Privacy Breach Management Guide by Health PEI

Presented by: Access to Information & Privacy Team, Health PEI
 
Privacy Breach Management Guide
 
What is a privacy breach?
 
If Personal Health Information (PHI) or Personal Information (PI) is, or is suspected to have been, stolen, lost, or used, disclosed, accessed or destroyed without authorization, then a privacy breach has potentially occurred!
 
 
Preventing a Privacy Breach
 
Before we get into the steps of managing a privacy breach, let's look at some ways that we can prevent them from occurring!
 
What are some things you can do in your role to prevent privacy breaches?
 
• Privacy in the office/clinic/waiting room/all health care settings – consider who can hear your telephone conversations and in-person conversations, double check phone/fax numbers, do not leave PHI or PI on voicemails, and consider what information you are revealing when you call out to individuals in waiting rooms.
 
• Transporting information – keep the information (in all formats) secured on your person; if you must leave it in a vehicle, ensure it is not visible (i.e. locked in the trunk).
 
• Working from home risks – be mindful of who can see your work, hear your conversations, connect to your Teams chats, etc.
 
• Release of information – ensure you are reviewing for and redacting third-party information, ensure you have the right patient and the right contact information, and double check pages to ensure no one else's information is included.
 
• Keeping accurate records – always use 2 patient identifiers, and double check and update addresses, phone numbers, etc. at every encounter.
 
• Being mindful of conversations/info sharing/social media posts/etc. – always consider "Need to Know" information, social media platforms that falsely claim privacy, and the risk of re-identification even without names being used.
 
What are some other things that you can do to prevent breaches?
 
 
How to Determine if a breach occurred
 
• Was PHI or PI involved?
• Did access/disclosure occur, or was there a risk of it occurring?
• Was there a need to know the information?
• Was more PHI than necessary accessed or disclosed?
• Was the access/disclosure unauthorized?

Discuss with an Access to Information & Privacy (ATIP) Consultant and/or Quality/Risk Coordinator for support if you are unsure but think it is possible that a breach may have occurred.

Breaches, suspected breaches and potential breaches should all be recorded in PSMS.
 
Breach Management Basic Steps
 
Containment and preliminary assessment

• Gather initial details of what happened.
• Take steps to prevent further breach (contain it).
• Record the incident in PSMS.
• Document only the facts in the incident report.
• Determine exactly what PHI or PI has been breached.
• Recover, retrieve or confirm destruction of the PHI or PI, if possible.
• Try to get confirmation in writing of deletion or destruction of records by an unauthorized recipient (i.e. confirm emails were deleted from inbox & trash, etc.).
• If the breach involves theft or other criminal activity, Management will report to the appropriate law enforcement authorities.
 
 
Breach Management Basic Steps
 
Investigation (Manager responsible, Privacy Officer and others as appropriate)

• Gather further information from varied sources.
• Conduct auditing, if applicable.
• Confirm the facts of the breach and identify factors, failed safeguards, intentional vs. accidental, etc.
• Assess the risks to the Affected Individual(s) with the Privacy team.
• If the breach was intentional and caused by a staff person of Health PEI, Human Resources (HR) will be contacted.
• Continue to record all follow-up and investigation steps and results in PSMS.
 
 
 
 
 
Breach Management Basic Steps
 
Notification and reporting
 
In consultation with the Privacy Officer and Quality/Risk Coordinator, disclosure to the affected individual(s) and notification to the Commissioner are required, unless there is no adverse impact on the provision of care to, or the well-being (mental, physical, economic or social) of, the affected individual(s).

ONLY the HPEI CEO (in consultation with the Privacy Officer) notifies the Commissioner of breaches!
 
Breach Management Basic Steps
 
Remediation and prevention
 
• Determine whether new or enhanced safeguards are required (technical, physical and administrative measures to protect PHI and PI).
• Discipline, if applicable – HR leads this process.
• Share findings with affected individual(s) as appropriate.
• Health PEI CEO will share with the Information & Privacy Commissioner (via the Privacy Officer).
 
 
 
If you require Assistance…
 
If you are unsure about the process or need some support and guidance, please contact your Access To Information & Privacy (ATIP) team at healthprivacy@ihis.org or 902-569-7734.
 
Thank you for reviewing this information; we hope you found it helpful.

If you have any feedback or suggestions about improving this information, please send it to the Access To Information & Privacy (ATIP) team at healthprivacy@ihis.org

** Privacy Breach & Complaints Management Protocol is coming soon!
Uploaded on Apr 04, 2024
