1660 Data Breach Response Policy

Georgia State Seal

Department of Human Services

Policy and Manual Management System

Index:

POL 1660

Revised:

01/31/2023

Next Review:

01/31/2025

Policy

The policy of the Department of Human Services (DHS) is to follow state and federal laws regarding the privacy and security of personal information. In particular, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) established Federal standards for safeguarding the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without authorization. HIPAA mandates rigorous compliance with the requirements for the use and/or disclosure of protected health information (“PHI”).

Additionally, Georgia enacted the Georgia Personal Identity Protection Act (“GPIPA”) of 2005 to protect individuals from the growing threat of identity theft caused by data breaches. GPIPA was expanded in 2007 to include state agencies as a requirement to comply with GPIPA. In strict compliance with the requirements of HIPAA, GPIPA and other confidentiality laws and regulations, as set forth herein, it is the policy of the Georgia Department of Human Services that any known or suspected unauthorized access or disclosure of information be reported internally within DHS to the Privacy Officer and investigated, in accordance with applicable law, in order to evaluate the circumstances and risk to the disclosed information and to determine and mitigate any potential harm.

The purpose of the Data Breach Response Policy is to require all DHS divisions, offices, and sections thereof, including, but not limited to, any HIPAA-covered functions, to complete a Data Breach Security Incident Reporting Form so that DHS may determine whether an incident is a breach of protected health information (“PHI”) or personally identifiable information (“PII”) and establish a clear responsibility regarding the reporting of suspected or known unauthorized disclosures of confidential information.

Authority

O.C.G.A. § 10-1-910 et seq.
5 U.S.C. § 552a
45 C.F.R. Part 160
45 C.F.R. Part 164
42 U.S.C. § 300jj et seq.

Applicability

This policy applies to all DHS employees, management, contractors, student interns, temporary employees, volunteers and any other personnel that may have access to data of which DHS is the custodian.

Definitions

Access

the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Breach

the unauthorized and/or impermissible acquisition, access, use or disclosure of protected health information or unsecured personally identifiable information which compromises the security or privacy of such information.

Data Breach Task Force (DBTF)

a cross-functional incident response team gathered to investigate, mitigate and prevent any suspected or known breaches of PHI and PII.

Management

authoritative personnel within the department including but not limited to the Commissioner, Deputy Commissioner(s), and Divisional Directors.

Personally Identifiable Information (PII)

any information about an individual maintained by DHS, including:

  1. Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and

  2. Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Protected Health Information (PHI)

information that is created or received by a health care provider, health plan, or health care clearinghouse that identifies an individual or provides a reasonable basis to believe the information can be used to identify the individual and that relates to:

  1. The past, present or future physical or mental health or condition of an individual;

  2. The provision of health care to an individual; or

  3. The past, present or future payment for the provision of health care to an individual.

Implementation

DHS Management

  1. Designate a Privacy Officer to which employees can report suspected or known unauthorized disclosures of confidential information to.

  2. Provide knowledgeable employees capable of joining the DBTF that is designed to investigate, mitigate and prevent any future occurrences of any suspected or known breaches of PHI and PII.

  3. Approve policies and necessary procedures to become compliant and maintain compliance with all breach notification regulations.

  4. Provide privacy and security training and updates for workforce and ensure compliance with training schedules.

  5. Enforce sanctions, if necessary, against any employee, staff or contractor who does not comply with this policy and applicable state/federal laws.

Employees

  1. Understand and comply with organization’s policies and procedures regarding confidentiality, privacy and security of all DHS data.

  2. Report any suspected or known breach of personal identifying formation (PII) or protected health information (PHI) of which DHS is the custodian.

Training

DHS shall train all members of the DHS workforce with respect to breach reporting obligations and procedures annually, so employees are able to identify suspected breaches of PHI and PII and know how to immediately report all suspected breaches to the Privacy Officer. Evidence of employees receiving this annual training shall be documented and maintained.

  1. New staff member training: New staff members will be trained on Data Security Awareness and HIPAA Privacy and Security within a reasonable time period after their hire date with the department.

  2. Recurrent training: Staff members are to be trained on Data Security Awareness and HIPAA Privacy and Security as a refresher no less than annually.

  3. Special function training: Staff members are to be trained on HIPAA Privacy and Security within three months after substantive changes are made to this policy or as necessary.

