HIPAA Breach Notification
On September 23, 2013, the “HIPAA Omnibus Rule” took effect modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules and implementing various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This rule provides for the notification of individuals following a breach of their unsecured protected health information.
Unsecured protected health information is defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.
If, after investigating a suspected security breach, the Information Security Office determines that unsecured protected health information was or is reasonably believed to have been accessed, acquired, used, or disclosed in a manner not permitted and cannot demonstrate a low probability of compromise based on a risk assessment of the following factors, the Information Security Office will coordinate with covered components to notify affected individuals, following the methods required by 45 C.F.R. § 164.404.
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
Media Notification: If it is determined that a breach of unsecured protected health information involves more than 500 residents of a state or jurisdiction, the Information Security Office will coordinate with covered components to notify prominent media outlets serving the affected area, as required by 45 C.F.R. § 164.406.
Federal Notification: For all breaches affecting less than 500 individuals, the Information Security Office will coordinate with covered components to submit notice of all such breaches discovered in the prior calendar year to the Department of Health and Human Services (HHS) via the HHS website. This notice will be submitted to HHS on an annual basis, no later than sixty (60) days after the end of each calendar year. For all breaches affecting more than 500 individuals, the Information Security Office will coordinate with covered components to provide notice to HHS contemporaneously with the notification of affected individuals.
To fulfill burden of proof requirements, the Information Security Office will coordinate with covered components to document that all notifications were made or that the use or disclosure did not constitute a breach.
Note: Joint Guidance on the Application of FERPA and HIPAA to Student Health Records maintains that FERPA, not HIPAA, governs the health records of students.
Users are required to follow the Procedure for Responding to a Compromised Computer if they suspect that the security or privacy of a Carnegie Mellon computing resource has been compromised.
The HIPAA Supplement requires that users report actual or suspected vulnerabilities and breaches in the confidentiality, integrity, security and/or privacy or suspicious requests of protected health information to the HIPAA Privacy Officer and/or the HIPAA Security Officer.