Privacy Incidents FAQs

2023-05-11 19:56:59

A privacy incident is an administrative or failed loss, compromise, or unauthorized disclosure of, or access to, protected health information (PHI) or electronic protected health information (ePHI). Common examples of privacy incidents include the following:

Incorrectly sent email - an email containing confidential data (including high-risk and medium-risk data) is sent to the wrong party.

Unsecured email - an email containing confidential data is sent to the right or wrong party without being sent securely as the university's security e-mail policy requires.

Incorrect fax or print job - a fax is sent using the wrong fax number, or a print job is sent to the wrong printer.

Disallowed disclosure - sending a test sample, patient list, or other file to an inappropriate recipient, or to a recipient whose business associate agreement (BAA) or data use agreement (DUA) is not properly in place.

Lost or stolen equipment - any lost or stolen mobile device or computing device (including USB memory, mobile phone, tablet, laptop, desktop), whether encrypted or not.

A privacy infringement is a protective or unauthorized acquisition, disclosure, or use of PHI or ePHI in which the infringement succeeded, and it creates obligations regarding the leak of personal information under federal and/or state law.

If you believe that a privacy issue has occurred, even one that seems harmless, report it to the university's privacy office in one of three ways:

127 Crothers Way, Stanford, CA 94305, during normal working hours

* Do not include any PHI or other sensitive data beyond the information necessary to complete the initial report that you submit to our office.

Members of the University Privacy Office will follow up on your first report, and you can then provide additional details about the event. We appreciate your ongoing cooperation in supporting a prompt response and completion of the survey.

 - Required items within 72 hours of discovery - Within known limits - Department of Health and Human Services (HHS) requests a summary of the privacy incident (include the privacy event location and privacy right), any kind of media related to the privacy issue, and any information about protected health information. The case is considered a violation. Under 45 CFR 164.402(2), if there is evidence of (i), (ii), (iii), or (iv), please provide the evidence and the applicable HIPAA provisions supporting a finding that there is no violation. This can be submitted in a separate file. In that case, please enter "attach" below.

As defined by the US Department of Homeland Security, privacy incidents are adverse events that occur as a result of violating DHS's privacy policies and procedures. The privacy incident must be "related to misuse or disclosure" of regulated data such as personally identifiable information (PII) and protected health information. A security incident is "upgraded" to a privacy incident if the data involved in it is regulated. In other words, most electronic privacy incidents are security incidents, but not all security incidents are privacy incidents. Privacy incidents may also arise from non-electronic sources, such as mishandled documents or oral or visual disclosure of PII or PHI.

Organizations encounter privacy and security issues involving regulated data every day. Privacy teams must respond to ever-changing global data breach notification laws and, against an increasingly complicated patchwork of data breach regulations, are confronted with the task of judging quickly and efficiently which events need to be notified to regulators or customers. This is the reason we made the radar.

If a privacy incident meets certain legal definitions, it is considered a data breach under state and/or federal breach law. Data breaches should be notified to affected individuals, regulators, and in some cases credit bureaus or the media. In addition, if the event affects a corporate customer's employees or customers, it is necessary to notify the corporate customer in accordance with contractual obligations. Only a small percentage of privacy incidents escalate to data breaches when the organization carries out effective reporting and risk mitigation and verifies each incident with a multi-factor risk assessment. Multi-factor risk assessment is the key to avoiding the risks of both excessive notification and failure to notify. If the incident involves regulated data, the organization should document the incident's risk assessment, the notification decision, and the schedule.