Breach Notification Policy
Lumin Medical LLC has adopted this Breach Notification Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), the Department of Health and Human Services (“DHHS”) security and privacy regulations, and the Joint Commission on Accreditation of Healthcare Organizations accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. In addition, this Breach Notification Policy will assist [Lumin Medical LLC] in fulfilling its obligation under the HITECH Act to determine whether to report breaches of PHI confidentiality and integrity to DHHS and/or to the individuals affected by the breach. All personnel of Lumin Medical LLC must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every Lumin Medical LLC employee’s responsibilities.
This Breach Notification Policy is based on the following assumptions:
- Breaches of security, confidentiality, or Lumin Medical LLC’s policies and procedures may occur despite security and confidentiality protections.
- Lumin Medical LLC has a duty to mitigate the harm of a breach and, in some cases, has a duty to notify the subject of the breach, DHHS, and the media.
- Other federal and state laws, such as the Red Flag Rules, may also require notification.
- Failure to notify DHHS, the media, and individuals affected by a breach may result in harm to the individuals and to Lumin Medical LLC, such as by resulting in a civil money penalty.
- Reporting health information breaches and suspected breaches is important to minimize the harm of the breach. For example, notifying the individuals may permit them to take effective action to minimize the harm of the breach.
- Individuals detecting or suspecting a breach of health information security or confidentiality must report the breach or suspected breach as specified herein, including a written report to the Security Officer as soon as possible as specified in Lumin Medical LLC’s Report Procedure Policy.
- Upon receiving the report, the Security Officer will take the steps required in the Response Procedure Policy.
- The Security Officer will conduct a risk analysis of the breach to determine the existence of a significant risk to the affected individuals. After September 23, 2013, this risk assessment must include the following:
- The nature and extent of the protected health information (“PHI”) involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person that used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
- If, after investigation, the breach qualifies as a breach under the HITECH Act definition of breach in Subtitle D—Privacy, Part I, § 13400, the data is unsecured, and the breach poses a significant risk to the affected individuals, Lumin Medical LLC must, without unreasonable delay and in no case later than 60 days after the discovery of the breach, notify the individual(s) whose PHI was involved in the breach and notify DHHS.
- The notice to the individuals must include the following:
- Description of the types of unsecured PHI that were involved in the breach, such as name, Social Security number, patient number, insurance number, date of birth, home address, disability code, and the like.
- Brief description of what Lumin Medical LLC is doing to investigate the breach, to mitigate losses, and to protect against further breaches.
- Contact information for individuals to ask questions or learn additional information, which will include [toll-free telephone number][email address][website url][postal address]. The Privacy Officer shall respond to all such contacts.
- See Appendix A, below, for a sample breach notification letter to be used as a guide in drafting such notices.
- Unless the contact information is insufficient or out-of-date, the notification shall be by first-class mail to the individual or next-of-kin of the individual or, if specified as a preference by the individual, by email.
- If the contact information is insufficient or out-of-date, Lumin Medical LLC will use a substitute form of notice, such as, if the breach involves 10 or more individuals for whom information is insufficient or out-of-date, a conspicuous posting on the home page of Lumin Medical LLC’s website or a notice in major print or broadcast media in geographic areas in which the individuals affected by the breach likely reside as determined by the Privacy Officer in conjunction with legal and risk management. Such notice will include a toll-free number where the individual can learn whether the individual’s unsecured PHI was possibly involved in the breach.
- If the Security Officer, in consultation with the Privacy Officer, determines that the breach requires urgency because of the possible imminent release of unsecured PHI, immediate notification may also be made by telephone or other appropriate means.
- Lumin Medical LLC will notify the Secretary by visiting the DHHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
- The Security Officer is responsible for processing required notifications under other laws, such as laws requiring reporting of possible identity theft.
All officers, agents, and employees of Lumin Medical LLC must adhere to this policy, and all supervisors are responsible for enforcing this policy. Lumin Medical LLC will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with Lumin Medical LLC’s medical information sanction policy and personnel rules and regulations.
Signature of User Date
Title of User Printed Name of User
Witness Printed Name of Witness
Sample Breach Notification Letter
VIA U.S. MAIL, CERTIFIED RETURN RECEIPT REQUESTED
RECEIPT NO. [____ ____ ____ ____ ____]
[Name and address of subject of the information that was or may be the subject of a breach]
Dear [name of subject of the breach]:
Here at Lumin Medical LLC, we understand that personal information is important, and we are committed to protecting information entrusted to our care. This commitment includes notifying individuals if we believe that the security or privacy of their information may have been compromised. We regret to inform you that a recent incident may have exposed your personal information to an unintended audience.
[Enter details of breach or potential breach, such as the following example of an identity theft incident.] On [date], a criminal apparently walked off with one of our employee’s laptops while she was going through security at Kansas City International Airport. Her laptop contained clinical records that included, besides the clinical details of your treatment, financial and demographic information that could be used for identity theft. Most likely, the criminal just wanted a laptop that he could pawn, and the data maintained on it was password protected, but we cannot absolutely rule out the possibility of identity theft.
We suggest that you contact any of the three major credit bureaus and have a “fraud alert” placed on your credit file. A fraud alert lets creditors know to contact you before new accounts are opened in your name. You will also be automatically sent copies of your current credit files. You only need to call one of the credit bureaus for the fraud alert to be placed on all three files. The major credit bureaus and their toll-free telephone numbers are as follows:
- Equifax: (800) 525-6285
- Experian: (888) 397-3742
- TransUnion: (800) 680-7289