Privacy Incident & Breach Management

Policy Owner: Chief Privacy Officer

Effective Date: May 8, 2024

Purpose 

This document establishes the plan for managing Privacy Events. A Privacy Event means that Protected Health Information (PHI) has taken a path it wasn’t intended to take, which potentially exposes it to unauthorized human eyes. Events are of two kinds: 1) privacy incidents and 2) privacy breaches. This document describes how employees and incident responders respond to these events.

Scope 

This policy covers all information security or data privacy events or incidents.

Privacy Incidents and Breaches

The following sections: Definitions, Responsibilities, Reporting and Procedure; are published publicly at https://about.caredove.com/legal/privacy-incident-breach-management

Definitions

A privacy incident includes:

  • A contravention of the privacy policies, procedures or practices implemented by Caredove, where this contravention does not result in unauthorized collection, use, disclosure and destruction of Protected Health Information (PHI) and remains in compliance with applicable privacy law.
  • A contravention of agreements which Caredove enters into with external stakeholders and third party service providers, including but not limited to data sharing agreements, confidentiality and non-disclosure agreements and agreements with third party service providers retained by Caredove, where this contravention remains in compliance with applicable privacy law.
  • A suspected privacy breach.

A privacy breach includes:

  • The acquisition, access, use or disclosure of PHI that is not in compliance with applicable personal health privacy laws. 

A privacy breach or incident excludes:

  • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting with proper authority, if such acquisition, access, or use was made in good faith and within their scope of authority and does not result in further use or disclosure in a manner not permitted by law;
  • Any inadvertent disclosure by a person who is authorized to access protected health information to another person authorized to access protected health information at the same authorized organization, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by law; and
  • A disclosure of PHI where the authorized organization has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided in the exclusions, an acquisition, access, use, or disclosure of PHI in a manner not permitted by Law is presumed to be a Breach unless Caredove or the external stakeholder or third party service provider demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

Privacy Incidents and Breaches can be intentional or inadvertent.

Responsibilities

The Chief Privacy Officer (CPO) at Caredove is responsible for leading the design and operation of the Agency’s privacy program, including putting processes, practices and tools in place to manage, investigate and remediate privacy incidents or breaches. The CPO is also responsible for handling the end-to-end privacy breach management efforts.

The CPO (or delegate) is responsible for classifying an event as either a breach or an incident. This is done carefully, as the consequence of error in classification can be significant. Employees are to consult the internally available privacy event playbook. 

The CPO is considered the ultimate authority for interpreting, implementing, enforcing and maintaining this Policy. Where a privacy incident or breach is intentional or the result of negligent work practices, disciplinary action will be taken up to and including termination of employment.

The CPO is responsible for monitoring compliance with this Policy. Caredove personnel and third party service providers must comply with this procedure.

All personnel and third party service providers are responsible for actively supporting the CPO in privacy incident or breach containment, investigation and remediation activities as needed. Some of these activities may occur concurrently.

Reporting

It is the Policy of Caredove to provide timely notifications to the affected organizations about all breaches of PHI.

All personnel and third party service providers are responsible for immediately reporting privacy incidents and breaches to the CPO of Caredove. Personnel and third party service providers are required to provide a description of the incident or breach, the individuals involved and immediate steps taken, if any, to contain the incident or breach.

Procedure

Phase 1 – Identification and Containment

Identification

If there is belief that a potential breach of PHI has occurred, the CPO, or their designated representative, must be immediately notified.

The notification of potential breach is to include the following:

  • Names
  • Dates
  • The nature of the PHI potentially breached
  • The manner of the disclosure (fax, email, mail, verbal)
  • All employees involved
  • The recipient
  • All other persons with knowledge
  • Any associated written or electronic documentation that may exist. 

Notification and associated documentation may itself contain PHI and should only be given to the CPO or their designated representative.

Containment

The containment phase of the privacy incident and breach management process focuses on confirming that a privacy incident or breach has transpired, preventing additional information assets from being affected, ensuring affected information assets are not further compromised, minimizing adverse impact to all parties and restoring normal operation as quickly as possible.

Examples of containment activities may include:

  • Suspending the unauthorized practice that resulted in the incident or breach;
  • Recovering affected records containing PI/PHI;
  • Shutting down the system that was breached;
  • Revoking access permanently or temporarily to a system; and
  • Contacting law enforcement (if the breach involves theft or other criminal activity).

It is the policy of Caredove that all reported privacy incidents and breaches shall be contained immediately. Immediate containment of privacy incidents will help to prevent them from becoming breaches and immediate containment of breaches will help to prevent further unauthorized collection, use and/or disclosure of PI/PHI.

