Breach Notification Policy Statement
HIPAA regulations require Covered Entities and their Business Associates to investigate and mitigate any security or other incidents that involve potential unauthorized access, acquisition, use and/or disclosure of Electronic Protected Health Information (ePHI). Except in very limited instances, any unauthorized access to a Covered Entity's PHI constitutes a breach. Breaches impacting 500 or more individuals must be reported to the U.S. Department of Health & Human Services, the media and the impacted individuals within 60 days of discovery. Breaches impacting fewer than 500 individuals must be reported to the impacted individuals within 60 days of discovery and reported on an annual basis to HHS.
Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law. Kenz Innovation HCM is a Business Associate and is required to comply with these regulations. It is the policy of Kenz Innovation to comply with these regulations at all times. This policy applies to all Kenz Innovation employees, contractors, third parties or business associates who provide services to or conduct business on behalf of Kenz Innovation.
Objective
To provide guidance for breach notification when unauthorized access, acquisition, use and/or disclosure of the ePHI occurs.
Scope
This policy applies to all Kenz Innovation employees, contractors, third parties or business associates who provide services to or conduct business on behalf of Kenz Innovation.
Policy Guidelines
- Discovery of Breach: A breach of ePHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence, would have been known to Kenz Innovation (this includes breaches by the organization’s Customers, Partners, or subcontractors). Kenz Innovation shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see the organizational process for security incident management) immediately, conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Kenz Innovation shall also begin the process of determining what external notifications are required or should be made (e.g., the Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).
- Breach Investigation: The Kenz Innovation Security Officer/ISM shall act as investigator and be responsible for the management of the breach investigation, completion of a risk assessment, and coordination with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years. A breach log is prepared and stored in a central repository.
- Risk Assessment: For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must constitute a violation of the HIPAA Privacy Rule. A use or disclosure of ePHI that is incidental to an otherwise permissible use or disclosure, and that occurs despite reasonable safeguards and proper minimum necessary procedures, would not be a violation of the Privacy Rule and would not qualify as a potential breach. To determine whether an impermissible use or disclosure of ePHI constitutes a breach and requires further notification, the organization will perform a risk assessment to determine whether there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form, noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating either that all required notifications were made to the appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
- Consideration of who impermissibly used or to whom the information was impermissibly disclosed.
- The type and amount of ePHI involved.
- The cause of the breach, and the entity responsible for the breach, either Customer, Kenz Innovation, or Partner.
- The potential for significant risk of financial, reputational, or other harm.
- Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected Kenz Innovation Customers no later than 4 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
- Content of the Notice: The notice shall be written in plain language and shall contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known.
- Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
- A brief description of what Kenz Innovation is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which may include a contact number, an e-mail address, a web site, or postal address.
- Methods of Notification: Kenz Innovation Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
- Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Kenz Innovation shall maintain a process to record or log all breaches of unsecured ePHI regardless of the number of records and Customers affected. The following information should be collected/logged for each breach.
- A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
- A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
- A description of the action taken with regard to notification of individuals/patients regarding the breach.
- Resolution steps taken to mitigate the breach and prevent future occurrences.
- Workforce Training: Kenz Innovation shall train all members of its workforce on the policies and procedures with respect to ePHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.
- Complaints: Kenz Innovation shall provide a process for individuals to make complaints concerning the organization’s privacy policies and procedures or its compliance with such policies and procedures.
- Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.
- Retaliation/Waiver: Kenz Innovation may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Contact us
If you have any questions about this Privacy Policy, please contact us at compliance@kenzinnovationhcm.com
This Policy was last updated on 21 July 2021.