Effective January 1, 2022
Monmouth University (“University”) sponsors the following self-insured group health plans:
- The following self-insured component benefits under the Monmouth University Group Health Insurance Plan:
  - Medical and prescription drug coverage
  - Health flexible spending account
  - Active Health Reimbursement Arrangement
Protected Health Information (PHI). Protected health information (PHI) means information that is created or received by the Health Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information of persons living or deceased.
For purposes of this Policy, PHI does not include the following, referred to in this Policy as “Exempt Information”:
- 1. summary health information, as defined by HIPAA’s privacy rules, that is disclosed to the University solely for purposes of obtaining premium bids, or modifying, amending, or terminating the Health Plan;
- 2. enrollment and disenrollment information concerning the Health Plan that does not include any substantial clinical information;
- 3. PHI disclosed to the Health Plan or the University under a signed authorization that meets the requirements of the HIPAA privacy rules;
- 4. health information related to a person who has been deceased for more than 50 years;
- 5. information disclosed to the University by an individual for functions that the University performs in its role as an employer and not as sponsor of the Plan or in providing administrative services to the Plan.
The University also sponsors other component benefit programs under the Monmouth University Group Health Insurance Plan which are fully insured group health plans that provide benefits solely through an insurance contract with an insurance issuer (“Insurer”), including dental and vision component benefits. With respect to those fully insured components, the Monmouth University Group Health Insurance Plan and the University intend to comply with the requirements of 45 CFR §164.530(k) so that the fully insured components are not subject to most of HIPAA’s privacy requirements. The Insurer, however, is subject to HIPAA’s privacy rules.
II. Health Plan’s Responsibilities as Covered Entity
A. Privacy Official and Contact Person
The Director of Human Resources will be the Health Plan’s Contact Person. Participants who have questions, concerns, or complaints about HIPAA may contact the Contact Person.
The Privacy Official is responsible for ensuring that the Health Plan complies with all provisions of the HIPAA privacy rules, including the requirement that the Health Plan have a HIPAA-compliant Business Associate Contract in place with each Business Associate. The Privacy Official shall also be responsible for monitoring compliance by all Business Associates with the terms of their Business Associate Contracts.
B. Workforce Training
C. Safeguards and Firewall
The University will establish on behalf of the Health Plan appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include implementing procedures for use and disclosure of PHI, including identifying workforce members who need access to PHI to perform their jobs. See the Privacy Use and Disclosure Procedures. Technical safeguards include tracking workforce members’ access to PHI. Physical safeguards include locking filing cabinets and doors to rooms storing PHI.
Firewalls will be established to ensure that only authorized workforce members will have access to PHI and that other workforce members do not have access to PHI. Firewalls will also ensure that workforce members have access to only the minimum amount of PHI necessary for the plan administrative functions they perform, and that they will not disclose PHI to workforce members who are not authorized to access PHI.
D. Privacy Notice
Self-Insured Component Benefits
The Privacy Official is responsible for developing and maintaining a notice of the Health Plan’s privacy practices that complies with the HIPAA privacy rules and describes the following:
- the uses and disclosures of PHI that may be made by the Health Plan;
- the rights of individuals under HIPAA privacy rules;
- the Health Plan’s legal duties with respect to the PHI; and
- other information as required by the HIPAA privacy rules.
The privacy notice will inform participants that the University will have access to PHI in connection with its plan administrative functions. The privacy notice will also provide a description of the Plan’s complaint procedures, the name and telephone number of the Contact Person for further information, and the effective date of the notice. The effective date will not be earlier than the date the notice is published.
The notice of privacy practices shall be placed on the Health Plan’s or the University’s website. The notice also will be individually delivered:
- at the time of an individual’s enrollment in the Health Plan;
- to a person requesting the notice; and
- to participants within 60 days after a material change to the notice. However, if the Health Plan posts its notice on the Health Plan’s website and there is a material change to the notice, the Health Plan will prominently post the change or the revised notice on its website by the effective date of the change. It will also provide the change or information about the change and how to obtain the revised notice in its next annual mailing to individuals covered by the Health Plan.
