Reporting and Notifying Individuals of Security Breaches

• Updated: February 2010
• Primary Contact : Brian Dahlin

The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private data about them.

Report to University. University employees and students must report all known or suspected breaches of security of private data to the CIO, to enable the CIO to determine whether notification is required. Suspected breaches can be reported at abuse@umn.edu or your campus help-desk. Additionally, all suspected or known data security breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University’s Privacy and Security Office at privacy@umn.edu.

Notification to Individuals. The Chief Information Officer or delegate, in consultation with the General Counsel's Office and appropriate compliance officers, will be responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation.

This policy requires communication regarding security breaches in order to protect individuals from potential harm arising from the unauthorized acquisition of private information about them, and promotes compliance with state and federal privacy and data security laws.

• Reporting Security Incidents and Making Notification

There are no forms for this policy.

Campus Help Desks

Breach of security

For purposes of this policy this means unauthorized acquisition, access, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University , if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving de-identified data.

Business Associate

With respect to a health care component, a person or entity not a part of the University who, on behalf of the health care component performs or assists in the performance of certain functions requiring use or disclosure of protected health information. Members of the workforce of one University health care component who perform the business function for another University health care component are not business associates.

Data

Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.

Private data

University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. Payment Card Industry for credit cards, some research contracts).

Protected health information ("PHI")

Health information transmitted or maintained in any form or medium that:

1. Identifies or could be used to identify an individual;
2. Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
3. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

The following records are exempted from the definition of PHI:

1. Student records maintained by an educational institution;
2. Treatment records about a post-secondary students meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
3. Employment records held by a covered entity in its role as employer.

Unauthorized acquisition

For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.

All Employees

Report good faith concerns about security breaches of private data.

Chief Information Officer

Make determinations, in consultation with the General Counsel's Office and appropriate compliance officers, as to whether notification is required, and direct responsible departments in complying with notification obligations.

Collegiate/Unit Administrators

Provide timely and effective notification to individuals as directed by the CIO when there has been a security breach of private data in their area.

General Counsel

Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.

• Examples of Public, Private and Confidential Information

• Reporting and Notifying Individuals of Security Breaches FAQ

• Administrative Policy: Managing Student Records
• Administrative Policy: Administration and Oversight for Protection of Individual Health Information
• Administrative Policy: Use and Disclosure of Individual Health Information for Research
• Administrative Policy: Protection of Individual Health Information by University Health Care Components (HIPAA)
• Administrative Policy: Reporting and Addressing Concerns of Misconduct
• Safe Computing: Identity Theft
• Examples of Public, Private and Confidential Information

Laws and Regulations

• Minnesota Government Data Practices Act, including Minn. Stat. section 13.055
• Minnesota Statutes section 325E.61
• HIPAA Regulations, 45 CFR Part 164, Subpart D

Amended:

February 2010 - Policy and Procedure updated to comply with HITECH regulations.

Effective:

May 2006