Reporting and Notifying Individuals of Security Breaches
Last Update: February 2010
Responsible University Officer:
- Chief Information Officer
- Vice President for Information Technology
- Primary Contact: Brian Dahlin
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private data about them.
Report to University. University employees and students must report all known or suspected breaches of security of private data to the CIO, to enable the CIO to determine whether notification is required. Suspected breaches can be reported at email@example.com or your campus help desk. Additionally, all suspected or known data security breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University's Privacy and Security Office at firstname.lastname@example.org.
Notification to Individuals. The Chief Information Officer or delegate, in consultation with the General Counsel's Office and appropriate compliance officers, will be responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation.
REASON FOR POLICY
This policy requires communication regarding security breaches in order to protect individuals from potential harm arising from the unauthorized acquisition of private information about them, and promotes compliance with state and federal privacy and data security laws.
There are no forms for this policy.
HIPAA Privacy/Security Office
- Breach of security
- For purposes of this policy, this means unauthorized acquisition, access, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. "Breach" does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving de-identified data.
- Business Associate
- With respect to a health care component, a person or entity not a part of the University who, on behalf of the health care component, performs or assists in the performance of certain functions requiring use or disclosure of protected health information. Members of the workforce of one University health care component who perform the business function for another University health care component are not business associates.
- Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.
- Private data
- University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g., Payment Card Industry for credit cards, some research contracts).
- Protected health information ("PHI")
- Health information transmitted or maintained in any form or medium that:
- Identifies or could be used to identify an individual;
- Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
- The following records are exempted from the definition of PHI:
- Student records maintained by an educational institution;
- Treatment records about a post-secondary student meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.
- All Employees
- Report good faith concerns about security breaches of private data.
- Chief Information Officer
- Make determinations, in consultation with the General Counsel's Office and appropriate compliance officers, as to whether notification is required, and direct responsible departments in complying with notification obligations.
- Collegiate/Unit Administrators
- Provide timely and effective notification to individuals as directed by the CIO when there has been a security breach of private data in their area.
- General Counsel
- Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.
- Administrative Policy: Managing Student Records
- Administrative Policy: Administration and Oversight for Protection of Individual Health Information
- Administrative Policy: Use and Disclosure of Individual Health Information for Research
- Administrative Policy: Protection of Individual Health Information by University Health Care Components (HIPAA)
- Administrative Policy: Reporting and Addressing Concerns of Misconduct
- Safe Computing: Identity Theft
- Examples of Public, Private and Confidential Information
Laws and Regulations
- Minnesota Government Data Practices Act, including Minn. Stat. section 13.055
- Minnesota Statutes section 325E.61
- HIPAA Regulations, 45 CFR Part 164, Subpart D
- February 2010 - Policy and Procedure updated to comply with HITECH regulations.
- May 2006