
Breach Notification Policy

Reference: 45 CFR 164.308(b), 164.314
Ver. No.: 1.0

Doc ID: EXT/HIPAA/BNP/01
Version #: Version 1.0
Process Owner(s): CISO
Effective Date: 15th July 2019

Revision History

Ver. No.: 1.0
Date of Release: 15th July 2019
Author(s): CISO
History of Changes: First Baseline
Approver: CISO

1. Objective
The purpose of this policy is to establish a procedure to mitigate, to the extent
practicable, any harmful effect that results from an unauthorized use or disclosure of
Protected Health Information (PHI).


2. Scope
This policy applies to all Exterprise workforce members including, but not limited to,
full-time employees, part-time employees, trainees, volunteers, contractors, and
temporary workers.

3. Process Overview
This process describes the actions to be taken for a breach incident, involving the
various stakeholders and chaired by the Privacy Officer of Exterprise.
Every employee and associate has an obligation to notify Exterprise of any use or
disclosure of PHI not permitted by the contract between the Associate and Exterprise
within five (5) business days of the Associate's learning of such use or disclosure.

4. Policy
Exterprise will take positive action to minimize known harmful effects resulting from
the unauthorized use or disclosure of PHI, and will alleviate known instances of harm
where the use or disclosure is in violation of Exterprise Administrative Policies and
Procedures or HIPAA Privacy Regulations.

Process Details

Tasks
1. Upon receiving any information from any source that PHI may have been
used or disclosed, intentionally or inadvertently, in a manner that does not
comply with Exterprise Administrative Policies, Procedures or the HIPAA
Privacy Regulations, Exterprise personnel will report such use or disclosure to
the Privacy Office.
2. The Privacy Officer will formally notify the Covered Entity if the Business
Associate (BA) agreement includes this clause.
3. Exterprise personnel will also take steps to stop or limit any such use or
disclosure.
4. The Privacy Office will investigate the report and determine whether the use
or disclosure failed to comply with Exterprise Policies and Procedures.


5. If the Privacy Officer determines that the use or disclosure violated Exterprise
policy, the Privacy Officer will contact the person or persons responsible for
the violation (“the original source”) and take all practicable measures to
retrieve and cease any further use or disclosure of the information. Also, the
Privacy Officer will determine from the original source all of the persons or
entities receiving the PHI from the original source.
6. If the Privacy Officer determines that the original source is an employee of
Exterprise, the Privacy Officer will report the matter to the original source’s
Supervisor and to the Human Resources (HR) Department. The Supervisor
and the HR Department will consult with the Privacy Officer on appropriate
sanctions to impose on the original source for violating Exterprise policy, up
to and including termination.
7. If the Privacy Officer determines that the original source is a Sub-contractor
associate of Exterprise, the Privacy Officer will report the matter to the
Exterprise Contract Department, which will take appropriate action with
regard to the Sub-Contracted Associate.
8. The Exterprise Privacy Officer is responsible for maintaining this policy and
communicating this policy to members of the workforce.
Retention:
Every policy and procedure revision/replacement will be maintained for a
minimum of six years from the date of its creation or when it was last in effect,
whichever is later. Other Exterprise requirements may stipulate a longer
retention. Log-in audit information and logs relevant to security incidents must
be retained for six years.

Privacy:
Failure to comply with this or any other privacy policy will result in disciplinary
actions. Legal actions also may be taken for violations of applicable regulations
and standards such as the HIPAA Privacy Rule and others.

References

- Omnibus HIPAA Final Rulemaking,
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
- HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and
  Human Services, August 14, 2002,
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
- HIPAA Breach Notification Rule,
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
- Health Information Privacy, Security, and EHR,
  http://www.healthit.gov/providers-professionals/ehr-privacy-security
- Achieve Meaningful Use: Protect Electronic Health Information,
  http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information
  http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/protect-electronic-health-information
