Suspect a HIPAA Breach- Who you Gonna Call?

Albeit unintentional or inadvertent, we all may be able to gain access to Protected Health Information (PHI).  Perhaps we use a computer that was left logged into?  Found a patient medical record on a fax machine, wastebasket or printer?  Or overheard a conversation in the cafeteria or hallway?  As UIC workforce (employees, volunteers, trainees, and others whose conduct, in the performance of work for UIC, is under the control of UIC) we are required to communicate all potential breaches and quickly.

What is a breach?

The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A Breach may occur with respect to PHI in any form, and not only in electronic form.

What is a potential breach?

A potential breach is an event that could be a breach, but it has not been confirmed as a breach by the Privacy Official.  All potential breaches are presumed to be breaches unless and until an investigation establishes otherwise.

What is the process for communicating a potential breach?

If you are a COM workforce member and you become aware of a potential breach, you should immediately notify either of the COM HIPAA liaisons:

Todd Van Neck

Associate Dean for Administration

UI College of Medicine

College of Medicine West Tower, room 131

1853 West Polk Street, m/c 784

Chicago, Illinois, 60612

P: 312.996.3500 | E: [email protected]

Nicole Almiro

Director of Compliance

UI College of Medicine

914 South Wood Street, 218 MCA (M/C 904)

P: 312.413.0573 | E: [email protected]

Alternatively, you may contact:

  • Privacy Official:Cynthia Herrera Lindstrom

    Vice Provost for IT & CIO

    Uof I HIPAA Privacy and Security Officer

    Executive Director, Academic Computing and Communications Center

    Univ of Illinois at Chicago

    1940 W Taylor Street

    Chicago, IL 60612

    P: 312.413.2495 | E: [email protected]

  • Ethics Line at 866-758-2146 or [email protected]

Your notification should include:

  • the nature and extent of PHI involved, including types of identifiers;
  • Unauthorized person who used the PHI or to whom the disclosure was made; and
  • Whether the PHI was actually acquired or used (if known).

Your notification should NOT include the actual PHI.  If you did acquire written PHI, please keep it secure and do not forward with your initial communication.

Who to Contact with Questions?

Feel free to contact me, Todd Van Neck or Cynthia Herrera Lindstrom with any questions regarding HIPAA compliance.