12. Breach Policy
To provide guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law.
The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, the Department of Health and Human Services (HHS), and the media. The effective implementation date for this provision is September 23, 2009 (pending publication of HHS regulations).
In the case of a breach, W2H shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.
12.1 Applicable Standards
12.1.1 Applicable Standards from the HITRUST Common Security Framework
- 11.a Reporting Information Security Events
- 11.c Responsibilities and Procedures
12.1.2 Applicable Standards from the HIPAA Security Rule
- Security Incident Procedures - 164.308(a)(6)(i)
- HITECH Notification in the Case of Breach - 13402(a) and 13402(b)
- HITECH Timeliness of Notification - 13402(d)(1)
- HITECH Content of Notification - 13402(f)(1)
12.2 W2H Breach Policy
Discovery of Breach: A breach of ePHI shall be treated as "discovered" as of the first day on which such breach is known to the organization. Following the discovery of a potential breach, the organization shall immediately begin an investigation (see organizational policies for security incident response and/or risk management incident response), conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. W2H shall also begin the process of determining what external notifications are required or should be made (e.g., the Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).
The processes to be followed are described in more detail in the §11 - Incident Response Policy section.
12.3 W2H Platform Customer Responsibilities
- The W2H Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured ePHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify W2H of such breach. The Customer shall provide W2H with the following information:
  - A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
  - A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
  - A description of the action taken with regard to notification of patients regarding the breach.
  - Resolution steps taken to mitigate the breach and prevent future occurrences.
- Notice to Media: W2H Customers are responsible for providing notice to prominent media outlets at the Customer's discretion.
- Notice to Secretary of HHS: W2H Customers are responsible for providing notice to the Secretary of HHS at the Customer's discretion.