Incident Response

Contents

  • Reporting policy
  • Incident response
  • Incident response plan
  • Notification to individuals
  • Written in plain language
  • Substitute notice
  • Law enforcement delay
  • Related documents

What are your notification procedures for a data breach and a system unavailability event?

ER Express’ reporting policy:

  • The Company shall, following the discovery of a breach of unsecured protected health information, notify affected clients within sixty (60) minutes whenever possible, and if not, by the end of the day unless legal constraints require us to wait.
  • In addition to a phone call, the Company will provide written notification to the Client’s Privacy and / or Compliance Officer(s), written in plain language.
  • The Company shall provide written notification sent by first-class mail to the Client and by electronic mail.
  • ER Express will contact Clients with an explanation of the breach, current status, impact to the Client, and remediation steps.
  • The communication will happen the same day that the breach occurs.

Incident Response

  • All initial reports of what appears to be a serious incident must be reported to the ER Express Product VP, which in turn will pass urgent matters to the ER Express Incident Coordinator.
  • The Product Team will, in this respect, provide an initial screening on reports of incidents, violations, and problems, determining whether these reports require immediate attention.
  • The Incident Coordinator will investigate whether an incident actually occurred, the severity of the incident, and the urgency of the response.
  • All reported incidents that are designated as legitimate incidents will be promptly classified according to their severity and urgency.
  • Incidents may require reclassification as further information comes to light.
  • The Incident Coordinator will decide which methods and processes will be followed in response to an incident.
  • These methods and processes ideally are documented in the Incident Response Plan, but they may also be determined on an ad hoc basis, in response to the needs of the situation.
  • The Incident Coordinator will determine whether the CSIRT should be mobilized and escalate the incident response effort so that it includes management at various levels of the organization.
  • Escalations may include the Crisis Management Team, the Legal Department, the Public Relations Department, and ER Express' vendors.
  • All decisions about the involvement of law enforcement personnel must be made by the Information Security Officer in consultation with the Legal Counsel.

 

Incident Response Plan

  • All PHI security incident response procedures and methods must follow the best commercially reasonable practices as published by well-known professional associations.
  • The Incident response plan must include processes to gather evidence so that subsequent criminal investigations may effectively be conducted, and to preserve this evidence so that it can be admissible in court.
  • The Chief Information Security Officer (CISO) is responsible for the development and maintenance of the Incident Response Plan.

Notifications to Individuals

  • The Company shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. (§164.404(a)(1))
    • A breach shall be treated as discovered as of the first day on it is known to the Company or any individual in the Company, other than the person committing the breach. (§164.404(a)(2))
    • The Company shall provide the required notification without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. (§164.404(b)).
  • Breach notifications shall include: (§164.404(c)(1))
    • A description of what happened, including the date of the breach and the date of the discovery of the breach. (§164.404(c)(1)(A))
    • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved). (§164.404(c)(1)(B))
    • Any steps individuals should take to protect themselves from potential harm resulting from the breach. (§164.404(c)(1)(C))
    • A brief description of what the Company is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches. (§164.404(c)(1)(D))
    • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. (§164.404(c)(1)(E))

All notifications must be written in plain language. (§164.404(c)(2))

  • The Company shall provide written notification sent by first-class mail to the individual at the last known address of the individual. If the individual has agreed to electronic notice and such agreement has not been withdrawn, notification shall be sent by electronic mail. (§164.404(d)(1)(i))

Substitute Notice

  • In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided.
  • Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual. (§164.404(d)(2))
    • In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. (§164.404(d)(2)(i))
    • In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: (§164.404(d)(2)(ii))
    • Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Company Web site, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. (§164.404(d)(2)(ii)(A))
    • Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. (§164.404(d)(2)(ii)(B))
    • In any case deemed urgent by the Company because of possible imminent misuse of unsecured protected health information, the Company may provide information to individuals by telephone or other means, as appropriate. (§164.404(d)(3))

Law Enforcement Delay

  • If required by law enforcement officials, the Company shall delay notification. All requests for delay shall be documented in the Incident Response Form and must include the date of the request and the requesting official.
    • Written requests for delay shall include the requested delay timeframe. (§164.412(a))
    • Oral requests for delay will be no longer than 30 days. (§164.412(b))

For more information, please review our documents here: Documents & Certificates

  • 3a. HIPAA – Incident Response Policy
  • 5. HIPAA – Information Security Policy
Have more questions? Submit a request