The Health Plan will also provide notice of availability of the privacy notice (or a copy of the privacy notice) at least once every three years in compliance with the HIPAA privacy regulations.
Insured Component Benefits
The insurer for insured group health plans under the Plan will provide the Plan’s Notice of Privacy Practices and will satisfy the other requirements under HIPAA’s privacy rules related to Notice of Privacy Practices, including Notices of Availability of the Privacy Practices. The Notice of Privacy Practices, among other things, will notify participants of the potential disclosure of the summary health information and enrollment and disenrollment information to the Plan and the University.
The Contact Person will be the Health Plan’s designated person to receive complaints regarding the Health Plan. The Privacy Official is responsible for creating a process for individuals to lodge complaints about the Health Plan’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any participant upon request.
G. Mitigation of Inadvertent Disclosures of PHI
H. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No workforce member may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against participants for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No participant shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility under the Health Plan.
I. Health Plan Document
The Health Plan document shall include provisions to describe the permitted and required uses by, and disclosures to, the University of PHI for plan administrative or other permitted purposes. Specifically, the Health Plan document shall require the University to:
- not use or further disclose PHI other than as permitted by the Health Plan documents or as required by law;
- ensure that there is adequate separation (also known as a firewall) between the Health Plan and the University as sponsor of the Health Plan;
- ensure that any agents to whom it provides PHI agree to the same restrictions and conditions that apply to the University;
- not use or disclose PHI for employment-related actions or for any other benefit or employee benefit plan of the University;
- report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
- make PHI available to Health Plan participants, consider their requests for amendments, and, upon request, provide them with an accounting of PHI disclosures in accordance with the HIPAA privacy rules;
- make the University’s internal practices and records relating to the use and disclosure of PHI received from the Health Plan available to the Department of Health and Human Services (HHS) upon request; and
- if feasible, return or destroy all PHI received from the Health Plan that the University still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
The Health Plan document must also require the University to (1) certify to the Privacy Official that the Health Plan documents have been amended to include the above restrictions and that the University agrees to those restrictions; and (2) provide adequate firewalls in compliance with the HIPAA privacy rule.
The Health Plan’s privacy policies and procedures shall be documented and maintained for at least six years from the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations), as well as any changes in the Health Plan’s operations or operating environment. Any changes to policies or procedures must be promptly documented and incorporated into workforce training.
The Health Plan shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights. The Health Plan shall also document the dates, content, and attendance of workforce members at training sessions.
The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. The Health Plan will maintain such documentation for at least six years.
K. Fully Insured Group Health Plan Component Benefits
Neither the Plan nor the University (or any member of the University’s workforce) shall create or receive PHI for fully insured component benefit programs that are group health plans except for the following:
- summary health information, as defined by HIPAA’s privacy rules, for purposes of (a) obtaining premium bids or (b) modifying, amending, or terminating the Plan;
- enrollment and disenrollment information concerning the Plan which does not include any substantial clinical information; or
- PHI disclosed to the Plan and/or University under a signed authorization that meets the requirements of the HIPAA privacy rules.
III. Policies on Use and Disclosure of PHI
A. Use and Disclosure Defined
The Health Plan will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
- Use. The sharing, employment, application, utilization, examination, or analysis of PHI by any University workforce member working within the following classes of employees of the University, or by a Business Associate of the Health Plan.
- Disclosure. The release, transfer, provision of access to, or divulging in any other manner of PHI to persons who are not University workforce members working within the following classes of employees of the University, or to a person or entity who is not a Business Associate of the Health Plan.
Classes of employees with access to PHI include:
- Privacy Official
- Office of Human Resources
- Office of Payroll
- Office of the Controller
- Office of Internal Audit
- Information Management
- Office of the General Counsel
- Such other classes of individuals identified by the Plan’s Privacy Official as necessary for the Plan’s administration
B. Workforce Must Comply With Health Plan’s Policy and Procedures
C. Permitted Uses and Disclosures for Plan Administration Purposes
The Health Plan may disclose Exempt Information to the University. Exempt Information is not governed by this Policy, and the University may use and disclose it for any lawful purpose.
