BU Data Protection – HIPAA Data Security Incident & Breach Policy
Purpose & Scope
The Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act (Health Information Technology for Economic and Clinical Health Act) require Covered Components at Boston University to establish rigorous processes for the proper handling of any security incident involving Protected Health Information (PHI) and timely reporting of any breach of unsecured PHI.
This policy defines the requirements of Covered Components to report security incidents and breaches, whether known, possible or suspected. This policy supplements the BU HIPAA policy and Data Protection Standards.
The HIPAA Covered Component will promptly report all incidents that might involve the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under HIPAA. The HIPAA Privacy and HIPAA Security Officers will determine, in consultation with other University officials and the Covered Component, whether a “breach” has occurred and what, if any, steps should be taken in response to the incident, including notification to affected individuals, the Secretary of U.S. Dept. of Health and Human Services, and the media if there has been a breach of “unsecured Protected Health Information.”
If you suspect there has been an incident that might involve the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, you must promptly report it to the University.
What to report
- Any event in which access to PHI might have been gained by an unauthorized person
- Any event in which a device containing (or possibly containing) PHI has been (or might have been) lost, stolen, or infected with malicious software (viruses, trojans, etc.)
- Any event in which an account belonging to a person who has access to the data might have been compromised or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
- Any attempt to physically enter or break into a secure area where PHI is or might be stored
- Any other event in which PHI has been or might have been lost or stolen
- Any other event in which PHI has been or might have been improperly used (e.g. used without the individual’s written authorization if authorization is required)
Reportable incidents include the impermissible use or disclosure of PHI by a Business Associate. If an incident occurs at a Business Associate that might involve a breach of BU’s PHI, the Business Associate is required to report it to the BU HIPAA Covered Component and BU Information Security. If you become aware of any incident at a Business Associate, you should report the incident immediately to the BU officials as described below. See Business Associate Contracts [link] and Business Associate Agreement form [link].
When to report
Generally, you should report before taking any investigative action.
If a computer is involved:
- First, unplug the network cable from the back of the computer and turn off any wireless internet connection, then
- Report as described below.
- TAKE NO OTHER ACTION.
- DO NOT attempt to take any further action on your own.
- DO NOT turn the machine off.
- DO NOT attempt to research what happened.
- DO NOT attempt to encrypt or otherwise protect any sensitive data on your system.
- Doing any of these things may destroy crucial forensic data.
How to report:
In the event of a data security incident or other incident that might involve a breach of PHI, report it immediately to:
- The Covered Component’s HIPAA Security Champion
- BU Information Security: firstname.lastname@example.org or 617-358-1100
- If a crime might have occurred or a public safety concern exists, also contact Boston University Police: 617-353-2121
University’s Review of Reported Incident
The HIPAA Privacy and Security Officers, in consultation with others, will determine whether a “breach” has occurred. An investigation and determination will be made by these institutional officials in consultation with the Covered Component, Office of the General Counsel, and others as appropriate.
Whether or not there has been a “breach,” these officials will determine, in consultation with the Covered Component, what steps need to be taken to further investigate, remediate, and mitigate the incident and protect against a future incident.
If a “breach of unsecured PHI” has occurred, these officials will give timely notices to affected individuals, federal authorities, and (for large scale breaches) the public media as appropriate and/or required. The required notice to affected individuals must be given without unreasonable delay and in any event no later than sixty (60) calendar days after the discovery of the breach (with certain permitted delays for law enforcement purposes), and thus prompt and informative reporting by the HIPAA Covered Component is critical.
The workforce of the HIPAA Covered Component will cooperate and give assistance as requested with the investigation, follow-up steps, and any notifications.
Breaches must also be tracked for an Accounting
In addition, disclosures of Protected Health Information must be tracked by the Covered Component in order to provide the affected individual with an accounting if requested. See Individual’s Request for an Accounting of Unauthorized Disclosures.
