Step 2 - Potential Breach Report - American Health Care Association

This document is intended to be a template which should be customized to fit the unique needs of the provider's operations.

Step 2: Privacy and Security Event Analysis – Potential Breach Investigation

Date of Event: ________    Date of Discovery: ________    Event ID: ________
Facility: ________    Date Reported: ________

WHO REPORTED EVENT AND WHEN
Name: ________    Phone: ________
DETAILS OF EVENT
Format:  [ ] Paper  [ ] Electronic  [ ] Verbal

Type of Event (select all that apply; if selecting “other”, describe in greater detail):
[ ] Theft
[ ] Hacking / IT incident
[ ] Physical Security Breach
[ ] Loss or misplacement
[ ] Improper Disposal
[ ] Virus/other malicious software
[ ] Unauthorized Access/Use/Disclosure
[ ] Other
[ ] Unknown

Location of Information (select all that apply; if selecting “other”, describe in greater detail):
[ ] Laptop computer
[ ] Desktop computer
[ ] Network Server
[ ] Email
[ ] Paper
[ ] Other Portable Electronic Device
[ ] Electronic Medical Record
[ ] Other

DETAILS OF SECURITY OF PHI
Secured PHI is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals.
State of Data:  [ ] At Rest  [ ] In Motion  [ ] Being cleared, purged or destroyed
Was the electronic PHI encrypted as specified according to HHS guidance (74 CFR 19006)?  [ ] Yes  [ ] No  [ ] N/A
OR
Was the PHI rendered unusable, unreadable or indecipherable to unauthorized individuals?  [ ] Yes  [ ] No
Describe details of security: ______________________________________________________________________
If this section ends with YES, stop process. Sign report. Maintain documentation per policy.
Type of Protected Health Information Involved (select all that apply; if selecting “other”, describe in greater detail):
Demographic:  [ ] Name  [ ] SS#  [ ] Address/ Zip  [ ] Drivers License  [ ] Date of Birth  [ ] Other
Financial:    [ ] Credit Card #  [ ] Bank Account #  [ ] Claims Information  [ ] Other
Clinical:     [ ] Diagnosis/ Conditions  [ ] Lab results  [ ] Medications  [ ] Other Treatment Info
Safeguard(s) in Place Prior to Event (select all that apply; if selecting “other”, describe in greater detail):
[ ] Firewalls
[ ] Strong Authentication
[ ] Physical Security
[ ] Secure Browser Sessions
[ ] Biometrics
[ ] Logical Access Control
[ ] Packet filtering (router-based)
[ ] Encrypted Wireless
[ ] NA

Additional Safeguard(s) in Place Prior to Event (select all that apply):
[ ] Encryption
[ ] Anti-virus Software
[ ] Intrusion Detection
[ ] Locked Storage Room(s)
[ ] Locked File Cabinet(s)
[ ] Shredding Bin(s)
[ ] Other

If applicable, # of residents involved: ________
Brief Description of the Unauthorized Event:
______________________________________________________________________

Did this event occur at or by a Business Associate?  [ ] Yes  [ ] No
BA Name: ________
BA Address: ________
BA Contact: ________    Contact Phone: ________    Contact email: ________
If yes, describe actions taken by CE:
[ ] Contacted BA - BA agreed to correct
[ ] Contacted BA - BA refused to correct
[ ] Termed agreement w/BA
[ ] Other: ________
©2013, The Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers and their
health care affiliates for their internal use, in connection with their efforts to comply with relevant legal rules and regulations. All other reproduction,
transfer and use is prohibited without the express written consent of the LTCC. Neither the LTCC nor its members make any representation that use
of these materials will ensure other legal compliance.
Published 12/2013
Breach Risk Tool

[ ] Notifiable breach determined – risk assessment for low probability not completed. (Skip to Breach Notification section below.)

This incident involves a use or disclosure of unsecured Protected Health Information:
[ ] The information identifies or could reasonably be expected to identify a person.
[ ] The information is about the person’s present, past or future physical or mental health, healthcare received, or payment for care.
[ ] The information was unsecured: it was usable, readable, or otherwise decipherable to any individual (i.e. electronic data was NOT encrypted, wiped, or destroyed).
If ALL boxes are checked, proceed to Section 1.

Section 1: Does this incident qualify as one of the following exceptions? Answer each question in order.
Key:  Yes: Low Probability demonstrated – Stop.   No, Don’t Know, or N/A: Low Probability fails – Continue.

1. Was this an unintentional acquisition, access, or use of PHI, by a workforce member or person acting under the authority of the CE or the CE’s BA, made in good faith, within the person’s scope of authority, and did not result in further use/disclosure in a manner not permitted by the Privacy Rule?
   [ ] Y  [ ] N  [ ] DK  [ ] N/A
2. Was this an inadvertent disclosure of PHI, by a person who is authorized to access PHI at a CE, BA, or OHCA, to another person authorized to access/receive PHI at the same CE, BA, or OHCA, and did not result in further use/disclosure in a manner not permitted by the Privacy Rule?
   [ ] Y  [ ] N  [ ] DK  [ ] N/A
3. The unauthorized recipient could not reasonably have retained the data (e.g., the data was only heard or seen momentarily or in passing).
   [ ] Y  [ ] N  [ ] DK  [ ] N/A
Section 2: Choose all options that apply for each category – total the points for all choices or check “Fail”

Method of Disclosure: Was the PHI actually acquired or viewed?
  [ ] No (0 pts)
  [ ] Verbal (1 pt)
  [ ] Paper (2 pts)
  [ ] Electronic (3 pts)
  [ ] Any Two Methods or All 3: Low Probability Fails (Fail)

Recipient(s): Who was the unauthorized person who acquired or used the PHI?
  [ ] Another Covered Entity or Federal Agency obligated to comply with Privacy Act of 1974 and FISMA (1 pt)
  [ ] Known Recipient(s) (3 pts)
  [ ] Unknown Recipient(s): Low Probability Fails (Fail)

Circumstances of access, use or disclosure
  [ ] Unintentional access, use or disclosure of PHI (1 pt)
  [ ] All Other Circumstances: Low Probability Fails (includes loss, theft, and any intentional access, use or disclosure w/o authorization) (Fail)

Disposition: What happened to the info after the acquisition, use, or disclosure?
  [ ] Returned intact/unopened/complete or Properly destroyed by facility Workforce, BA, another Covered Entity, a Federal Agency or Authorized Patient Family (1 pt)
  [ ] Remained inside facility and returned (opened) or Electronically deleted (backup status known) (2 pts)
  [ ] All Other Dispositions: Low Probability Fails (includes not returned, unable to retrieve, unknown disposition, suspicion of or actual re-disclosure) (Fail)

Type of Information: Were the identifiers direct or indirect?
  [ ] No specific names – for example, only MRN, room number, photographs or other identifiers which could be re-identified based upon context (1 pt)
  [ ] Direct Identifiers Used: Low Probability Fails (Fail)

Impact Risk: What is the potential impact of the use or disclosure?
  [ ] No known or low impact risk: no sensitive clinical, financial, or personal information (0 pts)
  [ ] All Other Potential Impact Risks: Low Probability Fails (Fail)

Additional Controls for Electronic Devices (Laptops, computers, handheld devices, etc.)
  [ ] Not applicable (0 pts)
  [ ] Data determined to be Wiped (remote or auto), Destroyed, or Encrypted (0 pts)
  [ ] Password protected only – not compromised (1 pt)
  [ ] No Controls: Low Probability Fails (Fail)

Risk Score:  Low: 5   Medium: 6 – 9   High: 10+   2+ Fails: Auto-Fail – Score Preempted
Total Score: ________    Fails: ________

Section 3: Decision
Low: Do not notify
Medium: Consider mitigating factors
High or 2+ Fails: Notify

Notes / Mitigating Factors: ______________________________________________________________________

Decision: An evaluation of the above factors  [ ] does  [ ] does not  demonstrate a low probability that the PHI has been compromised.
[ ] Do Not Notify
[ ] Notify the Resident and HHS
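The Section 2 point values and Section 3 decision bands above, encoded as a small scoring function. This is an added worked example written for this page, not part of the LTCC template. The option names, the constructed sample incidents, and two readings of the form are assumptions made here: "Low: 5" is treated as a total of 5 or fewer (since Medium starts at 6), and a single category fail is treated like a Medium result, because the form only defines an automatic fail at 2+ fails.

```python
# Added worked example of the Breach Risk Tool scoring (Sections 2 and 3).
# Illustrative code for this page, not part of the LTCC template.
# Point values and "Low Probability Fails" outcomes follow the form; two
# readings are assumptions: "Low: 5" means a total of 5 or fewer (Medium
# starts at 6), and a single category fail is treated as Medium (consider
# mitigating factors), since the form only defines auto-fail at 2+ fails.
from dataclasses import dataclass

FAIL = "FAIL"  # sentinel for options the form marks "Low Probability Fails"

# Section 2: category -> option -> points (or FAIL). Option names are assumptions.
SECTION_2 = {
    # Method of disclosure: was the PHI actually acquired or viewed?
    "method": {"not_acquired_or_viewed": 0, "verbal": 1, "paper": 2, "electronic": 3},
    # Recipient: another CE / federal agency bound by Privacy Act and FISMA, known, unknown
    "recipient": {"covered_entity_or_federal_agency": 1, "known_recipient": 3,
                  "unknown_recipient": FAIL},
    # Circumstances: "all other" covers loss, theft and intentional unauthorized access
    "circumstances": {"unintentional": 1, "all_other": FAIL},
    # Disposition: "all other" covers not returned, unknown, suspected/actual re-disclosure
    "disposition": {"returned_intact_or_properly_destroyed": 1,
                    "returned_opened_or_electronically_deleted": 2, "all_other": FAIL},
    # Type of information: indirect identifiers only (MRN, room number, photos) vs direct
    "type_of_information": {"indirect_identifiers_only": 1, "direct_identifiers": FAIL},
    "impact_risk": {"none_or_low": 0, "all_other": FAIL},
    "electronic_device_controls": {"not_applicable": 0, "wiped_destroyed_or_encrypted": 0,
                                   "password_only_not_compromised": 1, "no_controls": FAIL},
}


@dataclass
class RiskResult:
    total: int
    fails: list
    band: str      # "Low", "Medium", "High" or "Auto-Fail"
    decision: str  # "Do not notify", "Consider mitigating factors" or "Notify"


def score_incident(choices):
    """choices maps each Section 2 category to the list of selected options."""
    total, fails = 0, []
    for category, options in SECTION_2.items():
        selected = choices.get(category, [])
        if not selected:
            raise ValueError(f"no selection for category {category!r}")
        # The form: "Any Two Methods or All 3: Low Probability Fails"
        if category == "method" and len(selected) >= 2:
            fails.append("method: two or more methods of disclosure")
            continue
        for opt in selected:
            pts = options[opt]       # unknown option names raise KeyError on purpose
            if pts == FAIL:
                fails.append(f"{category}: {opt}")
            else:
                total += pts
    # Section 3 decision bands
    if len(fails) >= 2:
        band, decision = "Auto-Fail", "Notify"     # 2+ fails: score preempted
    elif total >= 10:
        band, decision = "High", "Notify"
    elif total >= 6 or fails:                       # single fail: assumption, see header
        band, decision = "Medium", "Consider mitigating factors"
    else:
        band, decision = "Low", "Do not notify"
    return RiskResult(total, fails, band, decision)


def _incident(**overrides):
    """Constructed sample incident: baseline low-risk choices with overrides (not real events)."""
    base = {"method": ["verbal"], "recipient": ["covered_entity_or_federal_agency"],
            "circumstances": ["unintentional"],
            "disposition": ["returned_intact_or_properly_destroyed"],
            "type_of_information": ["indirect_identifiers_only"],
            "impact_risk": ["none_or_low"], "electronic_device_controls": ["not_applicable"]}
    base.update({k: [v] for k, v in overrides.items()})
    return base


EXAMPLE_INCIDENTS = {
    "overheard_by_other_covered_entity": _incident(),
    "misdirected_paper_record": _incident(method="paper", recipient="known_recipient",
                                          disposition="returned_opened_or_electronically_deleted"),
    "misdirected_email_password_only_device": _incident(
        method="electronic", recipient="known_recipient",
        disposition="returned_opened_or_electronically_deleted",
        electronic_device_controls="password_only_not_compromised"),
    "stolen_unencrypted_laptop": _incident(
        method="electronic", recipient="unknown_recipient", circumstances="all_other",
        disposition="all_other", type_of_information="direct_identifiers",
        impact_risk="all_other", electronic_device_controls="no_controls"),
}

if __name__ == "__main__":
    for name, incident in EXAMPLE_INCIDENTS.items():
        r = score_incident(incident)
        print(f"{name}: score={r.total} fails={len(r.fails)} -> {r.band}: {r.decision}")
```

The four constructed incidents land in each band: the overheard remark scores 5 (Low), the misdirected paper record 9 (Medium), the misdirected email on a password-only device 11 (High), and the stolen unencrypted laptop collects six category fails, so its 3 points are preempted and the result is Notify regardless of score.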
Action Taken in Response to Event (select all that apply; if selecting “other”, describe in greater detail):
[ ] Security/Privacy Safeguards
[ ] Policy/Procedure/Guideline Re-Education
[ ] Policy/Procedure/Guideline Updates
[ ] Mitigation
[ ] Sanctions/Disciplinary Actions
[ ] Other
Complete Following Section if Breach Occurred

BREACH NOTIFICATION:
Law Enforcement: Was law enforcement notified?  [ ] Yes  [ ] No
Request for Delay Received:
  Verbally?  [ ] Yes  [ ] No;  Date ________  Who? ________
  Written?   [ ] Yes  [ ] No;  Date ________  Date Specified: ________

Delivery of Notification to Affected Parties: Written notice to be delivered via first class mail to last known address, or electronic notice via email if agreed.
Date(s) written notice mailed: ____________________ (Include example letter with event documents.)
Does urgency exist because of possible imminent misuse?  [ ] Yes  [ ] No;  If YES, how was this addressed: ____________________
Is there out of date contact information for 10 or more individuals?  [ ] Yes  [ ] No;  If YES, what substitute notice (CE website or media release) was used? ____________________ (Include example of substitute notice with event documents.)

HHS Notification
Did breach involve more than 500 individuals at one covered entity?
  [ ] No;  IF NO, document on event log. Sign report. Maintain documentation per policy.
  [ ] Yes; IF YES, HHS Notification Date ________
Did breach involve more than 500 individuals from a state or jurisdiction?
  [ ] No;  IF NO, document on event log. Sign report. Maintain documentation per policy.
  [ ] Yes; IF YES, Date(s) of prominent media outlet notification ________ (in no case > 60 calendar days after discovery); Names of prominent media outlets notified ________

Report Completed by:
Privacy/Security Officer’s Signature: ____________________    Date: ____________________