D. Permitted Uses and Disclosures: Payment and Health Care Operations
PHI may be disclosed for the Health Plan’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.
Payment. Payment includes activities undertaken to obtain participants’ contributions to the Health Plan or to determine or fulfill the Health Plan’s responsibility to obtain or provide reimbursement for health care. Payment also includes the following:
- eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
- risk-adjusting based on characteristics of the covered group of participants;
- billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance), and related health care data processing; and
- any other payment activity permitted by the HIPAA privacy regulations.
PHI may be disclosed for purposes of the Plan’s own health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.
Health Care Operations. Health care operations means any of the following activities:
- conducting quality assessment and improvement activities;
- reviewing health plan performance;
- underwriting and premium rating;
- conducting or arranging for medical review, legal services, and auditing functions;
- business planning and development;
- business management and general administrative activities; and
- other health care operations permitted by the HIPAA privacy regulations.
E. No Disclosure of PHI for Non-Health Plan Purposes
PHI may not be used or disclosed for the payment or operations of the University’s “non-health” benefits (e.g., disability, workers’ compensation, life insurance), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required or allowed by applicable state law and all applicable requirements under HIPAA are met.
F. Mandatory Disclosures of PHI
A participant’s PHI must be disclosed, in accordance with the Health Plan’s Privacy Use and Disclosure Procedures, in the following situations:
- The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows);
- The disclosure is required by law; or
- The disclosure is made to HHS for purposes of enforcing HIPAA.
G. Other Permitted Disclosures of PHI
PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Health Plan’s Privacy Use and Disclosure Procedures describe the specific requirements that must be met before these types of disclosures may be made, including prior approval of the Privacy Official. The following disclosures are permitted:
- about victims of abuse, neglect, or domestic violence;
- to a health care provider for treatment purposes;
- for judicial and administrative proceedings;
- for law-enforcement purposes;
- for public health activities;
- for health oversight activities;
- about decedents;
- for cadaveric organ-, eye-, or tissue-donation purposes;
- for certain limited research purposes;
- to avert a serious threat to health or safety;
- for specialized government functions; and
- that relate to workers’ compensation programs.
H. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
I. Complying With the “Minimum-Necessary” Standard
HIPAA requires that when PHI is used, disclosed, or requested, the amount of PHI used, disclosed, or requested generally must be limited to the “minimum necessary” to accomplish the purpose of the use, disclosure, or request.
The “minimum-necessary” standard does not apply to any of the following:
- uses or disclosures made to the individual;
- uses or disclosures made pursuant to a valid authorization;
- disclosures made to HHS;
- uses or disclosures required by law; and
- uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI. The Health Plan, when disclosing PHI subject to the minimum-necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI that is necessary for the requestor is disclosed. More details on the requirements are found in the Health Plan’s Privacy Use and Disclosure Procedures. All disclosures not discussed in the Health Plan’s Privacy Use and Disclosure Procedures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of PHI disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. The Health Plan, when requesting PHI subject to the minimum-necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary for the Health Plan is requested. More details on the requirements are found in the Health Plan’s Privacy Use and Disclosure Procedures. All requests not discussed in the Health Plan’s Privacy Use and Disclosure Procedures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the request.
J. Disclosures of PHI to Business Associates
A Business Associate is an entity that:
- creates, receives, maintains, or transmits PHI on behalf of the Health Plan (including for claims processing or administration, data analysis, or underwriting); or
- provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to or for the Health Plan, where the performance of such services involves giving the service provider access to PHI.
