A data breach is defined in the HITECH Act (43 USC 17932) as an unauthorized acquisition, access, or use of protected health information (PHI) that compromises the security or privacy of such information.
The HITECH Act requires the University to notify patients, including human subjects, whose “unsecured PHI” has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach, if the breach poses a risk of significant harm as defined by the HITECH regulations.
The HITECH Act applies to breaches of both electronic data and data in paper form.
Examples of a Data Breach That Must Be Reported:
- Stolen or lost computer or other electronic device which contains identifiable patient/subject health information. A report must be made even if the data was encrypted.
- Identifiable patient/subject health information in paper or electronic form left unattended in a non-secure area for others to read (e.g. lab results left in a restroom or cafeteria).
- Subject HIPAA identifiers (such as initials) shared with sponsor in a screening log. It was not disclosed in the IRB protocol that there was a screening log and that the identifiers would be shared with the sponsor prior to consent obtained.
- Identifiable patient/subject health information faxed to incorrect number outside the study team.
- You become suspicious that your computer, which contains identifiable patient/subject health information may have been “hacked into”.
- The following situations may lead you to suspect your computer may have been “hacked into”:
- Your computer or other electronic device becomes sluggish or noticeably slower doing routine work.
- You see a number of advertising pop-ups, or pop-up offers to fix or scan your computer, or pop-up warnings that your computer is in trouble, etc.
- You suspect something is wrong with your computer but you're not quite sure what.
- You notice unusual activity, things you have never seen before, when you are using your computer.
Unsecured electronic PHI is any PHI not secured by encryption processes that meet the National Institute of Standards and Technology (NIST) standards adopted by HHS, which enforces the HITECH Act. UVA offers encryption solutions to employees that meet these standards: see http://www.virginia.edu/informationsecurity/encryption/home.html.
Timeline and Procedures for Reporting a Data Breach
- A data breach of PHI must be reported as soon as possible and no later than 24 hours from the time the incident is identified. If the data breach involves lost or stolen electronic devices and media it must be reported to the UVa Police Department IMMEDIATELY.
- A data breach of even partially de-identified data that meets the criteria of a Limited Data Set should be reported.
- There are potential criminal and civil penalties for the researcher and the institution for noncompliance with HITECH obligations.
- The Corporate Compliance and Privacy Office, at 924-9741. The Corporate Compliance and Privacy Office will investigate to determine whether a notification of breach must be given to affected patients, the media and the Secretary of HHS under the HITECH Act, and make any required notifications.
- ITS if the breach involves electronic data. Use the UVa Information Security Incident Reporting procedure, http://www.virginia.edu/informationsecurity/reporting.html
- UVa Police Department if the data breach involves lost or stolen electronic devices and media. The data breach must be reported immediately
Data Breach Caused By or resulting from A Protocol Violation or Other Issues of Noncompliance
If a data breach results from a protocol violation or other issues of noncompliance with the protocol, including not following data security issues in the Data and Safety Plan, the issue should be reported to the IRB within 7 calendar days using the Protocol Violation/Noncompliance/ Enrollment Form. This event may result in an unanticipated problem but the information is best captured using the Protocol Violation/Noncompliance/ Enrollment Form so there is no need to double report using the Unanticipated Problem Report Form.
Data Breach that was NOT Caused by a Protocol Violation or Other Issues of Noncompliance that meets the criteria for Unanticipated Problem.
A data breach may also meet the criteria for an Unanticipated Problem if the Data Breach meets all 3 of the following criteria:
- Unexpected in terms of nature, severity or frequency given the research procedures that are described in the protocol –related documents AND the characteristics of the subject population being studied.
- Related or possibly related to participation in the research. This means that there is a reasonable possibility that the incident, experience or outcome may have been caused by the procedures involved in the research study
- The event, experience, issue, instance, problem or outcome suggests that the research places the subject or others at greater risk of harm than was previously known or recognized.
If the Data Breach meets the criteria of an Unanticipated Problem and was not caused by a protocol violation or other issue of noncompliance, the researcher must follow the IRB-HSR requirements for reporting an Unanticipated Problem IN ADDITION TO the UVa requirements for reporting a Data Breach.
PROCEDURES FOR REPORTING UNANTICIPATED PROBLEMS TO IRB-HSR
Click on the link above for additional information on procedures for reporting unanticipated problems to the IRB-HSR
UVa has policies covering the protection of PHI and reporting requirements for a data breach. These policies include: