Breach Notification and Response
Purpose
A privacy breach obligates ABAS to notify the people affected and, in defined cases, regulators and the media, on statutory clocks that start at discovery. This policy establishes how ABAS detects, assesses, and responds to breaches of protected health information and of Massachusetts residents' personal information, in compliance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400 through 164.414) and the Massachusetts Data Breach Notification Law (M.G.L. c. 93H). It exists so that every suspected breach is reported at once, assessed consistently, and notified correctly, by the right person, to the right recipients, on time.
The Employee Handbook carries the short-form workforce duty: report any suspected breach the same day to the Privacy Officer. This policy is the full procedure that duty feeds.
Scope
This policy applies to all ABAS workforce members, including administration, clinical and administrative personnel, volunteers, students, and contractors, and to ABAS's business associates.
It covers two categories of information in any form, paper or electronic:
- Protected health information (PHI): individually identifiable information about a client's health, health care, or payment for health care, as defined by the HIPAA Privacy Rule.
- Personal information of Massachusetts residents: a resident's first name or initial and last name combined with a Social Security number, driver's license or state identification card number, or financial account or payment card number that would permit access to the account, as defined by M.G.L. c. 93H.
A single incident can involve both categories; when it does, both notification tracks in the Procedures section apply.
Definitions
Breach (HIPAA). An unauthorized acquisition, access, use, or disclosure of unsecured PHI. A breach is presumed unless ABAS demonstrates, through the documented risk assessment in the Procedures section, a low probability that the information was compromised, or the incident fits one of these exceptions (45 CFR § 164.402):
- An unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of authority, with no further impermissible use or disclosure.
- An inadvertent disclosure between two people at ABAS who are each authorized to access PHI, with no further impermissible use or disclosure.
- A disclosure where ABAS has a good faith belief the recipient could not reasonably have retained the information.
Unsecured PHI. PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance. Today that means properly encrypted electronic PHI is secured; an incident involving only secured PHI is not a breach.
Personal information (M.G.L. c. 93H). A Massachusetts resident's first name or initial and last name combined with a Social Security number, driver's license or state ID number, or financial account or payment card number permitting account access.
Security breach (M.G.L. c. 93H). Unauthorized acquisition or use of unencrypted personal information, or of encrypted personal information together with its key, that creates a substantial risk of identity theft or fraud against a Massachusetts resident.
Discovery date. The first day the breach is known to ABAS, or would have been known with reasonable diligence, by any workforce member or agent other than the person who committed the breach. Notification clocks run from this date.
Business associate. A person or entity that creates, receives, maintains, or transmits PHI on ABAS's behalf under a business associate agreement.
Privacy Officer. The ABAS official designated to receive breach reports, run investigations, and direct all notifications under this policy (privacy@abaswma.org, 413-461-7120). The Compliance Officer holds this designation.
Policy Statement
ABAS maintains the privacy and security of client PHI and of personal information consistent with its policies and applicable law. When a suspected breach occurs:
- Every workforce member must report it to the Privacy Officer the same day it is suspected. Failure to report promptly is itself a policy violation subject to sanctions.
- ABAS presumes a reportable breach unless the Privacy Officer documents a low probability of compromise under the four-factor risk assessment, or an exception applies.
- When a breach of unsecured PHI is confirmed, ABAS notifies affected individuals, the Secretary of HHS, and, for breaches affecting more than 500 residents of a state, prominent media outlets, within the timeframes of the HIPAA Breach Notification Rule.
- When a security breach involves a Massachusetts resident's personal information, ABAS also notifies the Massachusetts Attorney General, the Office of Consumer Affairs and Business Regulation (OCABR), and the affected residents as soon as practicable, as required by M.G.L. c. 93H. Notice is never delayed to determine the total number of residents affected.
- Only the Privacy Officer and ABAS Administration issue or approve external notices. No other workforce member may notify clients, families, regulators, media, or any outside party unless expressly directed by the Privacy Officer or Administration.
- ABAS documents every reported incident, investigation, and notification decision and retains the documentation for six years.
Violations of this policy, including failure to report a suspected breach and unauthorized external notification, are subject to sanctions up to and including termination.
Procedures
1. Immediate Mitigation
A workforce member who improperly accesses, acquires, uses, or discloses PHI or personal information, or who discovers such an incident, takes any immediate action that can cure or mitigate it: stop and close the record, return or delete the information, ask the unintended recipient to return it and confirm no further disclosure. If the incident is significant or mitigation needs direction, contact a supervisor or the Privacy Officer immediately.
2. Internal Reporting
Every suspected breach is reported to the Privacy Officer the same day it is suspected, regardless of how minor it appears. Reporting channels are listed in the Reporting section.
