The Health Information Technology for Economic and Clinical Health Act regulations (“HITECH”) amended the Health Information Portability and Accountability Act (“HIPAA”) to establish requirements for notifying individuals in the event of a breach (as defined by HIPAA) of their unsecured Protected Health Information (“PHI”). In addition, HITECH contains requirements for notifying the Office of Civil Rights (“OCR”) regarding breaches.
UW-Madison investigates potential breaches of PHI (referred to hereafter as “incidents”) and determines whether any incident meets HIPAA’s definition of a breach and therefore requires breach notification under HITECH. UW-Madison makes notifications in the manner required by HITECH.
- I. Investigations of Incidents (Paper or Oral Only)
  1. Anyone who becomes aware of an incident involving paper records or oral statements only must report the incident to the UW-Madison HIPAA Privacy Officer within 24 hours of the discovery of the incident. HIPAA incident reports should be submitted online via the reporting mechanism available at compliance.wisc.edu/hipaa.
  2. Examples of incidents involving paper records or oral statements only include:
     - A patient is handed a copy of the wrong After Visit Summary;
     - A health care provider is overheard discussing a patient’s identifiable medical information in the elevator or cafeteria;
     - An abstract or poster for a presentation at an event or conference contains PHI and does not reference obtaining appropriate authorization;
     - Postcards are mailed to patients or research subjects which name diagnoses or specific therapies in addition to full names and addresses.
  3. To the extent applicable, the HIPAA Privacy Officer will notify the HIPAA Privacy Coordinator of the applicable UW HCC unit within 24 hours of being notified of an incident.
  4. The HIPAA Privacy Officer shall lead the investigation and, in coordination with the HIPAA Privacy Coordinator of the applicable UW HCC unit or his/her designee, shall complete the UW-Madison HIPAA Breach Analysis Form as soon as practicable, absent exigent circumstances. The HIPAA Privacy Officer shall notify the HIPAA Privacy and Security Operations Committee of the investigation and, if an investigation appears likely to continue beyond 14 calendar days, shall also provide the reason for the delay.
  5. The HIPAA Privacy Officer shall maintain a log of all reported incidents along with information from the HIPAA Breach Analysis Form and information about any notices sent to affected individuals, media outlets, and the Office of Civil Rights of the Department of Health and Human Services (“OCR”).
- II. All Other Investigations of Incidents
  1. Anyone who becomes aware of an incident other than those described in I. above must report the incident to the HIPAA Privacy Officer or the HIPAA Security Officer within 24 hours of the discovery of the incident. The HIPAA Privacy Officer and HIPAA Security Officer shall collaborate with local/department IT staff to determine how best to initiate an investigation about an incident. HIPAA incident reports should be submitted online via the reporting mechanism available at compliance.wisc.edu/hipaa.
  2. If an incident is reported to a local/department IT office, that office shall immediately notify the HIPAA Privacy Officer or HIPAA Security Officer, and also submit the details of the incident online via the reporting mechanism available at compliance.wisc.edu/hipaa. The investigation shall then proceed as outlined in I.3-I.5, above.
  3. If additional information from the UW-Madison Chief Information Officer (“CIO”) is needed to investigate an incident, or as otherwise directed by the HIPAA Security Officer, the CIO’s Chief Information Security Officer (“CISO”) shall participate in the investigation and provide findings to the HIPAA Privacy and Security Officers without unreasonable delay and in no case more than 30 days from the date of discovery of the incident. The investigation shall then proceed as outlined in I.3-I.5, above.
  4. If the HIPAA Security Officer or CIO determines that an Administrative Leadership Team (“ALT”) should assemble as described in the CIO’s Information Incident Reporting and Response Policy, the ALT shall include the HIPAA Privacy Officer. Upon completion of the ALT’s analysis, the investigation shall then proceed as outlined in I.3-I.5, above.
- III. Breach Determination
  1. The HIPAA Privacy Officer, in consultation with the UW-Madison HIPAA Security Officer and the HIPAA Privacy and Security Operations Committee, as needed or as time permits, will make the final determination of whether a breach has occurred.
  2. The HIPAA Privacy Officer will notify the UW-Madison HIPAA Privacy and Security Executive Board of any required breach notifications.
- IV. Breach Notifications. If it is determined that a breach of unsecured PHI has occurred, the following notifications are made in accordance with HITECH regulations:
  1. Notification to Affected Individuals.
     - Without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, the HIPAA Privacy Officer notifies each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach.
     - The HIPAA Privacy Officer shall draft and sign any notification letter(s), consulting as needed with the Privacy Coordinator of the relevant HCC unit. The UW-Madison Office of Compliance shall ensure timely mailing of any notification letter(s).
     - The notification, written in plain language, shall include, to the extent possible:
       - A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
       - A description of the types of unsecured PHI that were involved in the breach (e.g., full name, social security number, date of birth, home address, account number, diagnosis, disability code, and/or other types of information);
       - Any steps individuals should take to protect themselves from potential harm resulting from the breach;
       - A brief description of what UW-Madison is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
       - Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
     - The notification required shall be provided in the following form:
       - Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
       - If UW-Madison knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.
       - If there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided (this does not apply to the next of kin or personal representative of the individual).
         - If there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
         - If there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:
           - Be in the form of either a conspicuous posting for a period of 90 days on the hipaa.wisc.edu home page, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
           - Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured PHI may be included in the breach.
       - In any case deemed to require urgency because of possible imminent misuse of unsecured PHI, the HIPAA Privacy Officer may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided as described above.
  2. Notification to the Secretary of the US Department of Health and Human Services (HHS).
     - For a breach involving 500 or more individuals, the HIPAA Privacy Officer provides notification to the Secretary contemporaneously with the notice to affected individuals in the manner specified on the HHS Web site.
     - For a breach involving fewer than 500 individuals, the HIPAA Privacy Officer, or the Privacy and Security Program Coordinator at his/her direction, maintains a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provides the notification for breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site.
  3. Notification to the Media. For a breach involving more than 500 residents of the State, the UW-Madison HIPAA Privacy Officer, in conjunction with University Communications, shall, contemporaneously with the notice to affected individuals and to the Secretary of HHS, notify prominent media outlets serving the State.
  4. Law Enforcement Delay. If a law enforcement official states that a notification, notice, or posting required by HIPAA would impede a criminal investigation or cause damage to national security, the HIPAA Privacy Officer shall:
     - If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
     - If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
  5. The HIPAA Privacy Officer will notify the HIPAA Privacy and Security Operations Committee and the HIPAA Executive Board when all required notifications have been made.
  6. In the event an incident involves research subjects, the HIPAA Privacy Officer shall notify the appropriate Institutional Review Board (“IRB”) upon learning of the incident if it is unclear that the IRB is already aware, and shall work with such IRB to ensure that any proposed remediation does not conflict with IRB determinations, policies, or laws governing human subjects research.
  7. Both breaches and incidents determined not to be breaches will be reported to the HIPAA Privacy and Security Operations Committee by the HIPAA Privacy Officer for discussion of possible remedial or preventive actions.
- V. Documentation Requirements
  The UW-Madison HIPAA Breach Analysis Form must be completed for each incident investigation.
Consequences for Non-Compliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failure to comply with HIPAA or to cooperate with OCR in an investigation may result in civil and/or criminal penalties.