4.3.E HIPAA/Breach Notification: Notifications to Individuals (including Substitute Notice)

  • POLICY:

    Lister Healthcare Corporation has a duty to protect the confidentiality and integrity of confidential medical and personal information as required by law, professional ethics and accreditation requirements. PHI may only be disposed of by means that ensure that it will not be accidentally released to an outside party. In the event of a breach, LHCC will abide by all federal guidelines in notifying patients and appropriate authorities of such action, as identified by 45 C.F.R. 164.404(a) (Notice to Individuals) and 45 C.F.R. 164.404(d)(2) (Substitute Notice).

    PROCEDURE:

    LHCC shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach.

    A breach is treated as discovered by a covered entity when it is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).

    Implementation specification: Timeliness of notification. LHCC shall provide notification without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. 

    Content of notification: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

    1. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved).
    2. Any steps individuals should take to protect themselves from potential harm resulting from the breach;
    3. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to the individuals and to protect against any further breaches;
    4. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address.
    5. Plain language requirement. The notification shall be written in plain language.

    Implementation specifications: Methods of individual notification.

    1. Written notice by first class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
    2. If LHCC knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notice by first class mail may be provided as information is available. 
    3. Substitute notice: In the case in which there is insufficient or out of date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out of date contact information that precludes written notification to the next of kin or personal representative of the individual.
    4. In the case in which there is insufficient or out of date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone or other means.
    5. In the case in which there is insufficient or out of date contact information for 10 or more individuals, then such substitute notice shall:
      1. Be in the form of either a conspicuous posting for a period of 90 days on the homepage of the website of the covered entity involved or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
      2. Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.

    Additional notice in urgent situations: In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided.

    Revised 11/2016
