Class assignment

1. Steps To
Breach
Notifications
Source: Open Clip Art Library
Art by: Openxs (6-7-10)

2. Breach
A breach means the unauthorized acquisition, access, use, or disclosure of PHI
which compromises the security or privacy of such information, except where
an unauthorized person to whom such information is disclosed would not
reasonably have been able to retain such information.
Exceptions: b. such information is not further
Any unintentional acquisition, access acquired, accessed, used, or disclosed
or use of PHI by an employee or by any person;
Individual acting under the authority of a any inadvertent disclosure from an
Covered entity (CE) or business associate individual who is otherwise authorized
(BA). to access PHI at a facility operated by
a. such acquisition, access, or use was a CE or BA to another similarly
made in good faith and within the situated individual at the same facility;
course and scope of the employment or any such information received as a
other professional relationship of such result of such disclosure is not further
employee or individual, respectively, acquired, accessed, used or disclosed
with the CE or BA and without authorization by any person.
Source: Flickr
Photo by: David Jones (9-15-07)

3. The first day the breach is discovered:
Discovery - A breach shall be treated as Notification – All notifications
discovered by a covered entity or by a required under this section shall
business associate as of the first day on be made without unreasonable
which the breach is known to the delay and in no case later than
Covered Entity or by a Business 60 calendar days after the discovery
Associate as of the first day on which of a breach by the CE involved or BA
the breach is known to the CE or the BA involved in the case.
(including any person, other than the
individual committing the reach, that is
an employee, officer or other agent of
such entity or associate respectively), or
should reasonably have been known to
such entity or associate (or person) to
have occurred.
Source: Open Clip Art Library
Art by: eady (8-11-10

4. Methods:
Individual Notice – The notice required under this
section to be provided to an individual, with respect to
a breach, shall be provided promptly and in the
following form:
a. Written Notification – Must be made by first class mail
to the individual (or next of kin of the individual if the
individual is deceased) at the last known address of the
individual or the next of kin, respectively or if specified as a
preference by the individual, by electronic mail. The
notification may be provided in one or more mailings as
information is available.
Image provided by Clip Art

5. B. In the case in which there is insufficient, or out-of-date
contact information (including a phone number, email
address, or any other form of appropriate communication)
that precludes direct written notification to the individual,
Substitute form of notice shall be provided, including, in the
case that there are 10 or more individuals for which there is
insufficient or out-of-date contact information, a
conspicuous posting for a period determined by the
Secretary on the home page of the Web site of the covered
entity involved or notice in major print or broadcast media,
including major media in geographic areas where the
individuals affected by the breach likely reside. Such a notice
in media or web posting will include a toll-free phone
number where an individual can learn whether or not the
individual’s unsecured protected health information is
possibly included in the breach.

6. c. In any case deemed by the CE involved to require
urgency because of possible imminent misuse of
unsecured PHI, the CE, in addition to notice
provided may provide information to individuals by
telephone or other means as appropriate.
MEDIA NOTICE
Media notices are to be done if a breach of
unsecured PHI is more than 500 residents of such
Sate or Jurisdiction is, or is reasonably believed to
have been, accessed, acquired or disclosed during
such breach.

7. What needs to be in the Notification?
1. Date of the Breach
2. Date of the Discovery of the Breach
3. A brief description of what happened
4. A description of what was breached, such
as:
a. Full Name
b. Social Security Number
c. Date of Birth
d. Home Address
e. Account Number
f. Disability Code
Image from Clip Art

8. 5. Steps need to be given to the individual on
what they need to do to protect
themselves from potential harm resulting
from the Breach.
6. Contact Procedures for individuals to ask
questions or learn additional
information, which shall include a toll free
number, an e-mail address, Web site, or
postal address.
7. If a law enforcement official determines
that a notification, notice or posting
required under this section would impede a
criminal investigation or cause damage to
national security, such notification, notice
or posting shall be delayed.

9. Image by Clip Art
NOTICE TO SECRETARY
Less than 500 – The CE may maintain a log of
any such breach occurring and annually
submit such a log to the Secretary
documenting such breaches occurring during
the year involved.
More than 500 – The CE must provide a notice
immediately to the Secretary.
POSTING ON HHS PUBLIC WEBSITE – The
Secretary shall make available to the public
on the Internet website of the Department of
Health and Human Services a list that identifies
each CE involved in the breach in which the
unsecured PHI of more than 500 individuals is
acquired or disclosed.

10. REFERENCES:
1. Analysis of Health Care Confidentiality, Privacy, and
Security Provisions of The American Recovery and
Reinvestment Act of 2009, Public Law 111-5 March, 2009
-
http://www.ahima.org/dc/documents/AnalysisofARRAP
rivacy-fin-3-3-2009a.pdf#page%3D1
2. eHealth Initiative – Navigating the American
Recovery and Reinvestment Act –
http://www.ehealthinitiative.org/stimulus/privacy.mspx
3. The Impact of the Stimulus Act on HIPAA Privacy and
Security (Webinar – March 12, 2009) – AHIMA
4. U.S. Department of Health & Human Services (2011).
Health Information Privacy. Retrieved from
www.HHS.gov
5. Images provided by Flickr -
http://www.flickr.com/search/?l=commderiv&q=privac
y
6. Images provided by Open Clip Art Library -
http://openclipart.org/search/?query=privacy