Privacy Incident & Breach Management

Date of Last Revision: Nov. 18, 2018.

1. Definitions

A privacy incident includes:

  • A contravention of the privacy policies, procedures or practices implemented by Caredove, where this contravention does not result in unauthorized collection, use, disclosure and destruction of PI/PHI or does not result in non-compliance with applicable privacy law.
  • A contravention of agreements which Caredove enters into with external stakeholders and third party service providers, including but not limited to data sharing agreements, confidentiality and non-disclosure agreements and agreements with third party service providers retained by Caredove, where this contravention does not constitute non-compliance with applicable privacy law.
  • A suspected privacy breach.

A privacy breach includes:

  • The acquisition, access, use or disclosure of PHI that is not in compliance with applicable personal health privacy laws.

A privacy breach excludes:

  1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting with proper authority, if such acquisition, access, or use was made in good faith and within their scope of authority and does not result in further use or disclosure in a manner not permitted by law;
  2. Any inadvertent disclosure by a person who is authorized to access protected health information to another person authorized to access protected health information at the same authorized organization, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by law; and
  3. A disclosure of protected health information where the authorized organization has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided in the exclusions, an acquisition, access, use, or disclosure of protected health information in a manner not permitted by Law is presumed to be a breach unless Caredove or the external stakeholder or third party service provider demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

Privacy incidents and breaches can be intentional or inadvertent.

2. Policy

The Chief Privacy Officer (CPO) at Caredove is responsible for leading the design and operation of the Agency’s privacy program, including putting processes, practices and tools in place to manage, investigate and remediate privacy incidents or breaches. The CPO is also responsible for handling the end-to-end privacy breach management efforts.

It is the Policy of Caredove to provide timely notifications to the affected organizations about all breaches of PHI.

Caredove shall notify the affected organization when any breach of PHI is discovered. A breach is treated as “discovered” by Caredove the first day on which such breach is known or should reasonably have been known to any employee or agent of Caredove other than the person who committed the breach.

All personnel and third party service providers are responsible for immediately reporting privacy incidents and breaches to the CPO of Caredove. Personnel and third party service providers are required to provide a description of the incident or breach, the individuals involved and the immediate steps taken, if any, to contain the incident or breach.

All personnel and third party service providers are responsible for actively supporting the CPO in privacy incident or breach containment, investigation and remediation activities as needed. Some of these activities may occur concurrently.

3. Procedure

Phase 1 – Containment

The containment phase of the privacy incident and breach management process focuses on confirming that a privacy incident or breach has transpired, preventing additional information assets from being affected, ensuring affected information assets are not further compromised, minimizing adverse impact to all parties and restoring normal operation as quickly as possible.

Examples of containment activities may include:

  • Suspending the unauthorized practice that resulted in the incident or breach;
  • Recovering affected records containing PI/PHI;
  • Shutting down the system that was breached;
  • Revoking access permanently or temporarily to a system; and
  • Contacting law enforcement (if the breach involves theft or other criminal activity).

It is the policy of Caredove that all reported privacy incidents and breaches shall be contained immediately. Immediate containment of privacy incidents will help to prevent them from becoming breaches and immediate containment of breaches will help to prevent further unauthorized collection, use and/or disclosure of PI/PHI.

Phase 2 – Investigation & Remediation

Once a privacy incident or breach has been appropriately contained, it shall be investigated by the CPO. Investigation will identify the root cause of the privacy incident or breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach.

Based on the findings of the investigation, the CPO determines short-term and long-term remediation strategies which are documented in a Privacy Breach Management Report. The recommendations from the investigation shall be implemented within the stated timeframe. The Privacy Breach Management Report shall be logged in the corporate compliance database.

Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to Caredove's Sanction Policy.

Phase 3 – Communication and Notification

Caredove will notify custodians of PI/PHI, individuals to whom the PI/PHI pertains or other external stakeholders of a privacy incident/breach as mandated through applicable legislation. Breach Notices must include a brief description of what happened, a description of the types of PHI involved, a brief description of the actions taken in response to the breach, and contact procedures for the Covered Entity to ask questions and obtain further information.

Logging and Document Retention

The Privacy Officer shall maintain a log of privacy incidents and breaches, including the findings of, and the recommendations from, investigations of these incidents and breaches, in accordance with Caredove's Documentation Policy.

4. Responsibilities

The CPO is considered the ultimate authority for interpreting, implementing, enforcing and maintaining this Policy. Where a privacy incident or breach is intentional or the result of negligent work practices, disciplinary action will be taken up to and including termination of employment.

The CPO is responsible for monitoring compliance with this Policy. Caredove personnel and third party service providers must comply with this procedure.

Caredove Privacy Officer
Tim Berezny, Chief Technology Officer, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2
Tel: 705-717-6359