Policy Summary
The Health Information Technology for Economic and Clinical Health Act (HITECH) regulations amended the Health Insurance Portability and Accountability Act (HIPAA) to establish requirements for notifying individuals in the event of a breach (as defined by HIPAA) of their unsecured protected health information. In addition, HITECH contains requirements for notifying the Office for Civil Rights (OCR) regarding breaches.
UW–Madison investigates potential breaches of protected health information (referred to hereafter as “incidents”) and determines whether any incident meets HIPAA’s definition of a breach and therefore requires breach notification under HITECH. UW–Madison makes notifications in the manner required by HITECH.
Policy Detail
I. Investigations of Incidents (Paper or Oral Only).
   1. Anyone who becomes aware of an incident involving paper records or oral statements only must report the incident to the UW–Madison HIPAA privacy officer within 24 hours of the discovery of the incident. HIPAA incident reports should be submitted online via the reporting mechanism available at compliance.wisc.edu/hipaa.
   2. Examples of incidents involving paper records or oral statements only include:
      a. A patient is handed a copy of the wrong After-Visit Summary.
      b. A health care provider is overheard discussing a patient’s identifiable medical information in the elevator or cafeteria.
      c. An abstract or poster for a presentation at an event or conference contains PHI and does not reference obtaining appropriate authorization.
      d. Postcards are mailed to patients or research subjects that name diagnoses or specific therapies in addition to full names and addresses.
   3. To the extent applicable, the HIPAA privacy officer will notify the HIPAA privacy coordinator of the applicable UW HCC unit within 24 hours of being notified of an incident.
   4. The HIPAA privacy officer will lead the investigation and, in coordination with the HIPAA privacy coordinator of the applicable UW HCC unit or their designee, will complete the UW–Madison HIPAA Breach Analysis Form as soon as practicable, absent exigent circumstances. The HIPAA privacy officer will notify the HIPAA Privacy and Security Operations Committee of the investigation and, if an investigation appears likely to continue beyond 14 calendar days, will also provide the reason for the delay.
   5. The HIPAA privacy officer will maintain a log of all reported incidents along with information from the HIPAA Breach Analysis Form and information about any notices sent to affected individuals, media outlets, and the Office for Civil Rights of the Department of Health and Human Services.
II. All Other Investigations of Incidents.
   1. Anyone who becomes aware of an incident other than those described in I. above must report the incident to the HIPAA privacy officer or the HIPAA security officer within 24 hours of the discovery of the incident. The HIPAA privacy officer and HIPAA security officer will collaborate with local/department IT staff to determine how best to initiate an investigation of the incident. HIPAA incident reports should be submitted online via the reporting mechanism available at compliance.wisc.edu/hipaa.
   2. If an incident is reported to a local/department IT office, that office will immediately notify the HIPAA privacy officer or HIPAA security officer and also submit the details of the incident online via the reporting mechanism available at compliance.wisc.edu/hipaa. The investigation will then proceed as outlined in I.3–I.5, above.
   3. If additional information from the UW–Madison chief information officer (CIO) is needed to investigate an incident, or as otherwise directed by the HIPAA security officer, the CIO’s chief information security officer (CISO) will participate in the investigation and provide findings to the HIPAA privacy and security officers without unreasonable delay and in no case more than 30 days from the date of discovery of the incident. The investigation shall then proceed as outlined in I.3–I.5, above.
   4. If the HIPAA security officer or CIO determines that an administrative leadership team should assemble as described in the CIO’s Information Incident Reporting and Response Policy, the administrative leadership team will include the HIPAA privacy officer. Upon completion of the administrative leadership team’s analysis, the investigation will then proceed as outlined in I.3–I.5, above.
III. Breach Determination.
   1. The HIPAA privacy officer, in consultation with the UW–Madison HIPAA security officer and the HIPAA Privacy and Security Operations Committee, as needed or as time permits, will make the final determination of whether a breach has occurred.
   2. The HIPAA privacy officer will notify the UW–Madison HIPAA Privacy and Security Executive Board of any required breach notifications.
IV. Breach Notifications. If it is determined that a breach of unsecured protected health information has occurred, the following notifications are made in accordance with HITECH regulations:
   1. Notification to Affected Individuals.
      a. Without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, the HIPAA privacy officer notifies each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach.
      b. The HIPAA privacy officer will draft and sign any notification letter(s), consulting the privacy coordinator of the relevant HCC unit as needed. The UW–Madison Office of Compliance will ensure timely mailing of any notification letter(s).
      c. The notification, written in plain language, will include, to the extent possible:
         i. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
         ii. A description of the types of unsecured protected health information that were involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, and/or other types of information);
         iii. Any steps individuals should take to protect themselves from potential harm resulting from the breach;
         iv. A brief description of what UW–Madison is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
         v. Contact procedures for individuals to ask questions or learn additional information, which will include a toll-free telephone number, an email address, a website, or a postal address.
      d. The required notification will be provided in the following form:
         i. Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information becomes available.
         ii. If UW–Madison knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information becomes available.
         iii. If there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual will be provided (this does not apply to the next of kin or personal representative of the individual).
            - If there is insufficient or out-of-date contact information for fewer than 10 individuals, such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
            - If there is insufficient or out-of-date contact information for 10 or more individuals, such substitute notice will:
               - Be in the form of either a conspicuous posting for a period of 90 days on the hipaa.wisc.edu home page or a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
               - Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
         iv. In any case deemed to require urgency because of possible imminent misuse of unsecured protected health information, the HIPAA privacy officer may provide information to individuals by telephone or other means, as appropriate, in addition to the notice described above.
   2. Notification to the Secretary of the U.S. Department of Health and Human Services (HHS).
      a. For a breach involving 500 or more individuals, the HIPAA privacy officer provides notification to the Secretary contemporaneously with the notice to affected individuals, in the manner specified on the HHS website.
      b. For a breach involving fewer than 500 individuals, the HIPAA privacy officer, or the privacy and security program coordinator at their direction, maintains a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provides notification of breaches discovered during the preceding calendar year, in the manner specified on the HHS website.
   3. Notification to the Media. For a breach involving more than 500 residents of the state, the UW–Madison HIPAA privacy officer, in conjunction with the Office of Strategic Communication, will, contemporaneously with the notice to affected individuals and to the Secretary of HHS, notify prominent media outlets serving the state.
   4. Law Enforcement Delay. If a law enforcement official states that a notification, notice, or posting required by HIPAA would impede a criminal investigation or cause damage to national security, the HIPAA privacy officer will:
      a. If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
      b. If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and for no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
   5. The HIPAA privacy officer will notify the HIPAA Privacy and Security Operations Committee and the HIPAA Executive Board when all required notifications have been made.
   6. In the event an incident involves research subjects, the HIPAA privacy officer will notify the appropriate institutional review board (IRB) upon learning of the incident if it is unclear whether the IRB is already aware, and will work with the IRB to ensure that any proposed remediation does not conflict with IRB determinations, policies, or laws governing human subjects research.
   7. Both breaches and incidents determined not to be breaches will be reported to the HIPAA Privacy and Security Operations Committee by the HIPAA privacy officer for discussion of possible remedial or preventive actions.
V. Documentation Requirements. The UW–Madison HIPAA Breach Analysis Form must be completed for each incident investigation.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.