
Security Incident And Breach Notice Policy

I. PURPOSE

This Security Incident and Breach Notice Policy establishes procedures to ensure that the Company complies with applicable legal requirements governing the maintenance and security of the electronic and hard-copy information that is held, managed, or retained by the Company (“Firm Information”).

II. BACKGROUND

A. Authority

The Management Committee is responsible for ensuring compliance with legal requirements governing the maintenance and security of Firm Information. The Management Committee has delegated that responsibility to the Company’s Privacy and HIPAA Compliance Committee (the “Committee”).

B. Definitions

Any capitalized terms not defined in the body of this Policy are defined in the Glossary. The meaning of terms not specifically defined herein shall be determined by reference to the manner in which those terms are used in HIPAA, applicable Breach Notice Laws, or the Rules of Professional Conduct, as those rules and laws are defined below and as the case may be.

C. Records Retention

All records created pursuant to this Policy shall be maintained for a minimum of seven years from the date of their creation.

D. The Company Information is Subject to Certain Privacy and Security Requirements.

Firm Information is subject to certain privacy and security requirements as stated in the following paragraphs.

1. HIPAA and HITECH

The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), signed into law as part of the American Recovery and Reinvestment Act of 2009, expands the scope of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and Security Standards (the “Security Rule”) (collectively, “HIPAA”).

HIPAA requires notification by a Business Associate of certain breaches of unsecured Protected Health Information (“PHI”), as defined in the Glossary, to the applicable Covered Entity and, where provided in an applicable Business Associate Agreement, to Individuals affected by the breach. In certain client engagements, the Company may be deemed to be a Business Associate or Subcontractor to a Business Associate as those terms are used in HIPAA.

In addition, health plans sponsored by the Company may be subject to HIPAA requirements. Accordingly, the Company may have its own reporting requirements in the event of a breach of PHI related to those health plans.

2. Breach Notice Laws

Forty-seven states, the federal government, and many foreign jurisdictions have data breach notification laws with respect to Personally Identifiable Information (“PII”). In addition, certain industries are subject to breach notification laws. These laws require entities, including law firms, that own, license, or maintain personal information, to notify affected individuals in the event the entity discovers a breach of security involving certain types of personal information.

3. Rules of Professional Conduct

Rule 1.6(e) of the Illinois Rules of Professional Conduct provides that lawyers shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or access to, information relating to the representation of a client. Any inadvertent or unauthorized disclosure of, or access to, client information may, in the discretion of the Company, require notice to the affected client.

E. Subjects Addressed in this Policy.

In light of the foregoing legal obligations, this Policy addresses four principal subjects of concern in connection with the security of Firm Information:

  • Investigation and evaluation of Security Incidents (Section III);
  • Compliance with HIPAA requirements (Section IV);
  • Compliance with Breach Notice Laws (Section V); and
  • Obligations with regard to Privacy Organization Client Information (Section VI).

The following sections address these subjects in the order listed.

III. INVESTIGATION AND EVALUATION OF SECURITY INCIDENTS

A Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of Firm Information or interference with system operations in an information system that is used for maintaining or transmitting Firm Information.

A. Recording and Analysis of Actual or Potential Security Incidents.

The Company’s Director of Technology (“DOT”) is responsible for the detection, analysis, and initial reporting of actual or potential Security Incidents.

Upon detecting an actual or potential Security Incident, the DOT will prepare a Security Incident Record detailing the facts surrounding the event, including (i) date, time, and location; (ii) the person who discovered the event; (iii) the manner of detection; (iv) identification of evidence establishing the existence of the incident; and (v) any actions taken to address, ameliorate, or remedy the incident.

The DOT shall provide the Security Incident Record to the Company’s Privacy Officer and the Committee within 24 hours of completion of the investigation of the Security Incident. Under the direction of the Committee, the Company will document and assess all potential Security Incidents in a Security Incident Report. The Security Incident Report shall (i) include a copy of the Security Incident Record; (ii) analyze and assess the significance of the incident; and (iii) identify any policy or procedure changes that have been or should be implemented to avoid recurrence of the event or mitigate its impact.

