Breach Management

Breach management is the process of managing a privacy breach or security incident that affects the privacy of personal health information.

An incident is the contravention of a policy, procedure, duty or contract, or a situation that results in the potential exposure of sensitive personal information and/or personal health information to unauthorized parties. Not all incidents affect the client’s privacy, but when one does, it becomes a privacy breach that requires special response activities as prescribed in the privacy legislation.

Examples of privacy breaches and security incidents that may occur in a shared environment:

  • A printed assessment record is left in a public area (e.g. a coffee shop or restaurant)
  • Theft, loss, damage, unauthorized destruction or modification of assessment records
  • Inappropriate access to assessment records by unauthorized users
  • A large number of health records are accessed by a single individual in a short period of time (out of the ordinary)
  • A user account and password are compromised, resulting in unauthorized access to PI/PHI
  • Violation of privacy policies or procedures

A general breach management process includes the following key activities:

  • Detection
  • Escalation
  • Handling
  • Reporting