3. Investigation and Risk Assessment
The Privacy Officer promptly investigates every reported incident and determines whether a breach occurred and what notice is required. For PHI, the assessment considers whether the information is PHI, whether the HIPAA Privacy Rule was violated (incidental disclosures against reasonable safeguards are not violations), whether an exception in the Definitions section applies, and whether there is a low probability of compromise based on at least these four factors (45 CFR § 164.402):
- The nature and extent of the information involved
- The unauthorized person who used or received it
- Whether the information was actually acquired or viewed
- The extent to which the risk has been mitigated
For personal information, the Privacy Officer determines whether the incident meets the c. 93H definition of a security breach. The investigation, the risk-assessment facts, and the conclusion are documented in every case.
4. Notice to Individuals (HIPAA)
If a breach of unsecured PHI is confirmed, the Privacy Officer notifies affected clients without unreasonable delay and no later than 60 days after discovery. The notice is written in plain language and includes, to the extent possible: what happened and when; the types of information involved; steps individuals should take to protect themselves; what ABAS is doing to investigate, mitigate, and prevent recurrence; and contact procedures including a telephone number, email address, website, or postal address.
Notice is sent by first-class mail to the last known address, or by email if the individual agreed to electronic notice. If ABAS lacks sufficient contact information: for fewer than 10 affected individuals, substitute notice by telephone, email, or other means reasonably calculated to reach them; for 10 or more, either a conspicuous posting on the ABAS website home page for 90 days or notice in major print or broadcast media, in each case with a telephone number active for at least 90 days. If PHI may be subject to imminent misuse, the Privacy Officer may give immediate notice by telephone in addition to written notice. For a deceased client, written notice goes to the next of kin or personal representative if their address is known.
5. Notice to HHS
For breaches affecting fewer than 500 individuals, the Privacy Officer either reports promptly or logs the breach and submits the log to HHS within 60 days after the end of the calendar year. For breaches affecting 500 or more individuals, the Privacy Officer notifies HHS at the same time individual notices are sent, using the HHS web portal.
6. Notice to Media
If a breach involves more than 500 residents of a state, the Privacy Officer works with Administration to notify prominent media outlets serving that state, without unreasonable delay and no later than 60 days after discovery, with the same content elements as the individual notice.
7. Massachusetts Notice (M.G.L. c. 93H)
When a security breach involves a Massachusetts resident's personal information, the Privacy Officer provides notice as soon as practicable and without unreasonable delay. This track has two distinct notices whose content requirements differ from each other and from the HIPAA notice:
- To the Attorney General and OCABR: the nature of the breach, the number of Massachusetts residents affected, and the steps taken or planned in response. If ABAS knows the breach resulted from its own or a parent organization's security failure, the report says so as required by the statute and its regulations.
- To affected residents: the resident's right to obtain a police report, instructions for requesting a security freeze (including that no fee applies), and information about credit monitoring where the statute requires it. The resident notice must NOT describe the nature of the breach or state the number of residents affected. Do not reuse the HIPAA notice template for this notice.
Notice is not delayed to determine the total number of residents affected; ABAS provides additional notice as information develops.
8. Business Associates
A business associate that discovers a breach must notify the Privacy Officer immediately and, to the extent possible, identify each affected individual and provide the information ABAS needs to meet its notification duties. Unless otherwise agreed, ABAS (not the business associate) issues the notices under this policy.
9. Law Enforcement Delay
If a law enforcement official states that notification would impede a criminal investigation or threaten national security, the Privacy Officer delays notice. A written request specifying the period is honored for that period; a verbal request is documented, including the official's identity, and honored for no more than 30 days unless a written request follows.
10. Documentation
The Privacy Officer prepares and retains for six years all documentation required by this policy: incident reports, investigation records and risk assessments, notices issued, the HHS breach log, sanction records, and law-enforcement delay documentation.
11. Safeguards
Administrative, technical, and physical safeguards for personal information, including the Written Information Security Program required by 201 CMR 17.00, are governed by a separate forthcoming policy, not this one.
Training
Breach recognition and the same-day reporting duty are covered in new-hire onboarding and in periodic refresher training under the Compliance Training Program (TRN-001), matched to each role's access to PHI and personal information. The Privacy Officer owns the currency of the training content and confirms that this policy is reflected in training materials whenever the policy changes. Completion is documented in each workforce member's training record.
Reporting
Report every suspected breach to the Privacy Officer the same day it is suspected: privacy@abaswma.org or 413-461-7120. A report may also be made through any channel described in POL-003 (Compliance Reporting, Investigation, and Resolution), including the anonymous web form; POL-003 reports involving privacy incidents are routed to the Privacy Officer.
When in doubt about whether something is a breach, report it; the Privacy Officer, not the reporter, makes that determination.
ABAS will not retaliate against any person who reports a suspected breach in good faith. Failure to report a suspected breach, and any unauthorized notification of clients, families, regulators, media, or other outside parties, are violations of this policy subject to sanctions up to and including termination. Questions about this policy go to the Privacy Officer.