B. Factors to Be Considered in Determining the Existence of an Actual Security Incident.

The Committee shall promptly determine whether a Security Incident has occurred.

As stated in the preamble to the HIPAA Security Rule, the Company may rely upon the information gathered in complying with other security standards, for example, the Company’s risk assessment and risk management procedures and the Privacy Rule standards, to determine what constitutes a Security Incident in the context of the Company’s business operations. As permitted under HIPAA, the Company may decide that different types or patterns of attempted or successful Security Incidents warrant different actions.

For example, the Company may permissibly decide that a particular Security Incident initiated from an external source (such as a “ping,” a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible) would require the following actions to comply with the standard: (i) minimal, if any, response; (ii) no mitigation actions, since no harmful effects were caused by the incident; and (iii) brief documentation of the Security Incident and outcome, such as a recording or printout of aggregate statistical information.

C. Notification of Security Incidents.

The Company will consult any applicable Business Associate agreements to determine whether these agreements require reporting of Security Incidents and the timing of such reporting.

The Company will also determine whether notification of insurance carriers is appropriate by review of the Company’s insurance policies.

The Company’s decision as to whether and to what extent a Security Incident requires notification and the reasons underlying its decision will be documented.

D. Determination of Whether Breach Reporting is Required

Within 48 hours of notice of a Security Incident to the Privacy Officer and Committee, or as soon thereafter as possible, the Company will determine whether the Security Incident constitutes or led to (i) a Breach of PHI under HIPAA (Section IV below); (ii) a Breach of PII under Breach Notice Laws (Section V below); or (iii) a breach of Privacy Organization Client Information (Section VI below).

IV. COMPLIANCE WITH HIPAA BREACH REPORTING REQUIREMENTS

Protected Health Information (PHI) means Individually Identifiable Health Information, as defined in the Glossary, that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium. Unsecured PHI means PHI that is not secured through the use of a particular technology or methodology to render the Protected Information unusable, unreadable, or indecipherable to unauthorized persons, as stated more particularly in the Glossary.

A Breach of Unsecured PHI is the unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security, confidentiality or integrity of the information, as stated in the HIPAA Privacy Rule.

Upon notice to the Committee by the DOT of a Security Incident involving Unsecured PHI, the Company will determine, as stated more particularly below, whether there has been a Breach of Unsecured PHI. The Company will also determine whether (i) the Security Incident must be reported to any of the Company’s clients and (ii) the Company has any reporting obligations under HIPAA, applicable state law, or the Company’s Business Associate agreements. The Company’s risk assessment shall be conducted without unreasonable delay and each step in the assessment shall be documented in writing.

A. Circumstances That Do Not Constitute a Breach of Unsecured PHI.

A Breach of Unsecured PHI does not include situations in which the Company has a good faith belief that the unauthorized person to whom the Unsecured PHI is disclosed would not reasonably have been able to retain such information.

For example, there is likely no Breach of PHI where mailed information is returned as undeliverable and the envelope had not been opened or where an email is inadvertently sent to the wrong recipient and the recipient confirms in writing both that the recipient did not read the email and also confirms deletion of the email.

A Breach of PHI also does not include the following:

  • Any unintentional acquisition, access, or use of Unsecured PHI by a Workforce member or person acting under the authority of the Company if (i) such acquisition, access, or use was made in good faith and within the scope of authority; and (ii) it does not result in further use or disclosure in a manner not permitted under Subpart E of 45 CFR Part 164 concerning the privacy of Individually Identifiable Health Information;
  • Any inadvertent disclosure from an individual who is authorized to access PHI at the Company to another person authorized to access PHI at the Company, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under Subpart E of 45 CFR Part 164 concerning the privacy of Individually Identifiable Health Information.

In determining whether there has been a Breach, Privacy Organization will also consult the other standards set forth in the HIPAA Privacy Rule. 


