HIPAA Policies for Healthcare Providers at Covered Components: Policy 7, Breaches
HIPAA Policies for Health Care Providers Collection
7.1 Obligation to Report Potential Breaches
Any Workforce Member who learns that a potential breach of PHI may have occurred must immediately notify his or her supervisor and/or the Covered Component’s HIPAA Contact. The HIPAA Contact shall ensure the report is forwarded immediately to the BU HIPAA Privacy Officer. Reports may be sent to:
- the BU HIPAA Privacy Officer at email@example.com
- BU Information Security Incident Response Team at firstname.lastname@example.org or 617-358-1100
- BU EthicsPoint Hotline, https://secure.ethicspoint.com/domain/media/en/gui/8779/index.html or 866-294-8451.
Failure to make a report in circumstances where the Workforce Member is required to do so may lead to discipline, up to and including termination of employment.
7.2 No Retaliation
Neither Covered Components nor anyone else affiliated with BU may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for his/her exercise of any right established by, or for participation in any process provided for, these policies or the law, including:
- Filing a complaint with the Covered Component;
- Filing a complaint with governmental authorities;
- Assisting or participating in an investigation or compliance review by BU or its agents;
- Testifying in a proceeding or hearing by governmental authorities under HIPAA; or
- Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve an impermissible disclosure of PHI.
Individuals who report breaches may be subject to the protections of the University’s Code of Ethical Conduct.
7.3 Investigation and Remedial Action for Reports of Potential Breaches
Responsibility to Receive, Record and Investigate Reports
BU’s HIPAA Privacy Officer and HIPAA Security Officer will:
- receive and respond to all notifications of the use or disclosure of PHI in violation of these Policies or of HIPAA;
- record all reports of potential breaches;
- investigate each according to the University’s Data Breach Management Plan to determine whether the circumstances constitute a breach; and
- document the conclusion.
In investigating electronic incidents, the HIPAA Security Officer or HIPAA Contact follows Information Security’s First Responder Checklist to ensure that critical evidence is preserved. In addition, any Workforce Member should take reasonable precautions against physical threats to information, such as closing a door found open, locking cabinets and doors, and similar steps.
Upon request, BU will make all reasonable efforts to protect the confidentiality of persons reporting violations of law or of BU HIPAA policies or procedures to the extent practicable, given the nature of the investigation.
Response to Breach
If PHI has been used or disclosed in violation of BU policy or HIPAA requirements, BU will mitigate, to the extent practicable, any known harmful effects. Examples of actions that will be taken, depending on the circumstances, include the following:
- If the violation involves a continuing unauthorized disclosure of PHI, steps will be taken to end the practice immediately.
- If the violation involves an unlawful activity or practice, the activity or practice will be stopped, and the Office of the General Counsel will be notified of the violation.
- If the same or a similar violation could or might be prevented in the future by making changes to HIPAA policies and procedures, training or guidance, such changes will be instituted and promptly communicated to all affected employees.
7.4 Breach Notifications
In the event the BU HIPAA Privacy and/or Security Officer determines a Breach has occurred, they will notify the affected patients, the media and the Secretary, as applicable and as required under HIPAA, and will take appropriate remedial actions.
7.5 Enforcement and Sanctions
Members of the Workforce who are determined to have violated these policies or a Covered Component’s procedures may be subject to disciplinary action, up to and including termination of employment.
Additional Resources Regarding This Policy
Related Policies, Procedures, and Guides
- Data Security