BU Data Protection – HIPAA Data Security Incident & Breach Policy

Purpose & Scope

The Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act (Health Information Technology for Economic and Clinical Health Act) require Covered Components at Boston University to establish rigorous processes for the proper handling of any security incident involving Protected Health Information (PHI) and for the timely reporting of any breach of unsecured PHI.

This policy defines the requirements for Covered Components to report security incidents and breaches, whether known, possible or suspected. This policy supplements the BU HIPAA policy and the Data Protection Standards.

Policy

The HIPAA Covered Component will promptly report all incidents that might involve the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under HIPAA. The HIPAA Privacy and HIPAA Security Officers will determine, in consultation with other University officials and the Covered Component, whether a “breach” has occurred and what, if any, steps should be taken in response to the incident, including notification to affected individuals, the Secretary of U.S. Dept. of Health and Human Services, and the media if there has been a breach of “unsecured Protected Health Information.”

Reporting

If you suspect there has been an incident that might involve the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, you must promptly report it to the University.

What to report

  • Any event in which access to PHI might have been gained by an unauthorized person
  • Any event in which a device that contains (or might contain) PHI has been (or might have been) lost, stolen or infected with malicious software (viruses, trojans, etc.)
  • Any event in which an account belonging to a person who has access to the data might have been compromised, or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
  • Any attempt to physically enter or break into a secure area where PHI is or might be stored
  • Any other event in which PHI has been or might have been lost or stolen
  • Any other event in which PHI has been or might have been improperly used (e.g. used without the individual’s written authorization if authorization is required)

Reportable incidents include the impermissible use or disclosure of PHI by a Business Associate. If an incident occurs at a Business Associate that might involve a breach of BU’s PHI, the Business Associate is required to report it to the BU HIPAA Covered Component and BU Information Security. If you become aware of any incident at a Business Associate, you should report the incident immediately to the BU officials as described below. See Business Associate Contracts [link] and Business Associate Agreement form [link].

When to report

Generally, you should report before taking any investigative action.

If a computer is involved:

  • First, DO NOT TURN OFF OR UNPLUG THE COMPUTER
  • Second, unplug the network cable from the back of the computer and turn off any wireless internet connection
  • Report as described below.
  • TAKE NO OTHER ACTION.
    • DO NOT attempt to take any further action on your own.
    • DO NOT attempt to research what happened.
    • DO NOT attempt to encrypt or otherwise protect any sensitive data on your system.
    • Doing any of these things may destroy crucial forensic data.

How to report:

In the event of a data security incident or other incident that might involve a breach of PHI, report it immediately to:

  • The Covered Component’s HIPAA Security Champion
  • BU Information Security: irt@bu.edu or 617-358-1100
  • If a crime might have occurred or a public safety concern exists, also contact
    • Boston University Police 617-353-2121

University’s Review of Reported Incident

The HIPAA Privacy and Security Officers, in consultation with others, will determine whether a “breach” has occurred. An investigation and determination will be made by these institutional officials in consultation with the Covered Component, Office of the General Counsel, and others as appropriate.

Whether or not there has been a “breach,” these officials will determine, in consultation with the Covered Component, what steps need to be taken to further investigate, remediate, and mitigate the incident and protect against a future incident.

If a “breach of unsecured PHI” has occurred, these officials will give timely notices to affected individuals, federal authorities, and (for large scale breaches) the public media as appropriate and/or required. The required notice to affected individuals must be given without unreasonable delay and in any event no later than sixty (60) calendar days after the discovery of the breach (with certain permitted delays for law enforcement purposes), and thus prompt and informative reporting by the HIPAA Covered Component is critical.

The workforce of the HIPAA Covered Component will cooperate and give assistance as requested with the investigation, follow-up steps, and any notifications.

Breaches must also be tracked for an Accounting

In addition, disclosures of Protected Health Information must be tracked by the Covered Component in order to provide the affected individual with an accounting if requested. See Individual’s Request for an Accounting of Unauthorized Disclosures.


Examples and guidance on when to report and to whom

When should the BU HIPAA Component:

  • report impermissible uses and disclosures (as possible breaches); and/or
  • account for unauthorized uses and disclosures (whether permissible or impermissible); and/or
  • seek the advice of General Counsel or the Privacy Officer on uses and disclosures?