Workforce members may disclose PHI to Business Associates and allow Business Associates to create, receive, maintain, or transmit PHI on the Health Plan’s behalf. However, prior to doing so, the Health Plan must first obtain satisfactory assurances from the Business Associate, in the form of a business associate contract, that it will appropriately safeguard PHI. The Privacy Official shall maintain a log of all Business Associates and shall maintain all Business Associate Contracts in a readily accessible and retrievable form and format. Before sharing PHI with a Business Associate, workforce members must contact the Privacy Official and verify that a Business Associate contract is in place.
K. Disclosures of De-Identified Information
The Health Plan may use and disclose information that has been “de-identified” in accordance with the HIPAA privacy regulations. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
L. Breach Notification Requirements
IV. Policies on Individual Rights
A. Right to Access PHI
HIPAA gives participants the right to access and obtain copies of their PHI that the Health Plan (or its Business Associates) maintains in a designated record set. A participant’s personal representative may request access to PHI on behalf of the participant. The Plan will provide access to PHI in accordance with HIPAA.
A Designated Record Set is a group of records maintained by or for the Health Plan that includes:
- the enrollment, payment, and claims adjudication record of a participant that is maintained by or for the Health Plan; or
- other PHI used, in whole or in part, by or for the Health Plan to make coverage decisions about an individual.
Participants will be instructed to send their requests for access to the Health Plan’s Contact Person. The Health Plan will take reasonable efforts to verify the identity of the requesting participant following procedures approved by the Privacy Official. The Health Plan will attempt to provide participants with access to their PHI as soon as possible, and within 30 days, after receiving a written request. If the Health Plan is unable to provide access within 30 days, it may extend the response by up to 30 additional days so long as it communicates the reason for the extension to the participant and the estimated response date within the initial 30-day period.
The Health Plan will send requested information in a Designated Record Set to a third party identified by the participant, so long as the request is signed and in writing, and clearly identifies the third party and where to send the information.
Generally, the Health Plan will not deny participants access to their own PHI. However, if an exception to the right to access set forth in 45 CFR §164.524 exists, the Privacy Official will review the request for access and will respond within the timeframe and with the information required by the privacy rule.
If information in one or more Designated Record Sets is maintained electronically, and an individual requests an electronic copy of the information, the Health Plan will provide the individual with access to the requested information in the electronic form and format requested by the individual, if it is readily producible in that form and format. If the requested information is not readily producible in that form and format, the requested information will be produced in a readable electronic form and format as agreed by the Health Plan and the individual. If the Health Plan and the individual are unable to agree on an electronic form and format, the Health Plan will provide a paper copy of the information to the individual.
The Health Plan will send information to the participant by mail or email, as requested by the participant. However, if a participant asks to receive a copy of PHI by unencrypted email, the Health Plan will provide a brief warning to the participant that there is some level of risk that the participant’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the participant still wants to receive PHI by unencrypted email. If the participant says yes, the Health Plan will comply with the request. Because of the security risk, the Health Plan will not copy information onto participant-supplied storage media.
If a participant requests a copy of information in a Designated Record Set, the Health Plan may impose a reasonable, cost-based fee, provided that the fee includes only the cost of (1) labor for copying the information requested by the participant, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media if the participant requests that the electronic copy be provided on portable media; and (3) postage, when the participant has requested that the copy be mailed. If the participant agrees in advance to receive an explanation or summary of the information, the Health Plan may also charge for preparing the explanation or summary. The Health Plan may not charge a fee to participants who merely request access to (but not copies of) information.
B. Right to Amend PHI
If a participant believes that PHI about the participant in a Designated Record Set is incorrect or incomplete, the participant may ask the Health Plan to amend the PHI. The participant has the right to request an amendment for as long as the information is kept by or for the Health Plan. The request for amendment must be made in writing and submitted to the Health Plan’s Contact Person. In addition, the participant must provide a reason that supports the request. The Health Plan may deny the request for an amendment if it is not in writing or does not include a reason to support the request.
The Health Plan will act on the request as soon as possible, and within 60 days, after receiving the request. If the Health Plan is unable to act on the request within 60 days, it may extend the period for up to 30 additional days, provided that the Health Plan notifies the participant of the reason for the delay and the date it will act on the request during the original 60-day period.