B. Whether There Is a Low Probability That Unsecured PHI Has Been Compromised.

As part of its assessment of whether there has been a Breach of Unsecured PHI, once the Company determines that a Security Incident violates the HIPAA Privacy Rule, it will conduct a risk analysis to determine, in accordance with the HIPAA Breach Notification Rule, whether there is a low probability that the Unsecured PHI has been compromised. Any acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under Subpart E of Part 164 under the HIPAA Privacy Rule is presumed to be a Breach unless the Company demonstrates, after its risk analysis, that there was a low probability that the PHI has been compromised. In the event that there has been a violation of the standards set forth in Subpart E of Part 164 of the HIPAA Privacy Rule, the Breach Notification Rule places on the Company the burden of demonstrating that a Breach did not occur.

The Company shall take into account at least the following factors:

a. The nature and extent of the PHI involved, including the types of personal identifiers and the likelihood of re-identification. 

For example, with respect to financial information, whether there is an increased risk of identity theft (through social security numbers and other sensitive data), or, with respect to clinical information, the type and amount of clinical data disclosed (e.g., treatment plan, diagnosis, medication, medical history or lab test results).

b. The identity and duties of the unauthorized person who used the PHI or to whom the disclosure was made. 

For example, consider whether the person has an independent obligation to protect the privacy and security of the information or whether the person has the ability to re-identify information (e.g., an employer may be able to identify an employee based on limited data).

c. Whether the PHI was actually acquired or viewed. 

For example, where a laptop was stolen and a forensic expert determines that the data were not accessed, there may be a low probability that information was compromised. 

d. The extent to which the risk to PHI has been mitigated.

The Company shall seek to mitigate any harmful effects of the use or disclosure of PHI through a confidentiality agreement or destruction of information. The Company must consider the efficacy of such mitigation (e.g., whether the Company can rely on assurances of a third party that information will be destroyed or not further disclosed) in determining the level of probability that the PHI was compromised.

If the Company, through its investigation of the potential Breach, determines that a Breach of Unsecured PHI, in violation of the HIPAA Privacy Rule, occurred, and the risk assessment concludes that there is not a low probability that the PHI has been compromised, Breach notification is required.


C. Notification of Breach of Unsecured PHI

1. Discovery Date

A Breach of Unsecured PHI will be treated as discovered as of the first day on which such Breach is known to the Company or, by exercising reasonable diligence, would have been known to the Company. The Company shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of the Company. The discovery date is not the date the Company concludes its investigation as to whether a potential Breach requires notification.

If a Breach involving PHI occurs, the Company shall notify any relevant Covered Entity pursuant to the time frame set forth in the applicable Business Associate Agreement. Depending on the terms of the agreement and the nature of the Breach, the Company may be responsible for providing notice of the Breach to individuals affected by the Breach.

2. Timing of Notification

a. In General. The Company is required to provide notice of any Breach without unreasonable delay but in no event later than 60 days after discovery of the Breach. The notification period may be shorter if the Covered Entity and the Company agreed to a shorter period in the Business Associate Agreement or if required by applicable state or federal law. All information relevant to the Breach and available to the Company will be provided within the prescribed time even if such information is incomplete. Any relevant information obtained after the deadline will be provided to the Covered Entity promptly.

b. Law Enforcement Delay. If a Law Enforcement Official advises the Company that notification of the Breach would impede a criminal investigation or cause damage to national security, the Company will delay notification for the period identified by the Law Enforcement Official in writing; or if the statement is made orally, the Company will document the official’s request and delay notification for no longer than 30 days unless the official provides written notification before the expiration of the 30-day period.

3. Content of Notification

a. The Company will provide the Covered Entity, to the extent possible, with:

i. The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; and
ii. Any other available information that the Covered Entity requests and is required to include in notification to the individual.

b. In considering what information will be provided to the Covered Entity, the Company will take into account the Covered Entity’s obligation to notify individuals with regard to:

i. The date of the Breach and its discovery, if known;
ii. The types of unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
iii. Any steps individuals should take to protect themselves from potential harm resulting from the Breach; and
iv. The Covered Entity’s actions to investigate and mitigate the harm to Individuals and to protect against any further Breaches.

