Category: HIPAA Security
Responsible Office: UBIT HIPAA Compliance
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Approved By (Name/Title): J. Brice Bible, VPCIO
CATEGORY: Notification in the Case of Breach of Unsecured Protected Health Information
CITATION: 45 CFR 164.404 Notification to Individuals
The University at Buffalo Information Technology (UBIT) operates as a covered entity as defined by the U.S. Department of Health and Human Services Office of Civil Rights. HIPAA Regulation Text 45 CFR Part 164.404 requires a covered entity, following the discovery of a breach of unsecured PHI, to notify the appropriate individuals.
UBIT shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by UBIT to have been, accessed, acquired, used, or disclosed as a result of such breach.
A breach is treated as discovered by UBIT as of the first day on which such breach is known or, by exercising reasonable diligence, would have been known.
UBIT is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the individual(s) committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).
This policy applies to all UBIT workforce members.
Workforce members: Adhere to policies and procedures as written.
HIPAA Security and Privacy Officer: Ensures the Information Security Office coordinates with covered components to submit notification.
Compliance Officer: Participates in ensuring the security of ePHI is effective and enforced, in conjunction with the HIPAA Security and Privacy Officer.
Date Approved: 12/6/2017