In addition, the Health Plan may deny the request if the request is to amend information that:
- was not created by the Health Plan, unless the participant provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- is not part of a Designated Record Set;
- is not subject to the right of access described above; or
- is accurate and complete.
If the Health Plan denies the request, it will provide the participant with a written explanation of the basis for the denial, the participant’s right to file a statement of disagreement with the Health Plan, and the Health Plan’s complaint procedures. If the participant files a statement of disagreement, any future disclosures of the disputed information will include that statement (or an accurate summary of it).
C. Right to Accounting of Disclosures
A participant has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the most recent six years, other than disclosures:
- to carry out treatment, payment, or health care operations;
- to individuals about their own PHI;
- incident to an otherwise permitted use or disclosure;
- pursuant to an authorization;
- to persons involved in the individual’s care or payment for the individual’s care or for certain other notification purposes;
- to correctional institutions or law enforcement when the disclosure was permitted without authorization;
- as part of a limited data set;
- for specific national security or law-enforcement purposes; or
- disclosures that occurred prior to the compliance date.
Participants shall be instructed to send their requests for an accounting to the Health Plan’s Contact Person. The Health Plan shall respond to an accounting request within 60 days. If the Plan is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of the basis for the disclosure.
The first accounting in any 12-month period shall be provided free of charge. The Privacy Official may impose reasonable production and mailing costs for additional accountings.
D. Requests for Confidential Communications
Participants may ask to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may request that Health Plan information be sent only to their work address rather than a home address, or may request that communications be made by phone. Participants will be instructed to send their requests to the Health Plan’s Contact Person. The decision to honor a request shall be made by the Privacy Official.
E. Requests for Restrictions on Use and Disclosure of PHI
A participant may request restrictions on the use and disclosure of the participant’s PHI. For example, a participant can ask that the Health Plan not use or disclose information about a surgery that the participant had. Participants will be instructed to send their requests to the Health Plan’s Contact Person. The Health Plan may, but need not, honor such requests. However, the Health Plan will comply with a restriction request if (1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and (2) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid in full by the individual or another person, other than the Plan. The decision to honor restriction requests shall be made by the Privacy Official.
V. Reportable Breach Notification Policy
A. Identifying a Reportable Breach
The first step is to determine whether a Reportable Breach has occurred. If a Reportable Breach has not occurred, the notice requirements do not apply.
The Privacy Official is responsible for reviewing the circumstances of possible breaches brought to his or her attention and determining whether a Reportable Breach has occurred in accordance with this Reportable Breach Notification Policy and the Breach Regulations. All Business Associates, and all workforce members who have access to PHI, are required to report to the Privacy Official any incidents involving possible breaches.
Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the privacy rules is presumed to be a Reportable Breach, unless the Privacy Official determines that there is a low probability that the privacy or security of the PHI has been or will be compromised.
The Privacy Official’s determination of whether a Reportable Breach has occurred must include the following considerations:
- Was there a violation of HIPAA Privacy Rules? There must be an impermissible use or disclosure resulting from or in connection with a violation of the HIPAA Privacy Rules by the Plan or a Business Associate of the Plan. If not, then the notice requirements do not apply.
- Was PHI involved? If not, then the notice requirements do not apply.
- Was the PHI secured? For electronic PHI to be “secured,” it must have been encrypted to NIST standards or destroyed. For paper PHI to be “secured,” it must have been destroyed. If yes, then the notice requirements do not apply.
- Was there unauthorized access, use, acquisition, or disclosure of PHI? The violation of HIPAA Privacy Rules must have involved one of these. If it did not, then the notice requirements do not apply.
- Does an exception apply? The regulations contain three narrow exceptions to breach notification (described below).
- Is there a low probability that privacy or security was compromised? If the Privacy Official determines that there is only a low probability of compromise, then the notice requirements do not apply.
