1011 Data Breach Reporting


Georgia Division of Aging Services
Administrative Manual

Chapter: 1000 General DAS Administration
Effective Date: 04/10/2023
Section Title: Data Breach Reporting
Reviewed or Updated in: MT 2023-06
Section Number: 1011
Previous Update: MT 2021-04

Policy Statement

All information gathered from clients in the application for and delivery of all services of the Division of Aging Services must be protected under various state and federal laws. In compliance with all applicable state and federal rules, it is the policy of the Georgia Department of Human Services Division of Aging Services (DHS/DAS) that all data breaches must be reported as detailed in this policy.

Policy Basics

Legal Authority:

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended and including the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) at 45 C.F.R. Parts 160 and 164.

  2. Older Americans Act – confidentiality rules at 45 C.F.R. §1321.51

  3. Georgia Personal Identity Protection Act (GPIPA) at O.C.G.A. §10-1-910 et seq.

  4. The Privacy Act of 1974 at 5 U.S.C. §552a

  5. Adult Protective Services confidentiality rules at O.C.G.A. §30-5-7.

Basic Considerations

Applicability

This policy applies to all DHS staff, contractors, subcontractors, volunteers, and vendors of services. Anyone who gathers, enters, sees, accesses, transports, or stores sensitive data with or on behalf of the Department is subject to this policy.

Definitions

Access: the ability or the means necessary to read, view, record, modify, or communicate program data or information or to otherwise use any program system resource.

Breach or Potential Breach: an unauthorized and/or impermissible acquisition, access, use, or disclosure of protected health information or personally identifiable information which compromises the security or privacy of such information, or facts that lead one to believe preliminarily that such an event may likely have occurred.

DHS Management: the DHS Commissioner or her designee.

DHS Privacy Officer: a position officially appointed by the DHS Commissioner to serve as the agency focal point for all HIPAA privacy matters.

Personally Identifiable Information (PII): any information about an individual, maintained by DHS, including:

  1. Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records

  2. Any other information that is linked or is linkable to an individual, such as medical, educational, financial, or employment information

Protected Health Information (PHI): information that is created or received by a health care provider, health plan, employer, or health care clearinghouse that identifies an individual or provides a reasonable basis to believe the information can be used to identify the individual and that relates to:

  1. The past, present, or future physical or mental health condition of an individual

  2. The provision of health care to an individual, or

  3. The past, present, or future payment for the provision of health care to an individual

Responsibilities

All employees, contractors, and subcontractors are required to comply with all confidentiality and information safety requirements including the following:

  1. To understand and comply with the organization’s policies, procedures, and/or contractual obligations regarding confidentiality, privacy, and security of all DHS data

  2. To report any suspected breach, intentional or unintentional, of personal identifying information or protected health information

  3. To comply with all information safety training requirements.

Procedures

The following procedures must be followed when a breach or potential breach has occurred:

Reporting

All potential data breaches are to be immediately reported to the DHS Privacy Officer as soon as a breach or potential breach is suspected or discovered. If the DHS Privacy Officer is not available, then the breach should be reported to the General Counsel, Deputy General Counsel, or Division Associate General Counsel.

The initial report to DHS is to be made on or to include the “Data Breach Security Incident Reporting Form” which is on the Office of General Counsel page on the DHS website. Depending on the urgency of the circumstances, alternative means of reporting the breach are acceptable at first but should be followed up with a written report within two (2) business days of discovering the breach.

Following the initial report of the incident, a more complete report regarding the incident will be required in order for a risk analysis to be conducted.

Investigation

The DHS Privacy Officer will instruct the relevant program to perform, and will assist in performing, a risk analysis assessing the following factors to determine whether the PHI or PII has been compromised:

  1. The nature and extent of the PHI or PII involved, including the types of identifiers and the likelihood of re-identification;

  2. The unauthorized person who used the PHI or PII or to whom the disclosure was made;

  3. Whether PHI or PII was actually acquired or viewed; and

  4. The extent to which the risk to the PHI or PII was mitigated.

The results of the incident investigation will determine the actions to be taken.

Depending on the analysis by the DHS Privacy Officer or a representative substitute, a determination will be made as to:

  1. Whether the event meets the criteria of a breach and, if applicable,

  2. The type of breach and the subsequent regulatory reporting protocols that must be followed, i.e., HIPAA, Privacy Act, Social Security, etc.

