Policy Owner: Chief Privacy Officer
Effective Date: Nov 17, 2022
This document establishes the plan for managing incidents of two kinds: 1) Privacy incidents and breaches; 2) Platform functionality outages. It offers guidance for employees or incident responders who believe they have discovered, or are responding to, these events.
This policy covers all information security or data privacy events or incidents, as well as platform outage incidents.
The following sections: Definitions, Responsibilities, Reporting and Procedure; are published publicly at https://about.caredove.com/legal/privacy-incident-breach-management
A privacy incident includes:
A privacy breach includes:
A privacy breach or incident excludes:
Except as provided in the exclusions, an acquisition, access, use, or disclosure of PHI in a manner not permitted by Law is presumed to be a Breach unless Caredove or the external stakeholder or third party service provider demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
The Chief Privacy Officer (CPO) at Caredove is responsible for leading the design and operation of the Agency’s privacy program, including putting processes, practices and tools in place to manage, investigate and remediate privacy incidents or breaches. The CPO is also responsible for handling the end-to-end privacy breach management efforts.
The CPO is considered the ultimate authority for interpreting, implementing, enforcing and maintaining this Policy. Where a privacy incident or breach is intentional or the result of negligent work practices, disciplinary action will be taken up to and including termination of employment.
The CPO is responsible for monitoring compliance with this Policy. Caredove personnel and third party service providers must comply with this procedure.
All personnel and third party service providers are responsible for actively supporting the CPO in privacy incident or breach containment, investigation and remediation activities as needed. Some of these activities may occur concurrently.
It is the Policy of Caredove to provide timely notifications to the affected organizations about all breaches of PHI.
All personnel and third party service providers are responsible for immediately reporting privacy incidents and breaches to the CPO of Caredove. Personnel and third party service providers are required to provide a description of the incident or breach, the individuals involved and immediate steps taken, if any, to contain the incident or breach.
If there is belief that a potential breach of PHI has occurred, the CPO, or their designated representative, must be immediately notified.
The notification of potential breach is to include the following:
Notification and associated documentation may itself contain PHI and should only be given to the CPO or their designated representative.
The containment phase of the privacy incident and breach management process focuses on confirming that a privacy incident or breach has transpired, preventing additional information assets from being affected, ensuring affected information assets are not further compromised, minimizing adverse impact to all parties and restoring normal operation as quickly as possible.
Examples of containment activities may include:
It is the policy of Caredove that all reported privacy incidents and breaches shall be contained immediately. Immediate containment of privacy incidents will help to prevent them from becoming breaches and immediate containment of breaches will help to prevent further unauthorized collection, use and/or disclosure of PI/PHI.
Once a privacy incident or breach has been appropriately contained, it shall be investigated by the CPO. Investigation will identify the root cause of the privacy incident or breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach.
The investigation shall include the following activities:
Based on the findings of the investigation, the CPO determines short-term and long-term remediation strategies which are documented in a Privacy Breach Management Report. The recommendations from the investigation shall be implemented within the stated time frame. The Privacy Breach Management Report shall be logged in the corporate compliance database.
Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to Caredove's Sanction Policy
Upon completion of the investigation, the CPO, or their designated representative, shall perform and document the Risk Assessment and make a recommendation to executive management and/or legal counsel regarding whether notification to the Covered Entity of the potential breach would be prudent.
When executing the risk assessment, a “reasoned judgment” standard will be applied to the incident which shall be fact specific, and shall include consideration of the following factors:
Legal and executive staff shall determine any immediate or long term mitigations or remedial actions that need to be taken as a result of an incident or breach. In the event that mitigations or remedial actions are needed, executive staff shall direct personnel with respect to planning, communicating and executing those activities.
The Company complies with local jurisdictional privacy laws and investigations. The Company shall provide all documentation or assistance required by law in connection with privacy-related investigations, and shall not impede or obstruct these investigations.
In the event that Caredove Inc.’s executive management and/or legal counsel determines that notice to the Covered Entity is warranted, Caredove Inc.’s executive management and/or legal counsel or the designated representative shall promptly prepare and transmit a notice to the Covered Entity.
Caredove Inc. shall notify the Covered Entity “without unreasonable delay” but no later than 60 days after discovery and/or notification of the breach, as required by law.
If it appears to the CPO, or their designated representative, that their investigation will not be completed within a reasonable time, executive management and/or legal counsel shall be informed to ensure that the Covered Entity will be notified before completion of the investigation.
A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security
Any notification to the Covered Entity provided by Caredove Inc. shall include all information as required by law, but at a minimum, will contain the following content:
Any additional information regarding the breach that Caredove Inc. discovers after the initial notice to the Covered Entity be promptly provided to the Covered Entity as required by law.
Any notice to the Covered Entity shall be sent via first class mail with a return receipt requested and the return receipt as well as a copy of the Covered Entity Notice shall be kept with related documentation.
The Privacy Officer shall maintain a log of privacy incidents and breaches, including the findings of, and the recommendations from investigations of these incidents and breaches in accordance with Caredove's Documentation Policy, for a minimum of six years, or in accordance with established record retention requirements, whichever is greater.
Incident responders shall collect, store, and preserve incident-related evidence in accordance with industry guidance and best practices such as NIST SP 800-86 ‘Guide to Integrating Forensic Techniques into Incident Response’
United States: In the US jurisdiction, Caredove complies with HIPAA laws and regulations
Canada: In the Canadian jurisdiction, Caredove complies with the following laws and regulations:
Caredove Privacy Officer
Tim Berezny, Chief Technology Officer, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2