V. COMPLIANCE WITH BREACH NOTICE LAWS

Personally Identifiable Information, or PII, is defined in the Glossary. Unsecured PII means PII that is not secured through the use of a particular technology or methodology to render the Protected Information unusable, unreadable, or indecipherable to unauthorized persons, as stated more particularly in the Glossary.

A “Breach of Unsecured PII” means a breach of Unsecured PII under any applicable Breach Notice Laws, subject to any qualifications or exceptions contained in such laws. Under Breach Notice Laws, a Breach of PII is generally considered the unauthorized access to or acquisition of Unsecured PII that compromises the security, confidentiality, or integrity of the PII.

A. Determination of Breach.

Upon notification of a Security Incident involving PII, the Company will determine whether that Security Incident constitutes or has led to a Breach of Unsecured PII. If a breach has occurred, the Company will determine its obligations under any applicable Breach Notice Law, including, specifically, whether notice to affected individuals or other third parties is required, and the manner thereof. The Company’s assessment of whether a Breach has occurred and the Company’s obligations attendant to the Breach will be fully documented in writing.

B. Notification of Breach.

1. Discovery Date.

A Breach of Unsecured PII will be treated as discovered as of the first day on which such Breach is known to the Company or, by exercising reasonable diligence, would have been known to the Company. The Company shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of the Company.

2. Timing of Notification.

a. In General. The Company will provide notice of any Breach of Unsecured PII within the time required by any applicable Breach Notice Law. If multiple Breach Notice Laws apply, the Company will provide notice of any Breach of PII no later than the shortest applicable time frame.

b. Law Enforcement Delay. If a Law Enforcement Official states to the Company in writing that notification of the Breach would impede a criminal investigation or cause damage to national security, the Company may delay notification to the extent and in the manner permitted by law; or if the statement is made orally, the Company will document the official’s request and delay notification for no longer than 30 days unless the official provides written notification before the expiration of the 30-day period.

3. Content of Notification.

a. To the extent notification is required, the Company will provide to the appropriate clients or individuals:

i. The identification of each individual whose Unsecured PII has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach, to the extent such information is known; and
ii. Any other available information that the Company is obligated to provide to affected individuals or clients.

b. In considering what information should be provided, the Company will take into account the requirements of any and all applicable Breach Notice Laws.

VI. OBLIGATIONS WITH REGARD TO PRIVACY ORGANIZATION CLIENT INFORMATION

Privacy Organization Client Information means all information in the Company’s possession that relates to a Privacy Organization client or the representation of that Client by the Company. Client Information includes any information provided to the Company by the client, or which is created, developed, or transmitted by the Company during the course of the Company’s representation of the client, regardless of whether such information is confidential or publicly available. Unsecured Client Information means Protected Information that is not secured through the use of a particular technology or methodology to render the Protected Information unusable, unreadable, or indecipherable to unauthorized persons, as stated more particularly in the Glossary.

A Breach of Unsecured Client Information generally means the successful unauthorized access, use, or disclosure of such information by or to persons outside of the Company.

A. Determination of Whether a Breach of Unsecured Client Information Has Occurred.

Upon notice to the Committee by the DOT of a Security Incident involving Client Information, the Company will determine whether that Security Incident constitutes or has led to a Breach of Unsecured Client Information. The Company’s assessment of whether a Breach has occurred and the Company’s obligations attendant to the Breach will be fully documented in writing.

B. Notification of Breach.

If a Breach of Unsecured Client Information has occurred, the Company will determine its obligations under the Illinois Rules of Professional Conduct, including, specifically, whether notice to affected clients or third parties is required. The Company will also consider its contractual obligations to its clients. In making this determination, factors to be considered include but are not limited to (i) the sensitivity of the information; (ii) whether the information disclosed outside the Company is public information or available upon reasonable search from public sources; (iii) the identity and nature of the business of the recipients; (iv) whether the information can be retrieved or protected from further disclosure by destruction, enforceable agreement, or other means; and (v) whether the information can be used against the client or to its disadvantage.

