View Categories

Breach of Information SOP

Two Types of Information that can be breached: #

  1. Personal Identifying Information (PII)
    1. What is PII?
      • PII is information that may not be associated with health information but can be used to directly identify someone.
      • PII can also be information that, on its own, may not identify someone-but when combined with another piece of information could reasonably identify a specific person.
    2. Information Considered PII:
      • Name
      • Address
      • D.O.B
      • DCN
      • SSN
  2. Personal Health Information (PHI)
    1. What is PHI?
      • PHI is information that can be used to identify someone.
      • Relates to the individual’s physical or mental health condition. This includes past, present, and future conditions.
      • Relates to the provision of health care to the individual.
      • Relates to the payment for health care services for the individual (including past, present, and future payments.)
    2. Information Considered PHI:
      • Name
      • SSN
      • D.O.B
      • DCN
      • Email
      • Account Number
      • Phone Number
      • Billing Address
      • Photos of someone’s face, tattoos, or scars
      • Biometric identifiers including- finger prints or voice prints, such as recordings of someone’s voice.

Avoiding Data Breach #

  1. Privacy DO’s/DON’Ts:
    1. DO:
      • Avoid conversations about participants in public places
      • Return PHI/PII to its appropriate location or destroy properly
      • Dispose of participant information by shredding it or putting it in a locked box for destruction
      • Notify your divisional privacy officer if information is ever inappropriately accessed/shared, or before releasing information if unsure.
    2. DON’T:
      • Have discussion with participants about treatment/coverage in public areas
      • Leave medical records or participant information on printers, fax machines, or other public places
      • Throw away client PHI/PII without proper shredding or placing in locked secure shred box
      • Use social media messaging groups or post/discuss any DSS related issues to social media accounts.

What to do when a Breach of Information Identified: #

  1. Fill out the Information Disclosure Incident Report MO866-4456
  2. Gather all notices or documentation that is associated with the data breach.
  3. Email imprivacy@dss.mo.gov
    1. Subject: Breach Notification
    2. Body: Include a description of the breach of information and any information that was unable to be included on the Information Disclosure Incident Report form.
    3. Attach all notices or documentation that is associated with the data breach.

Notifying the Participant: #

  1. HIPAA requires that individuals be notified of any breach of their PHI as soon as possible, but no later than 60 days from the discovery of breach.
Was this guide helpful?