Definitions:

In the following examples, the term “Authorization” or “Authorized” refers to an individual’s authorization for disclosure of PHI, given on the Authorization form. The term “Accounting” refers to the requirement to maintain a log of un-Authorized disclosures. The term “Report” refers to the requirement to report possible breaches due to impermissible disclosure; such reports go to the BU Incident Response Team.

Examples

Examples of Impermissible Uses and Disclosures | Action to be taken by BU HIPAA Component

Unauthorized access to PHI by staff without a legitimate need to have access.
  • Report of possible breach is required
  • Accounting is required
Inadvertent disclosure of PHI due to failure to safeguard PHI from viewing by an unintended party. For example, a laptop containing unsecured PHI lost in a public place.
  • Report of possible breach is required
  • Accounting is required


Mistaken disclosure of PHI by misdirecting a disclosure to an unintended party. For example, sending PHI to an address not indicated in the patient’s Authorization form.
  • Report of possible breach is required
  • Accounting is required
A disclosure to a family member, when the individual patient has instructed that no information be given to this family member. (See NPP)
  • Report of possible breach is required
  • Accounting is required
Access by, or disclosure to, a researcher for research purposes without proper documentation of Authorization, Waiver of Authorization or Access Preparatory to Research. (See NPP)
  • Report of possible breach is required
  • Accounting is required, even if access is by Waiver or by Access Preparatory to Research (without Authorization)
  • Consultation with OGC or Privacy Officer is recommended.


Examples of Permissible, but un-Authorized, Uses and Disclosures | Action to be taken by BU HIPAA Component

Use by, or disclosure to, clinic staff as necessary for performance of the following duties:

  • Treatment – to provide, manage and coordinate care to meet your needs. Your treatment could also involve disclosing information to other providers such as a referring physician or dentist.
  • Payment – to obtain payment and determine health insurance eligibility. We may tell your health plan about treatment or services that may require their prior approval.
  • Health Care Operations – to assess the quality of care we provide, to improve our services, to train our staff and students, and to manage our business and services.

(See NPP)

  • Report of possible breach is not required
  • Accounting is required by HITECH; but
  • DHHS proposes to implement HITECH by requiring only
    • An access report that would provide information on who has accessed electronic PHI in a designated record set, including access for TPO (treatment, payment and health care operations) purposes
    • All Electronic Health Records must have the capacity to support access reporting
    • If an access report is requested, please consult OGC and the Privacy Officer.
Disclosure to comply with law requiring reports of suspected abuse or neglect of children, elders or disabled persons.  (See, NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is recommended.
Disclosure for public health activities to prevent or control disease such as reporting infectious diseases to boards of health, births or deaths or reactions to vaccines or medical devices to the FDA.  (See, NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is recommended.
Disclosure as legally required, or for federal and state health oversight activities such as fraud investigations. (See NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is required.
Disclosure as authorized by and necessary to comply with workers’ compensation law if you are injured at work.  (See, NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is recommended.
Disclosure for judicial or administrative proceedings in response to a valid court order, summons or subpoena to a hearing, or warrant.  (See, NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is required.
Disclosure to coroners, medical examiners and funeral directors. (See NPP)
  • Report of possible breach is not required
  • Accounting is required
  • Consultation with OGC or Privacy Officer is recommended.

Data Security Incident Reporting

If you suspect that a person is attempting to gain unauthorized access to another person’s medical information, contact your supervisor.

Any unauthorized disclosure or loss of HIPAA data must be reported to the BU Incident Response Team, irt@bu.edu or 617-358-1100, which will respond accordingly to the documented Data Breach Management Process.

Key Contacts

  • BU Information Security

BUInfoSec@bu.edu, (617) 353-9004

  • BU Information Security – Incident Response Team

irt@bu.edu, (617) 358-1100


Important

Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University.  The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.


History

Date: mm/dd/2013
Action: Approved
By: Quinn R. Shamblin, BU Information Security | HIPAA Security
Supersedes: –Original–

About

Standard Number: 1.3.4
Effective Date: xx/xx/2013
Policy applicable for: All
Responsible Office(s): BU Information Security
Policy Owner and Source of Approval: Information Security & Business Continuity Governance
Associated Standards/Regulations: Health Insurance Portability and Accountability Act (HIPAA)