If one of the following three exceptions applies, then a Reportable Breach has not occurred, and the notice requirements are not applicable.
- Exception 1: A Reportable Breach does not occur if the breach involved an unintentional access, use, or acquisition of PHI by a workforce member or Business Associate, provided that the access, use, or acquisition (a) was in good faith; (b) was within the scope of authority of the workforce member or Business Associate; and (c) does not involve further use or disclosure in violation of the HIPAA privacy rules. For example, the exception might apply if an employee providing administrative services to the Plan were to mistakenly access the claim file of a participant whose name is similar to the name of the intended participant. However, the exception would not apply if an employee intentionally looked up a coworker’s claim file out of curiosity.
- Exception 2: A Reportable Breach has not occurred if the breach involved an inadvertent disclosure from one person authorized by the Health Plan to have access to PHI to another person at the same covered entity or Business Associate also authorized to have access to the PHI, provided that there is no further use or disclosure in violation of the HIPAA privacy rules. For example, the exception might apply if an employee providing administrative services to the Plan inadvertently emailed PHI to the wrong coworker. However, if the same employee emailed the information to an unrelated third party, the exception likely does not apply.
- Exception 3: A Reportable Breach has not occurred if the breach involved a disclosure where the Health Plan has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI. For example, the exception may apply to an EOB mailed to the wrong person and returned to the Health Plan unopened, or if a report containing PHI is handed to the wrong person, but is immediately retrieved before the person can read it. However, the exception does not apply if an EOB was mailed to the wrong person and the unintended recipient opened the envelope before realizing the mistake.
To determine whether there is only a low probability that the privacy or security of the PHI was compromised, the Privacy Official must perform a risk assessment that considers at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. For example, did the disclosure involve financial information, such as credit card numbers, Social Security numbers, or other information that increases the risk of identity theft or financial fraud? Did the disclosure involve clinical information such as a treatment plan, diagnosis, medication, medical history, or test results that could be used in a manner adverse to the individual? Did the use or disclosure otherwise further the unauthorized recipient’s own interests?
- The unauthorized person who used the PHI or to whom the disclosure was made. For example, does the unauthorized recipient of the PHI have obligations to protect the privacy and security of the PHI, such as another entity subject to the HIPAA privacy and security rules or an entity required to comply with the Privacy Act of 1974? Would those obligations lower the probability that the recipient would use or further disclose the PHI inappropriately? Also, was the PHI impermissibly used within a covered entity or business associate, or was it disclosed outside a covered entity or business associate?
- Whether the PHI was actually acquired or viewed. If there was only an opportunity to view the information, but the Privacy Official determines that the information was not, in fact, viewed, there may be a lower (or no) probability of compromise. For example, if a laptop computer was lost or stolen and subsequently recovered, and the Privacy Official is able to determine (based on a forensic examination of the computer) that none of the information was actually accessed, there may be no probability of compromise. The forensic basis for such a conclusion must be documented; an absence of evidence that the information was viewed is not, by itself, evidence that it was not.
- The extent to which the risk to the PHI has been mitigated. For example, if the Health Plan can obtain satisfactory assurances (in the form of a confidentiality agreement or similar documentation) from the unauthorized recipient that the information will not be further used or disclosed or will be destroyed, the probability that the privacy or security of the information has been compromised may be lowered. The identity of the recipient (e.g., another covered entity) may be relevant in determining what assurances are satisfactory.
If the Privacy Official determines that there is only a low probability that the privacy or security of the information was compromised, then the Plan will document the determination in writing, keep the documentation on file, and not provide notifications. On the other hand, if the Privacy Official is not able to determine that there is only a low probability that the privacy or security of the information was compromised, the Plan will provide notifications.
B. If a Reportable Breach Has Occurred: Notice Timing and Responsibilities
If the Privacy Official determines that a Reportable Breach has occurred, the Privacy Official will determine (in accordance with the Breach Regulations) the date the breach was discovered in order to determine the time periods for giving notice of the Reportable Breach. The Plan has reasonable systems and procedures in place to discover the existence of possible breaches, and workforce members are trained to notify the Privacy Official or other responsible person immediately so the Plan can act within the applicable time periods.
