Suspect a HIPAA Breach: Who You Gonna Call?
However unintentionally or inadvertently, any of us may gain access to Protected Health Information (PHI). Perhaps we use a computer that was left logged in, find a patient medical record on a fax machine, in a wastebasket or on a printer, or overhear a conversation in the cafeteria or hallway. As UIC workforce (employees, volunteers, trainees, and others whose conduct, in the performance of work for UIC, is under the control of UIC), we are required to communicate all potential breaches, and to do so quickly.
What is a breach?
The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A Breach may occur with respect to PHI in any form, and not only in electronic form.
What is a potential breach?
A potential breach is an event that could be a breach but has not been confirmed as a breach by the Privacy Official. All potential breaches are presumed to be breaches unless and until an investigation establishes otherwise.
What is the process for communicating a potential breach?
If you are a COM workforce member and you become aware of a potential breach, you should immediately notify either of the COM HIPAA liaisons:
Todd Van Neck
Associate Dean for Administration
UI College of Medicine
College of Medicine West Tower, room 131
1853 West Polk Street, m/c 784
Chicago, Illinois, 60612
P: 312.996.3500 | E: firstname.lastname@example.org
Director of Compliance
UI College of Medicine
914 South Wood Street, 218 MCA (M/C 904)
P: 312.413.0573 | E: email@example.com
Alternatively, you may contact:
- Privacy Official: Cynthia Herrera Lindstrom
Vice Provost for IT & CIO
U of I HIPAA Privacy and Security Officer
Executive Director, Academic Computing and Communications Center
Univ of Illinois at Chicago
1940 W Taylor Street
Chicago, IL 60612
P: 312.413.2495 | E: Cynthiar@uic.edu
- Ethics Line at 866-758-2146 or firstname.lastname@example.org.
Your notification should include:
- the nature and extent of the PHI involved, including types of identifiers;
- the unauthorized person who used the PHI or to whom the disclosure was made; and
- whether the PHI was actually acquired or used (if known).
Your notification should NOT include the actual PHI. If you did acquire written PHI, please keep it secure and do not forward it with your initial communication.
Who to Contact with Questions?
Feel free to contact me, Todd Van Neck or Cynthia Herrera Lindstrom with any questions regarding HIPAA compliance.