Response

Once it is determined that a breach either has occurred or it can be reasonably expected that a breach may have occurred or is occurring, the Privacy Officer will determine the need to alert the Data Breach Task Force (DBTF).

Upon review of the incident and regardless of whether or not PHI or PII is breached, the DHS Privacy Officer or the DBTF shall develop and implement a plan to accomplish the following:

  1. Ensure that the conditions that made the incident possible are corrected so as to prevent future incidents. This may include recommendations for further training of employees, requirements for contractors to do more training, or changes to office technology, training, policy, or procedures.

  2. Identify individuals whose PHI or PII was or may have been disclosed, and the persons or entities to whom PHI or PII was or may have been disclosed.

  3. Mitigate any possible harm that may have resulted from the incident.

Notification

Upon determination of the breach and completion of immediate mitigation steps, the DHS Privacy Officer or the DBTF will take the necessary steps to adhere to all notice requirements for the individuals whose information was compromised and to comply with all notice requirements of applicable regulatory agencies, as required by statute, rule, or regulation. The DHS Privacy Officer or the DBTF will follow the appropriate DHS procedures consistent with the type of data or information that has been disclosed, including, but not limited to, any of the following or any combination of the following:

  1. HIPAA Data Breach Protocol

  2. Privacy Act Data Breach Protocol

  3. Social Security Act Data Breach Protocol

  4. Georgia Personal Identity Protection Act (GPIPA) Protocol

  5. Any other contractual Data Breach Requirements (e.g. Accruing, etc.)

The DBTF will also provide guidance on how to prevent additional breaches from occurring in the future and any remedial efforts that are recommended.

Documentation

DHS, through its Privacy Officer, will keep a record of each reported breach in compliance with applicable regulations or requirements. If no records retention period is prescribed, the record will be kept for a reasonable period not to exceed five (5) years from when the breach is discovered.

The DHS Privacy Officer will report on behalf of DHS to applicable regulatory or federal agencies as required by the specific regulations.

Administrative Requirements

Training

DHS shall train all members of the DHS workforce with respect to breach reporting obligations and procedures annually, so employees are able to identify suspected breaches of protected health information and personally identifiable information and know how to immediately report all such events to the DHS Privacy Officer. Evidence of employees receiving this annual training shall be documented and maintained.

  1. New staff member training: New staff members will be trained on data security awareness and HIPAA (Privacy and Security) within a reasonable time period after their hire date with the department.

  2. Recurrent training: Staff members are to be trained on Privacy and Security as a refresher within a reasonable time and no less than annually. Please refer to the Privacy and Security Training Protocol for guidance on the most current training and frequency of training.

  3. Special function training: Staff members are to be trained on Privacy and Security within three months after substantive changes are made to this policy, or as necessary.

Sanctions

DHS expects that all employees, contractors, and subcontractors will comply with all laws, regulations, standards, policies, procedures, guidelines, and expectations regarding the privacy and security of DHS protected health information and personally identifiable information. Applicable consequences for non-compliance with this policy may include reprimand, suspension, removal, or other actions in accordance with applicable law and DHS policy. In cases of egregious disregard or a pattern of error in safeguarding information, the minimum consequence DHS may consider is prompt removal or modification of authority to access information. Willful breach of HIPAA or other confidentiality laws may be turned over to appropriate law enforcement, prosecutors, or auditors.

Additional Information

For DHS staff, please contact your Associate General Counsel or the DHS Privacy Officer for more information.

For DHS contractors, please see your contract and Business Associate Agreement for more details. For most questions, you will have to consult your own legal counsel.

References

Health Insurance Portability and Accountability Act; 45 C.F.R. Parts 160 and 164

Older Americans Act; 45 C.F.R. §1321.51

Georgia Personal Identity Protection Act; O.C.G.A. §10-1-910 et seq.

Privacy Act of 1974; 5 U.S.C. §552a

Georgia Protection of Disabled Adults and Elder Persons; O.C.G.A. §30-5-7

OCG Data Breach Response Policy; ODIS POL 1660

OCG Data Breach Incident Report Form; ODIS POL 1660 Attachment A

DAS Admin Technology and Data Management; ODIS MAN 5600, Section 1060

DAS Admin Confidentiality; ODIS MAN 5600, Section 2053

DAS Admin HIPAA; ODIS MAN 5600, Section 2054