HIPAA Breach Notification Rule, 45 CFR 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Purpose of this Documentation

The purpose of this documentation is to establish the following:

  • The process UW Healthcare Components Compliance Group (HCCG) follows to report potential breaches of protected health information (PHI) to UW Compliance and Risk Services (CRS) and refer potential breaches of non-PHI University Personal Data to the appropriate department.
    UW CRS obligation to ensure notification to patients and other parties of a breach of PHI.
  • The parties must be notified by specified timelines.
  • Required content of notifications.
  • Responsibility for implementation.

Process

UW (HCCG) workforce members shall report potential breaches of PHI to their Privacy Liaison and the Liaison report these breaches to the UW CRS Privacy and Compliance Program Manager. The CRS Privacy and Compliance Program Manager will work with each unit privacy liaison to ensure that the event has been fully investigated and they had collected all the information relevant to this incident. The CRS Privacy and Compliance Program Manager shall review all relevant facts of a reported event to determine if a breach of PHI has occurred, which may include a formal risk assessment based on required factors to determine the probability that the PHI has been compromised. If a breach is confirmed, the CRS Privacy and Compliance Program Manager will ensure that written notification is provided to appropriate parties. The HCCG unit in which the potential breach occurs shall cooperate with the investigation, assist in remediating identified issues and may be responsible for funding the response and notification of affected patients.

Assessment of Potential Breach Involving Protected Health Information

  • UW CRS Privacy and Compliance reviews all relevant facts of the reported event and determines if the acquisition, access, use or disclosure of PHI:
    1. Was not for treatment, payment, or healthcare operations;
    2. Was not authorized by the patient; and
    3. Was not otherwise allowed by law.
  • UW CRS Privacy and Compliance determines if the circumstances meet any of the following breach notification exceptions:
    1. An unintentional acquisition, access or use of PHI by a workforce member or business associate who is acting in good faith within the scope of their authority (providing it does not result in further impermissible use or disclosure)
    2. An inadvertent disclosure of UW HCCG PHI between two persons who are both authorized to access UW HCCG PHI, providing the information received as a result of such disclosure is not further impermissibly used or disclosed; or
    3. A disclosure of PHI to an unauthorized person, who UW HCCG believes, in good faith, would not reasonably have been able to retain such information.
  • UW CRS Privacy and Compliance may still demonstrate that there is a low probability that the PHI has been compromised by conducting a formal risk assessment based on a minimum of the following factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the
      likelihood of re-identification
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
      Whether the PHI was actually acquired or viewed
    3. The extent to which the risk to the PHI has been mitigated.
  • If none of the exclusion criteria apply and a low probability of compromise to the PHI
    cannot be demonstrated, a breach of PHI is confirmed, and UW CRS Privacy and Compliance ensures completion of  the notification process.

Parties Required to be Notified if breach is determined

  1. The patient(s).
  2. The Secretary of the Department of Health and Human Services (DHHS).
  3. The Washington State Attorney General (when a security breach involves more than 500 Washington state residents).
  4. The local media (when a privacy breach involves more than 500 residents of any given state or jurisdiction).

Notification Timelines

In general, notifications are made as soon as possible, without unreasonable delay and in no case later than 60 calendar days after the breach discovery date.

Exceptions: 

  • Notification may be delayed if it would impede a criminal investigation or cause damage to national security.
  • If a breach involves less than 500 patients, the timeframe for notification to DHHS is within 60 days of the end of the calendar year in which the breach occurred

Required Elements of Patient Notifications

    • Written Notifications
  1. Must be sent by UW CRS Privacy and Compliance and signed by the UW CRS Privacy Officer or designee.
  2. Must be sent by first-class mail to the patient’s last known address (or to the patient’s personal representative if the patient is deceased and UW CRS Privacy and Compliance has the personal representative’s address). If specified as a preference by the patient, the notification may be sent by email.
  3. Must contain the following elements:
    • A brief description of what happened, including the breach discovery date and the actual date of the incident
    • If known, a specific description of the unsecured PHI that was involved in the breach (such as full name, Social Security number, date of birth, home address, account number or disability code)
    • The steps patients should take to protect themselves from potential harm resulting from the breach
    • A brief description of what UW CRS Privacy and Compliance is doing to investigate the breach, mitigate losses and help prevent further breaches
    • Instructions for obtaining further information, making inquiries and obtaining assistance (including toll-free telephone number, email address, website or postal address).
  • Alternative Written Notification
    • If there is insufficient or out-of-date contact information that precludes direct written notification to 10 or more patients, UW CRS Privacy and Compliance will provide substitute notice. Substitute notice will include a toll-free phone number for obtaining additional information about the breach and may be in one of the following forms:
    1. A conspicuous posting for 90 days on the UW HCCG specific unit website
    2. A notice in appropriate print or broadcast media that serve geographic areas
      where affected patients likely reside
    3. An alternative form of written notice, such as by email or by telephone.
  • If imminent misuse of unsecured PHI is suspected, notification may be by telephone or other means.

Documentation Requirements

Written documentation must be maintained to demonstrate completion of the following actions:

  • Breach risk assessment; and
  • Notification to required parties, including copies of letters

Responsibility for Implementation

  1. UW CRS Privacy and Compliance Program Manager assesses whether an incident constitutes a breach as defined by the Health Insurance Portability and Accountability Act, makes the relevant recommendation to the UW Privacy Officer for healthcare information.
  2. UW CRS Privacy and Compliance Program Manager ensures the required notifications are made and maintains all documentation.
  3. The HCCG unit in which the breach occurred may be required to pay for the cost of notifying patients.

Breaches Involving Personal Data (non-PHI)

  1. Unforeseen events, incidents, and potential or confirmed data breaches of Personal Data that does not constitute PHI must be reported to the department responsible for managing such incidents in accordance with University or entity policy.
  2. Communications to persons, other than patients or human subjects, about breaches involving University Personal Data will be made as directed by the University Privacy Officer.

REGULATORY/LEGISLATION/REFERENCES

  • Notification in the Case of Breach of Unsecured Protected Health Information, 45 C.F.R. §164, Subpart D.
  • Privacy of Individually Identifiable Health Information, 45 C.F.R. §164, Subpart E.
  • Revised Code of Washington (RCW) 19.255 Personal Information – Notice of Security Breaches.
  • RCW 19.86.090 Civil action for damages —Treble damages authorized — Action by governmental entities.
  • RCW 42.56.590 Personal information — Notice of security breaches

PROCEDURE ADDENDUM(s) REFERENCES/LINKS

  • UW Medicine Compliance Glossary.
  • UW Administrative Policy Statement 2.5 Information Security and Privacy Incident Reporting and management Policy.

Approvals

Jane Yung
UW Executive Compliance and Risk Officer

Updated: 7/9/2022