Sanctions

DHS expects all employees to comply with all laws, regulations, standards, policies, procedures, guidelines and expectations regarding confidential information, including the privacy and security of protected health information and personally identifiable information. Applicable consequences of non-compliance with this policy and state/federal laws may include reprimand, suspension, removal or other actions in accordance with applicable law and DHS policy. The minimum consequence DHS may consider is prompt removal of authority to access information or systems from individuals who demonstrate egregious disregard or a pattern of error in safeguarding personally identifiable information and/or protected health information.

Responsibilities

Reporting

  1. All potential data breaches are to be immediately reported to the DHS Privacy Officer as soon as a breach is suspected or discovered. If the DHS Privacy Officer is not available then the breach should be reported to the General Counsel, Deputy General Counsel or the Associate General Counsel associated with the Division that is the custodian of the data suspected of being breached.

  2. A written report detailing the known or suspected facts involving the breach is the preferred method of reporting, however depending on the urgency of the circumstances, alternative means of reporting the breach are acceptable but should be followed up with a written report within two (2) business days of discovering the breach. The breach is to be reported using the Data Breach Security Incident Reporting Form. A Microsoft word version of the Data Breach Security Incident Reporting Form can be found on the Office of General Counsel’s page on the DHS website. See: dhs.georgia.gov/organization/about/division-offices/office-general-counsel.

Investigation

  1. The DHS Privacy Officer will perform a risk assessment by using the following factors to determine whether the PHI or PII at issue has been compromised:

    1. The nature and extent of the PHI or PIl involved, including the types of identifiers and the likelihood of re-identification;

    2. The unauthorized person who used the PHI or PII or to whom the disclosure was made;

    3. Whether PHI or PII was actually acquired or viewed; and

    4. The extent to which the risk to the PHI or PII has been mitigated.

  2. Depending on the analysis by the DHS Privacy Officer or a representative substitute, the Privacy Officer will determine:

    1. If the event meets the criteria of a breach; and, if applicable,

    2. The type of breach and the subsequent regulatory reporting protocols that must be followed, i.e., HIPAA, Privacy Act, Social Security Act, FNS, etc.

    Once it is determined that a breach either has occurred or if it can reasonably be expected that a breach may have occurred or is continuing to occur, the Privacy Officer will alert the Data Breach Task Force and/or contact the division manager to provide the next steps.

Response

Upon review of the incident and regardless of whether or not PHI or Pll is breached, the DBTF shall develop and implement a plan to accomplish the following:

  1. Ensure that the conditions that made the incident possible are corrected to prevent future incidents. This may include recommendations for further training of employees, or changes to office technology, training, policy, or procedures;

  2. Identify individuals whose PHI or PII was or may have been disclosed, and the persons or entities to whom PHI or PII was or may have been disclosed; and

  3. Mitigate any possible harm that may have resulted from the incident.

Notification

Upon determination and mitigation of the breach, the DBTF or Privacy Officer will take the necessary steps to adhere to all noticing requirements for the individuals' whose information was compromised and comply with all noticing requirements, of applicable, regulatory agencies, as required by statute, rules or regulation. The DBTF or Privacy Officer will follow the appropriate DHS procedures consistent with the type of data or information that has been disclosed including but not limited to any of the following or any combination of the following:

  1. HIPAA Data Breach Protocol

  2. Privacy Act Data Breach Protocol

  3. Social Security Act (SSA) Data Breach Protocol

  4. Georgia Personal Identity Protection Act (GPIPA) Protocol

  5. Internal Revenue Service (IRS) Data Breach Protocol

  6. Office of Child Support Enforcement (OCSE) Data Breach Protocol

  7. Food and Nutrition Service (FNS) Data Breach Protocol

  8. Any other contractual Data Breach Requirements (e.g., Accurint, etc.)

The DBTF or Privacy Officer will also provide guidance on how to prevent additional incidents from occurring in the future and any remedial efforts that are recommended.

Documentation

DHS, through its Privacy Officer, will keep a record of each reported breach in compliance with applicable regulations or requirements. If no time is prescribed for records retention, then records will be retained for a minimum period of six (6) years from when the breach is discovered.

History

Replaces POL 1660, last reviewed 03/22/2020.

Evaluation

All security incidents that are reported, are tracked by the Privacy Officer and reviewed by the General Counsel.

Additional Information

For additional information or assistance, please contact the Privacy Officer at privacy@dhs.ga.gov.