The Privacy Official is responsible for the content of notices and for the timely delivery of notices in accordance with the Breach Regulations. However, the Privacy Official may, on behalf of the Plan, engage a third party (including a Business Associate) to assist with preparation and delivery of any required notices.
The Breach Regulations may require a breach to be treated as discovered on a date that is earlier than the date the Plan had actual knowledge of the breach. The Privacy Official will determine the date of discovery as the earlier of (1) the date that a workforce member or agent of the Plan (other than the person who committed the breach) knows of the events giving rise to the breach; and (2) the date that a workforce member or agent of the Plan, such as a Business Associate acting as the Plan's agent (other than the person who committed the breach), would have known of the events giving rise to the breach by exercising reasonable diligence.
Except as otherwise specified in the notice sections that follow, notices must be given “without unreasonable delay” and in no event later than 60 calendar days after the discovery date of the breach. It is important to recognize that 60 days is an outside limit; in most cases, notification should be given much sooner. Accordingly, the investigation of a possible breach, to determine whether it is a Reportable Breach and the individuals who are affected, must be undertaken in a timely manner that does not compromise the notice deadline.
There is an exception to the timing requirements if a law-enforcement official states to the Health Plan that a notice would impede a criminal investigation or cause damage to national security. If the statement is in writing and specifies the period of delay, notice will be delayed for that period. If the statement is made orally, the Privacy Official will document the statement and the identity of the official, and will delay notice for no longer than 30 days from the date of the oral statement unless a written statement is provided during that time.
C. Business Associates
If a Business Associate commits or identifies a possible Reportable Breach relating to Health Plan participants, the Business Associate must give notice to the Health Plan’s Privacy Official. The Health Plan is responsible for providing any required notices of a Reportable Breach to individuals, HHS, and (if necessary) the media. The Health Plan may delegate responsibility for the notice requirement to a Business Associate, but only through a business associate contract.
Unless otherwise required under the Breach Regulations, the discovery date for purposes of the Plan's notice obligations is the date that the Plan receives notice from the Business Associate. If, however, the Business Associate is acting as the Plan's agent, the Breach Regulations treat the Plan as having discovered the breach when the Business Associate discovered it, and the Plan's notice deadlines run from that earlier date.
In its Business Associate contracts, the Plan will require Business Associates to-
- report incidents involving breaches or possible breaches to the Privacy Official in a timely manner;
- provide to the Plan any and all information requested by the Plan regarding the breach or possible breach, including, but not limited to, the information required to be included in notices (as described below); and
- establish and maintain procedures and policies to comply with the Breach Regulations, including workforce training.
D. Notice to Individuals
Notice to the affected individual(s) is always required in the event of a Reportable Breach. Notice will be given without unreasonable delay and in no event later than 60 calendar days after the date of discovery (as determined above).
Content of Notice to Individuals
Notices to individuals will be written in plain language and contain all of the following, in accordance with the Breach Regulations:
- A brief description of the incident.
- If known, the date of the Reportable Breach and the Discovery Date.
- A description of the types of unsecured PHI involved in the Reportable Breach (for example, full name, Social Security numbers, address, diagnosis, date of birth, account number, disability code, or other).
- The steps individuals should take to protect themselves (such as contacting credit card companies and credit monitoring services).
- A description of what the Plan is doing to investigate the Reportable Breach, such as filing a police report or reviewing security logs or tapes.
- A description of what the Plan is doing to mitigate harm to individuals.
- A description of what measures the Plan is taking to protect against further breaches (such as sanctions imposed on workforce members involved in the Reportable Breach, encryption, installation of new firewalls).
- Contact information for individuals to learn more about the Reportable Breach or ask other questions, which must include at least one of the following: Toll-free phone number, email address, website, or postal address.
