This policy sets forth the responsibilities of Brown University’s (the “Employer”) self-funded group health plans for notification of breaches of unsecured protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

All members of the Employer’s workforce who have access to Protected Health Information (PHI) must comply with this HIPAA Breach Notification Policy. For the purposes of this HIPAA Breach Notification Policy, the Employer’s workforce includes individuals who would be considered part of the workforce under HIPAA, such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the Employer, whether or not they are paid by the Employer. The term “employee” includes all of these types of workers.

The self-funded group health benefits offered by the Employer (collectively, the “Plan”) and the Plan’s contractors and vendors will strive to prevent breaches of Unsecured Protected Health Information (“PHI”) electronically or otherwise, and maintain privacy and security measures to protect the confidentiality of PHI. Pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) and regulations promulgated thereunder, and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Plan will notify individuals when Unsecured PHI was, or was reasonably believed to have been, accessed, acquired, used, or disclosed by an unauthorized person, when a confirmed breach of the security of Unsecured PHI does not fall within a statutory exception or there is a low probability that the PHI has been compromised. Confirmed breaches of the security or confidentiality of Unsecured PHI will invoke certain actions to determine the degree of risk and impact of the breach upon an individual(s) and, under specific circumstances, notification of the breach to the affected individual(s).

The Plan has implemented reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI in its possession. Additionally, the Plan has implemented reasonable systems for the discovery and reporting of a breach of PHI. A “breach” is the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI except where an unauthorized person to whom such information was disclosed would not reasonably have been able to retain the information.

When a breach has been reported to the Plan’s HIPAA Security Officer (“Security Officer”) or HIPAA Privacy Officer (“Privacy Officer”), the breach response team will be assembled and an investigation into the breach will be conducted. The response team will be comprised of the Security Officer, the Privacy Officer, legal counsel, and any other personnel deemed appropriate for the circumstance.

The investigation and steps taken by the response team will be thoroughly documented. The Privacy Officer will document the investigation, as well as any investigation conducted by a business associate, contractor, or vendor and maintain a record of the investigation and the basis for determining that a breach did not occur for six (6) years from the date of the response team’s decision.

If the Security Officer confirms that a breach of security or confidentiality has occurred and has resulted in the unauthorized disclosure of PHI, the response team will take the following risk assessment steps:

• Determine whether or not the information breached was Unsecured PHI. Unsecured PHI includes information not secured through encryption or destruction and is not rendered unusable, unreadable, or indecipherable to unauthorized individuals as defined by the HIPAA security rule and HITECH breach notification regulations.
• Determine the probability that the PHI has been compromised based on a risk assessment of at least the following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.

The risk assessment will be documented thoroughly, including the actions taken, the conclusions of the assessment, and the basis for the determination that there was or was not a low probability that the PHI was compromised.

If it is determined that the information breached was secured and there is no reasonable likelihood that the secured information was rendered viewable by an unauthorized person, no further action is necessary, but the determination and conclusion will be documented.

If it is determined that the information breached was Unsecured PHI, but the circumstance of the breach falls within one of the exceptions to the breach notification regulations, so notification is not required, such determination will be documented.

If it is determined that the breach of the security of the system demonstrates that there is more than a low probability that the PHI was compromised, the Plan will as soon as possible, but no later than 60 days after the discovery of the breach, notify the individual(s) whose information was disclosed as a result of the breach, and the determination and conclusion will be documented.

If it is determined that the information breached was Unsecured PHI, an analysis of the requirements for notification of the State in which the individual resides will be conducted and documented.

If notification to law enforcement or another regulatory body or agency is required under State law, such notification will be made to the regulatory body or agency in accordance with State law.

If State law requires notification to the individual, notification will be made in accordance with State law.

Notification to the individual may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the notification will be made after law enforcement determines it will not compromise its investigation.

Notification of a breach to affected individuals will be in plain language and include:

• a brief description of what happened, including the date of the breach and discovery of the breach;
• a description of the type of Unsecured PHI or other personal information that was involved in the breach;
• any steps individuals should take to protect themselves from potential harm resulting from the breach;
• a description of the investigation into the breach, mitigation of harm to individuals, and protection against further breaches; and
• contact procedures, which will include a toll-free telephone number, an e-mail address, website, or postal address.

The notification must include any additional information required by applicable State law.

If the breach involves more than 500 individuals, the Plan will provide notice to a prominent local media outlet and to the Secretary of the Department of Health and Human Services (“HHS”) through a press release.

The Plan will maintain a log of any and all breaches of Unsecured PHI and shall report such breaches to the Secretary of HHS on an annual basis by providing the log to the Secretary.

The Plan will require business associates and vendors, through their contracts and/or business associate agreements with the Plan to provide notification of a breach to the Plan so that the Plan can notify affected individuals, as necessary. Business associates must provide all available information to the Plan without delay.

The Plan shall maintain documentation of each individual notified, each log provided to HHS, and any other notification to the Secretary of HHS as required by law. Such documentation will be maintained by the Privacy Officer.

N/A

All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure compliance with it.

Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.

This policy is not a legal document. This policy does not confer a term of employment, nor is the language intended to establish a contract of employment, express or implied, between any employee and Brown University. The University reserves the right to change, amend or terminate any of its human resources policies at any time for any reason.

Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).

The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.