Phase 2 – Investigation & Risk Assessment

Investigation

Once a privacy incident or breach has been appropriately contained, it shall be investigated by the CPO. Investigation will identify the root cause of the privacy incident or breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach.

The investigation shall include the following activities:

  • Interviewing employees involved
  • Collecting written documentation
  • Completing all appropriate documentation
  • Forensic investigation (optional depending on incident)

Based on the findings of the investigation, the CPO determines short-term and long-term remediation strategies which are documented in a Privacy Breach Management Report. The recommendations from the investigation shall be implemented within the stated time frame. The Privacy Breach Management Report shall be logged in the corporate compliance database.

Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to Caredove's Sanction Policy.

Risk Assessment

Upon completion of the investigation, the CPO, or their designated representative, shall perform and document the Risk Assessment and make a recommendation to executive management and/or legal counsel regarding whether notification to the Covered Entity of the potential breach would be prudent.

When executing the risk assessment, a “reasoned judgment” standard will be applied to the incident which shall be fact specific, and shall include consideration of the following factors:

  • Did the disclosure involve Unsecured PHI in the first place? 
  • Who impermissibly used or disclosed the Unsecured PHI? 
  • To whom was the information impermissibly disclosed? 
  • Was it returned before it could have been accessed for an improper purpose? 
  • What type of Unsecured PHI is involved and in what quantity? 
  • Was the disclosure made for any improper purpose? 
  • Is there the potential for significant risk of financial, reputational, or other harm to the individual whose PHI was disclosed?
  • Was immediate action taken to mitigate any potential harm?
  • Do any of the specific breach exceptions apply?

Legal and executive staff shall determine any immediate or long term mitigations or remedial actions that need to be taken as a result of an incident or breach. In the event that mitigations or remedial actions are needed, executive staff shall direct personnel with respect to planning, communicating and executing those activities.

The Company complies with local jurisdictional privacy laws and investigations. The Company shall provide all documentation or assistance required by law in connection with privacy-related investigations, and shall not impede or obstruct these investigations.

Phase 3 – Communication and Notification

In the event that Caredove Inc.’s executive management and/or legal counsel determines that notice to the Covered Entity is warranted, Caredove Inc.’s executive management and/or legal counsel or the designated representative shall promptly prepare and transmit a notice to the Covered Entity. 

  1. Timing of Notification

Caredove Inc. shall notify the Covered Entity “without unreasonable delay” but no later than 60 days after discovery and/or notification of the breach, as required by law.

  2. Delay of Notification

    a. Unjustified Delay

If it appears to the CPO, or their designated representative, that their investigation will not be completed within a reasonable time, executive management and/or legal counsel shall be informed to ensure that the Covered Entity will be notified before completion of the investigation.

    b. Law Enforcement Delay

A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security.

      i. If a law enforcement request is received, the law enforcement statement must be in writing and must specify the length of the delay required.
      ii. If the request for a delay in notification is oral, Caredove Inc. must document the statement and request written confirmation within 30 days. If no written request for a delay is received within that time, Caredove Inc. must send notification of the breach to the Covered Entity.

  3. Content of Notification

Any notification to the Covered Entity provided by Caredove Inc. shall include all information as required by law, but at a minimum, will contain the following content:

  • Identification of each individual whose PHI is believed to have been breached
  • The date of the incident discovery
  • The date of disclosure
  • The facts and circumstances surrounding the disclosure
  • All associated documentation
  • All other available information known to Caredove Inc. that the Covered Entity will be required to include in its own Notice to the individual(s).

Any additional information regarding the breach that Caredove Inc. discovers after the initial notice to the Covered Entity shall be promptly provided to the Covered Entity as required by law.

Any notice to the Covered Entity shall be sent via first class mail with a return receipt requested and the return receipt as well as a copy of the Covered Entity Notice shall be kept with related documentation.

Logging and Document Retention

The Privacy Officer shall maintain a log of privacy incidents and breaches, including the findings of, and the recommendations from investigations of these incidents and breaches in accordance with Caredove's Documentation Policy, for a minimum of six years, or in accordance with established record retention requirements, whichever is greater.

Incident responders shall collect, store, and preserve incident-related evidence in accordance with industry guidance and best practices such as NIST SP 800-86, ‘Guide to Integrating Forensic Techniques into Incident Response’.

Jurisdictional Considerations

United States: In the US jurisdiction, Caredove complies with HIPAA laws and regulations.

Canada: In the Canadian jurisdiction, Caredove complies with the following laws and regulations:

  • PIPEDA (Federal Privacy Legislation)
  • PHIPA (Ontario Health Privacy Legislation)

Caredove Privacy Officer
Tim Berezny, Chief Technology Officer, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2
Tel: 705-717-6359
tim@caredove.com