Types of Notice to Individuals
The Health Plan will deliver individual notices using the following methods, depending on the circumstances of the breach and the Health Plan’s contact information for affected individuals.
Actual Notice will be given in all cases, unless the Plan has insufficient or out-of-date addresses for the affected individuals. Actual written notice-
- will be sent via first-class mail to last known address of the individual(s);
- may be sent via email instead, if the individual has agreed to receive electronic notices;
- will be sent to the parent on behalf of a minor child; and
- will be sent to the next-of-kin or personal representative of a deceased person, if the Health Plan knows the individual is deceased and has the address of the next-of-kin or personal representative.
Substitute Notice will be given if the Plan has insufficient or out-of-date addresses for the affected individuals.
- If addresses of fewer than ten living affected individuals are insufficient or out-of-date, substitute notice may be given by telephone, an alternate written notice, or other means.
- If addresses of ten or more living affected individuals are insufficient or out-of-date, substitute notice must be given via either website or media.
- Substitute notice via website. Conspicuous posting on home page of the website of the Health Plan or University for 90 days, including a toll-free number that remains active for at least 90 days where individuals can learn whether the individual’s unsecured information may have been included in the breach. Contents of the notice can be provided directly on the website or via hyperlink.
- Substitute notice via media. Conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, including a toll-free number that remains active for at least 90 days where individuals can learn whether the individual’s unsecured information may have been included in the breach. It may be necessary to give the substitute notice in both local media outlet(s) and statewide media outlet(s) and in more than one state.
- Substitute Notice is not required if the individual is deceased and the Plan has insufficient or out-of-date information that precludes written notice to the next-of-kin or personal representative of the individual.
Urgent Notice will be given, in addition to other required notice, in circumstances where imminent misuse of unsecured PHI may occur. Urgent notice must be given by telephone or other appropriate means.
- Example: Urgent notice is given to an individual by telephone. The Plan must also send an individual notice via first-class mail.
E. Notice to HHS
Notice of all Reportable Breaches will be given to HHS. The time and manner of the notice depends on the number of individuals affected. The Privacy Official is responsible for both types of notice to HHS.
Immediate Notice to HHS. If the Reportable Breach involves 500 or more affected individuals, regardless of where the individuals reside, notice will be given to HHS without unreasonable delay, and in no event later than 60 calendar days after the date of discovery (as determined above). Notice will be given in the manner directed on the HHS website.
Annual Report to HHS. The Privacy Official will maintain a log of Reportable Breaches that involve fewer than 500 affected individuals, and will report to HHS the Reportable Breaches that were discovered in the preceding calendar year. The reports are due within 60 days after the end of the calendar year. The reports will be submitted as directed on the HHS website.
F. Notice to Media (Press Release)
Notice to media (generally in the form of a press release) will be given if a Reportable Breach affects more than 500 residents of any one state or jurisdiction. The Health Plan is not required to incur any costs to publish a media notice; the decision whether to publish rests with the media outlet.
Unlike notice to HHS, the residence of affected individuals is relevant for notice to the media. For example,
- If a Reportable Breach affects 600 individuals who are residents of New Jersey, notice to media is required.
- If a Reportable Breach affects 450 individuals who are residents of New Jersey and 60 individuals who are residents of Pennsylvania, notice to media is not required in either state, even though the 510 affected individuals in total mean that immediate notice to HHS is required.
If notice to media is required, notice will be given to prominent media outlets serving the state or jurisdiction. For example:
- If a Reportable Breach involves residents of one city, the prominent media outlet would be the city’s newspaper or TV station.
- If a Reportable Breach involves residents of various parts of the state, the prominent media outlet would be a statewide newspaper or TV station.
- If a Reportable Breach affects 600 individuals who are residents of one state, and 510 individuals who are residents of another state, notice to media in both states is required.
If notice to media is required, it will be given without unreasonable delay, and in no event more than 60 calendar days after the date of discovery (as determined above). The content requirements for a notice to media are the same as the requirements for a notice to individuals. The Privacy Official is responsible for giving notice to media.