Section 34: Breach Notification Policy
HIPAA regulations require Covered Entities and their Business Associates to investigate and mitigate any security or other incidents that involve potential unauthorized access of Protected Health Information (PHI). Except in very limited instances, any unauthorized access to a Covered Entity’s PHI constitutes a breach. Breaches impacting 500 or more individuals must be reported to the U.S. Department of Health & Human Services (HHS), the media and the impacted individuals within 60 days of discovery. Breaches impacting fewer than 500 individuals must be reported to the impacted individuals within 60 days of discovery and reported on an annual basis to HHS.
The University of Texas at Dallas is a Covered Entity and is required to comply with these regulations. It is the policy of the University to comply with these regulations at all times. This policy applies to all University officers, faculty, staff, students, volunteers, or any other individual or contractor who provides services to or conducts business on behalf of the University.
Breach Notification – An acquisition, access, Use, or Disclosure of PHI is presumed to be a Breach unless the Callier Center or the Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
b) The unauthorized person who used the PHI or to whom the disclosure was made;
c) Whether the PHI was actually acquired or viewed; and
d) The extent to which the risk to the PHI has been mitigated.
Incident – any act, such as an unauthorized Use or Disclosure, or any other occurrence that could reasonably involve PHI and indicates that a Breach may have occurred.
Responsibility to Notify University Officials
1. All individuals covered by this policy are required to report possible Incidents of intentional or inadvertent disclosure to the HIPAA Privacy Officer IMMEDIATELY upon discovery. Examples include:
- Accessing and reading medical records out of curiosity
- Faxing a patient’s information to the wrong person or agency
- Improper disposal of patient information
Notification to the HIPAA Privacy Officer should be made by phone call, if possible, at 972-883-3601, and must be followed up with an encrypted email to HIPAAPrivacyOfficer@utdallas.edu describing the Incident in detail.
2. The responsibility to report Incidents to the HIPAA Privacy Officer includes reporting by the Chief Information Security Officer (CISO) or the CISO’s designee when the Incident involves an electronic information resource that may involve PHI.
3. The responsibility to notify the HIPAA Privacy Officer is in addition to any reporting required by the University’s Information Security Policies or other applicable University or UT System Policies.
4. Business Associate Agreements executed by the University shall require the contractor to notify the University of any unauthorized use or disclosure by the business associate or its workforce, agents or subcontractors that violates the HIPAA Privacy or HIPAA Security Rules, including any remedial action proposed or taken. The HIPAA Privacy Officer and the HIPAA Security Officer must each receive any contractor reports pertaining to the potential access of electronic PHI.
5. The HIPAA Privacy Officer must notify the Office of Legal Affairs, the Executive Director of the Callier Center, the Provost and the President, without delay, of any reported Incident that upon preliminary analysis could reasonably constitute a Breach.
Breach Response Team, Investigation, and Risk Analysis
- The HIPAA Privacy Officer will convene a Breach Response Team to immediately investigate and respond to any potential Breach. The composition of the Breach Response Team will depend on the nature of the potential Breach. For example, the HIPAA Security Officer will be a member of the Breach Response Team in instances involving access to PHI through an electronic information resource. Other members may include University legal counsel, the Executive Director of the Callier Center, other Callier administrators, the Compliance Manager, the Vice President for Advancement, the Provost and the President, if necessary.
- The responsibility of the Breach Response Team includes, at a minimum:
- Ensuring that all appropriate actions are immediately taken to prevent any further unauthorized exposure of PHI;
- Investigating the Incident, which may include conducting interviews to learn about circumstances surrounding the Incident; reviewing logs, tapes, and other resources;
- Conducting a risk analysis to determine whether a Breach has occurred;
- Identifying and engaging non-University consultants, as necessary to assist the University in its investigation or risk analysis;
- Conducting a root cause analysis of the Incident;
- Developing a mitigation plan to prevent further exposure of PHI and/or risk of harm to anyone affected by the Breach, which may include revision of policies and additional Workforce training;
- Determining the appropriate notification required and developing an action plan for the delivery of such notices;
- If the Incident involves violations of other University Policy, referring the individual to the appropriate body for disciplinary action, including sanctions in accordance with Section 31 of this manual;
- If the Incident involves a Business Associate or its subcontractor, amending the terms of the Business Associate Agreement or terminating the agreement;
- Keeping the Provost, President, and senior administration informed.
- The Breach Response Team will notify law enforcement, including University Police, local law enforcement agencies, or federal law enforcement agencies, as appropriate, if it determines that the Incident may have been the result of criminal action.
A Breach will be treated as discovered by the University (or a Business Associate or the Business Associate’s subcontractor) on the first day such breach is known or should reasonably have been known to have occurred by the University (or its Business Associate or the Business Associate’s subcontractor), even if it is initially unclear whether the Incident constitutes a Breach.
Notification to Individuals
- Timing. Upon determining that a Breach has occurred, the Callier Center (or the Business Associate) will make the required individual notifications without unreasonable delay, allowing only the time reasonably needed to investigate the circumstances surrounding the Breach and to collect and develop the information required to be included in the notice to the individual, and in no case later than 60 days following the discovery of the Breach (unless a law enforcement agency requests a delay). Any delay based on a request from law enforcement must be documented in writing by the requesting law enforcement agency. The Callier Center may provide the required information in multiple mailings as the information becomes available.
- Process. Unless otherwise determined by the President, the Breach Response Team will determine the University office or department responsible for ensuring that the required reporting to individuals and media occurs. Notification to a significant number of individuals and/or the media will be conducted under the direction of the Office of Communications, working with the HIPAA Privacy Officer and University legal counsel.
- a. In the case of a Breach involving a Business Associate, notifications may be handled by the University or the Business Associate, depending on the terms of the Business Associate Agreement in place and the circumstances surrounding the Incident.
- b. The HIPAA Privacy Officer is responsible for reporting to the Department of Health and Human Services.
HIPAA Regulatory Citations: 45 CFR § 164.402, § 164.404, § 164.406, § 164.408, § 164.410
Effective: 04/14/2003
Reviewed: 03/31/2021, 12/08/2015
Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center