POLICY: BREACH NOTIFICATION
Policy Number: HIP – 4343
Page(s): 1 of 3
Approved by:
Effective Date:
PURPOSE: To properly give notice to patients and the Secretary in the event of a Protected Health Information (PHI) breach.
POLICY: It is the policy of this clinic to properly notify impacted patients and the Secretary of HHS in the event of a PHI breach. A breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A breach is presumed unless this clinic can demonstrate a low probability that the PHI has been compromised based on a Risk Assessment of at least the following:
1. Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. Unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. Extent to which the risk to the PHI has been mitigated.
A breach shall be treated as discovered by this clinic as of the first day on which it is known to this clinic, or would have been known to this clinic by exercising reasonable diligence.
PROCEDURE:
This clinic will presume a breach has taken place unless it can demonstrate, based on the four-part Risk Assessment listed above, that there is a low probability that the PHI has been compromised. This Risk Assessment will be documented and retained regardless of the outcome.
Following a breach of unsecured protected health information (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance), this clinic will provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.
1. Individual Notice: The clinic will notify affected individuals following the discovery of a breach of unsecured protected health information. The clinic will provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If this clinic has insufficient or out-of-date contact information for 10 or more individuals, this clinic will provide substitute individual notice by either posting the notice on the home page of its web site for 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. If this clinic has insufficient or out-of-date contact information for fewer than 10 individuals, this clinic may provide substitute notice by an alternative form of written, telephone, or other means. These individual notifications will be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and will include, to the extent possible:
a. Description of the breach, including the date of the breach and the date of discovery, if known;
b. Description of the types of information that were involved in the breach;
c. Steps affected individuals should take to protect themselves from potential harm resulting from the breach;
d. Brief description of what this clinic is doing to investigate the breach, mitigate the harm, and prevent further breaches;
e. Contact information for this clinic.
f. This notification will be written in plain language.
g. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact this clinic to determine if their protected health information was involved in the breach. This number must remain active for at least 90 days.
2. Media Notice: If this clinic experiences a breach affecting more than 500 residents of a State or jurisdiction, it will, in addition to notifying the affected individuals, provide notice to prominent media outlets serving the State or jurisdiction. This clinic will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification will be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and will include the same information required for the individual notice.
3. Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), this clinic will notify the Secretary of Health and Human Services of breaches of unsecured protected health information. This clinic will notify the Secretary by visiting the HHS web site and filling out and electronically submitting the breach report form found at the following website: https://ocrnotifications.hhs.gov. If a breach affects 500 or more individuals, this clinic will notify the Secretary without unreasonable delay and in no case later than 60 days following the discovery of the breach. If, however, a breach affects fewer than 500 individuals, this clinic will notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
4. Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate will notify this clinic following the discovery of the breach, without unreasonable delay and in no case later than 60 days after discovery. To the extent possible, the business associate will provide this clinic with the identification of each individual affected by the breach, as well as any other information this clinic is required to include in its notification to affected individuals.