C. Content of Notification.

The content of any notification of Breach of Unsecured Client Information shall be determined on a case-by-case basis, consistent with applicable law and the Company’s ethical obligations to its clients.

GLOSSARY

Breach Notice Law(s):

  1. Any United States federal, state, or territory statute or regulation that requires notice to persons whose Personally Identifiable Information was accessed or reasonably may have been accessed by an unauthorized person;
  2. any Canadian national, provincial, or territory statute or regulation that requires notice to persons whose Personally Identifiable Information was accessed or reasonably may have been accessed by an unauthorized person; and
  3. a foreign statute or regulation that requires notice to persons whose Personally Identifiable Information was accessed or reasonably may have been accessed by an unauthorized person.

Business Associate:

a person or entity who

  1. On behalf of a Covered Entity creates, receives, maintains, or transmits PHI for a function or activity regulated by the Administrative Simplification Rules of HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management, and re-pricing; or
  2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the Covered Entity, where the provision of the service involves the Disclosure of PHI from such Covered Entity, or from another Business Associate of such Covered Entity, to the person or entity.

A Subcontractor to a Business Associate is also a Business Associate.

Covered Entity:

A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form, including, but not limited to: (i) a client of the Company that is a hospital that transmits PHI electronically; (ii) a client of the Company that is an insurance company that provides coverage under an employer’s group health plan; or (iii) a client of the Company that is a self-insured group health plan that covers 50 or more participants or is administered by a third-party claims administrator.

De-identified:

Health information from which all of the following identifiers have been removed:

  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
  • All dates (except year) directly related to an individual (birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older);
  • Telephone and fax numbers;
  • Email addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code (except as permitted for re-identification)

HIPAA Breach Notification Rule:

means the Regulations contained in 45 CFR §§ 164.400-414.

HIPAA Privacy Rule:

means the Regulations contained in 45 CFR Part 160 and Subparts A and E of Part 164.

HIPAA Security Rule:

means Regulations contained in 45 CFR Part 160 and Subparts A and C of Part 164.

Individually Identifiable Health Information:

Information that is a subset of health information, including demographic information collected from an individual, and

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
  2. Relates to (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of medical health care to an individual; or (iii) the past, present, or future payment for the provision of medical health care to an individual; and
  3. Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Law Enforcement Official:

Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Personally Identifiable Information (PII):

  1. an Individual’s Social Security Number alone, or
  2. an Individual’s first name, first initial and last name, address, or telephone number plus one or more of the following data elements:
    • an Individual’s birth/death/marriage certificate;
    • government identification number, driver’s license number, passport number, military ID number, Tax ID number, or state-issued ID card number;
    • credit or debit card number;
    • any form of account number, including but not limited to a checking or savings account, combined with any security code, access code, personal identification number, or password needed to access an account;
    • health insurance information, medical information, biometric data, fingerprints, retina or iris images, DNA profiles, or any other “unique physical representations”;
    • a user name or email account, plus a corresponding password or any security question and answer that would permit access to an Individual’s online account, including but not limited to an Individual’s mother’s maiden name;
    • an Employee Identification Number;
    • any information that reasonably could be used to identify and/or impersonate an Individual; or
    • personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.”

Protected Information:

Protected Information includes Protected Health Information, Personally Identifiable Information, and Privacy Organization Client Information.

Unsecured Protected Information:

Protected Information that is not secured through the use of a particular technology or methodology to render the Protected Information unusable, unreadable, or indecipherable to unauthorized persons. Unsecured Protected Information may be information in written, oral or electronic format.

The following is not considered to be Unsecured Protected Information:

  • Properly De-identified PHI or properly redacted PII;
  • Protected Information that is encrypted pursuant to an encryption algorithm and for which the decryption key or process is secure. The encryption key must be kept on a separate device from the encrypted data; or
  • Protected Information that has been destroyed such that (i) paper, film, or other copies have been shredded to the extent that the PHI cannot be read or reconstructed or (ii) electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.

Subcontractor:

A person to whom a Business Associate delegates a function, activity, or service.

Workforce:

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Company, is under the direct control of the Company, whether or not they are compensated by the Company.