Examples and guidance on when to report and to whom
When should the BU HIPAA Component:
- report impermissible uses and disclosures (as possible breaches); and/or
- account for un-Authorized uses and disclosures (whether permissible or impermissible); and/or
- seek the advice of the General Counsel or Privacy Officer on uses and disclosures?
In the following examples, the term “Authorization” or “Authorized” refers to an individual’s authorization for disclosure of PHI, using the Authorization form. The term “Accounting” refers to the requirement of maintaining a log of un-Authorized disclosures. The term “Report” refers to the requirement to report possible breaches due to impermissible disclosure, which should be reported to the BU Incident Response Team.
|Examples of Impermissible Uses and Disclosures|Action to be taken by BU HIPAA Component|
|---|---|
|Unauthorized access to PHI by staff without a legitimate need to have access.| |
|Inadvertent disclosure of PHI due to failure to safeguard PHI from viewing by an unintended party. For example, a laptop containing unsecured PHI lost in a public place.| |
|Mistaken disclosure of PHI by misdirecting a disclosure to an unintended party. For example, sending PHI to an address not indicated in the patient’s Authorization form.| |
|A disclosure to a family member, when the individual patient has instructed that no information be given to this family member. (See, NPP)| |
|Access by, or disclosure to, a researcher for research purposes without proper documentation of Authorization, Waiver of Authorization or Access Preparatory to Research. (See, NPP)| |

|Examples of Permissible, but un-Authorized, Uses and Disclosures|Action to be taken by BU HIPAA Component|
|---|---|
|Use by, or disclosure to, clinic staff as necessary for performance of the following duties: Treatment (to provide, manage and coordinate care to meet your needs; your treatment could also involve disclosing information to other providers such as a referring physician or dentist); Payment (to obtain payment and determine health insurance eligibility; we may tell your health plan about treatment or services that may require their prior approval); Health Care Operations (to assess the quality of care we provide, to improve our services, to train our staff and students, and to manage our business and services).| |
|Disclosure to comply with law requiring reports of suspected abuse or neglect of children, elders or disabled persons. (See, NPP)| |
|Disclosure for public health activities to prevent or control disease, such as reporting infectious diseases to boards of health, births or deaths, or reactions to vaccines or medical devices to the FDA. (See, NPP)| |
|Disclosure as legally required for federal and state health oversight activities such as fraud investigations. (See, NPP)| |
|Disclosure as authorized by and necessary to comply with workers’ compensation law if you are injured at work. (See, NPP)| |
|Disclosure for judicial or administrative proceedings in response to a valid court order, summons or subpoena to a hearing, or warrant. (See, NPP)| |
|Disclosure to coroners, medical examiners and funeral directors. (See, NPP)| |
Data Security Incident Reporting
If you suspect that a person is attempting to gain unauthorized access to another person’s medical information, contact your supervisor.
Any unauthorized disclosure or loss of HIPAA data must be reported to the BU Incident Response Team, email@example.com or 617-358-1100, which will respond according to the documented Data Breach Management Process.
- BU Information Security
BUInfoSec@bu.edu (617) 353-9004
- BU Information Security – Incident Response Team
firstname.lastname@example.org (617) 358-1100
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University. The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.
References
- The Boston University Data Protection Standards
- HIPAA – Health Insurance Portability and Accountability Act
- BU Technology Policies
- BU Information Security Policy
- BU Personal Information Protection Guidelines
- Office of Research Compliance
History
|Date|Status|Approved by|Version|
|---|---|---|---|
|mm/dd/2013|Approved|Quinn R. Shamblin, BU Information Security / HIPAA Security|–Original–|
About
Standard Number: 1.3.4
Effective Date: xx/xx/2013
Policy applicable for: All
Responsible Office(s): BU Information Security
Policy Owner and Source of Approval: Information Security & Business Continuity Governance
Associated Standards/Regulations: Health Insurance Portability and Accountability Act (HIPAA)