Date of Last Revision: Nov. 18, 2018.
A privacy incident includes:
A privacy breach includes:
A privacy breach excludes:
Except as provided in the exclusions, an acquisition, access, use, or disclosure of protected health information in a manner not permitted by Law is presumed to be a breach unless Caredove or the external stakeholder or third party service provider demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
Privacy incidents and breaches can be intentional or inadvertent.
The Chief Privacy Officer (CPO) at Caredove is responsible for leading the design and operation of the Agency’s privacy program, including putting processes, practices and tools in place to manage, investigate and remediate privacy incidents or breaches. The CPO is also responsible for handling the end-to-end privacy breach management efforts.
It is the Policy of Caredove to provide timely notifications to the affected organizations about all breaches of PHI.
Caredove shall notify the affected organization when any breach of PHI is discovered. A breach is treated as “discovered” by Caredove on the first day on which such breach is known, or should reasonably have been known, to any employee or agent of Caredove other than the person who committed the breach.
All personnel and third party service providers are responsible for immediately reporting privacy incidents and breaches to the CPO of Caredove. Personnel and third party service providers are required to provide a description of the incident or breach, the individuals involved and the immediate steps taken, if any, to contain the incident or breach.
All personnel and third party service providers are responsible for actively supporting the CPO in privacy incident or breach containment, investigation and remediation activities as needed. Some of these activities may occur concurrently.
The containment phase of the privacy incident and breach management process focuses on confirming that a privacy incident or breach has transpired, preventing additional information assets from being affected, ensuring affected information assets are not further compromised, minimizing adverse impact to all parties and restoring normal operation as quickly as possible.
Examples of containment activities may include:
It is the policy of Caredove that all reported privacy incidents and breaches shall be contained immediately. Immediate containment of privacy incidents will help to prevent them from becoming breaches and immediate containment of breaches will help to prevent further unauthorized collection, use and/or disclosure of PI/PHI.
Once a privacy incident or breach has been appropriately contained, it shall be investigated by the CPO. Investigation will identify the root cause of the privacy incident or breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach.
Based on the findings of the investigation, the CPO determines short-term and long-term remediation strategies which are documented in a Privacy Breach Management Report. The recommendations from the investigation shall be implemented within the stated timeframe. The Privacy Breach Management Report shall be logged in the corporate compliance database.
Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to Caredove's Sanction Policy.
Caredove will notify custodians of PI/PHI, individuals to whom the PI/PHI pertains or other external stakeholders of a privacy incident/breach as mandated through applicable legislation. Breach Notices must include a brief description of what happened, a description of the types of PHI involved, a brief description of the actions taken in response to the breach, and contact procedures for the Covered Entity to ask questions and obtain further information.
The Privacy Officer shall maintain a log of privacy incidents and breaches, including the findings of, and the recommendations from investigations of these incidents and breaches in accordance with Caredove's Documentation Policy.
The CPO is considered the ultimate authority for interpreting, implementing, enforcing and maintaining this Policy. Where a privacy incident or breach is intentional or the result of negligent work practices, disciplinary action will be taken up to and including termination of employment.
The CPO is responsible for monitoring compliance with this Policy. Caredove personnel and third party service providers must comply with this procedure.
Caredove Privacy Officer
Tim Berezny, Chief Technology Officer, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2