2011.04 Breach of Confidentiality Response

Policy Number 2011.04
Effective Date July 2, 2008
Revision Date March 31, 2012
Subject Matter Expert Branch Manager, Local Responsible Parties
Approval Authority TB/HIV/STD Section Director
Signed by Felipe Rocha, M.S.S.W.

1.0 Purpose

This policy describes the actions required of the Texas Department of State Health Services (DSHS) TB/HIV/STD Section (the Section) and entities with which DSHS has a contractual or professional relationship to handle confidential TB/HIV/STD surveillance, epidemiological, medication, and public health follow-up data in the event of a suspected breach. This policy also outlines how to address negligent or purposeful release of confidential client information.

This policy has been written to align with requirements in the Department of State Health Services (DSHS) HIV and STD Program Operating Procedures and Standards (POPS), the HHS Information Security/Cybersecurity Policy, the Centers for Disease Control and Prevention’s (CDC) Program Operations Guidelines for STD Prevention, and the CDC’s Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Surveillance Programs wherever possible and/or appropriate.

2.0 Background

In fulfilling its mission to prevent, treat, and control the spread of TB, HIV, and STDs and other communicable diseases, the Section, its contractors and external partners obtain confidential information regarding individuals they serve. These individuals trust that the Section will take every precaution to protect that information in order to retain their confidentiality. The Section must be vigilant in maintaining the integrity of systems that contain this confidential information.

3.0 Authority

Vernon’s Texas Statutes and Codes Annotated ( V.T.C.A.), Penal Code, Chapter 16, Chapter 33; V.T.C.A. Health and Safety Code, 81.046 and 81.103-81.104; V.T.C.A., Texas Government Code, Chapter 552

4.0 Definitions

Breach of Confidentiality: breach of protocol resulting in the improper disclosure of confidential information, which includes information: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.

Breach of Protocol: A departure from the established policies and procedures that may result in the improper disclosure of confidential information; an infraction or violation of a standard or obligation. This includes any unauthorized use of data, including de-identified data

Central Office: the TB/HIV/STD Section, Department of State Health Services (DSHS) main office located in Austin, Texas.

Confidential Information: Any information which pertains to a patient that is intended to be kept in confidence or kept secret and could result in the identification of the patient should that information be released.

Confidentiality: The ethical principle or legal right that a physician or other health professional or researcher will prevent unauthorized disclosure of any confidential information relating to patients and research participants.

External: Entities outside of the DSHS Central Office that the Section contracts with or works in association with to conduct public health activities related to TB/HIV/STD surveillance, epidemiology, public health follow-up and the medication program.

Internal: Refers to staff and occurrences located at DSHS Central Office in Austin, Texas.

Local Responsible Party (LRP): An official who accepts responsibility for implementing and enforcing HIV/STD security and confidentiality polices and procedures related to HIV/STD surveillance, epidemiology, public health follow-up and medication program data and information; the LRP also has the responsibility of reporting and assisting in the investigative breach process.

Negligence: failure to use reasonable care, including failure to do (or not to do) something that a reasonably prudent person would do (or not do) under like circumstances. A departure from what an ordinary reasonable member of the community would do in the same community. Negligence is a 'legal cause' of damage if it directly, and in natural and continuous sequence, produces or contributes substantially to loss, injury, or damage, so it can reasonably be said that if not for the negligence, the loss, injury, or damage would not have occurred.

Overall Responsible Party (ORP): DSHS official who accepts overall responsibility for implementing and enforcing TB/HIV/STD security standards and practices. The ORP is responsible for protecting data as they are collected, stored, analyzed, and released and must certify to CDC annually that all security program requirements are being met. The THS Section Director will be designated at the Overall Responsible party.

Purposeful: deliberate and with the intention to cause harm to another

Security Officer: Internally, the individual designated by each Branch in the Section to be part of the Security Team. The Security Officer assists in the investigative process of reported suspected breaches when the incident is directly related to the security officer’s program area.

Security Team: Internally, the Security Team consists of a security officer, Group manger, and the Local Responsible Party(s) and sometimes the Overall Responsible Party if the incident involves multiple program areas. Externally, this team consists of appropriate staff designated to serve in this team. The Security Team is responsible for investigating suspected breaches, gathering all facts related to the incident, drawing conclusions, making recommendations for further action, and providing a closing report.

Suspected Breach: An alleged infraction or violation of a standard that may result in unauthorized disclosure of confidential information

TB/HIV/STD Section: a Section within the DSHS Division of Laboratories and Infectious Disease Services which includes the Health Communications and Community Engagement Group, the HIV/STD Prevention and Care Branch, the TB/HIV/STD Epidemiology and Surveillance Branch and the TB Services Branch.

5.0 Policy

The Section ensures that appropriate DSHS staff members will respond to suspected breaches by reporting, investigating and providing follow-up to these incidents. This policy prescribes guidelines for addressing deviations from the established policies and procedures as specified in the DSHS TB/HIV/STD Section Confidential Information Security Policy (Policy 2011.01), the TB/HIV/STD Section TB Program Confidential Information Security Procedures (Policy 2011.02), HIV/STD Epidemiology and Surveillance Confidential Information Security Procedures (Policy 323.001), Medical Monitoring Project (MMP) Confidential Information Security Procedures (Policy 321.001), Texas HIV Medication Program Security Procedures (Policy 324.001), HIV/STD Public Health Follow-Up (PHFU) Confidential Information Security Procedures (Policy 322.00) and the Release of TB/HIV/STD Data Policy (Policy 2011.05).

6.0 Persons Affected/Applicability

This policy applies to all DSHS employees, IT staff, temporary employees, volunteers, students, DSHS program contractors, and any other persons who could potentially view and/or have access to Section confidential information.

7.0 Responsibilities

All persons affected by this policy, as specified in section 6.0, are responsible for the reporting of suspected breaches.

DSHS central office is responsible for designating an LRP or LRPs and an Overall Responsible Party (ORP). External sites are also responsible for designating an LRP or LRPs. Internally at the Central Office, the TB/HIV/STD Section Director will be designated as the ORP. TB/HIV/STD Epidemiology and Surveillance, the HIV/STD Prevention and Care and the TB Program Services Branch Managers will be designated LRPs. The TB/HIV/STD Epidemiology and Surveillance Branch Manager will be responsible for investigating and responding to breaches related to TB/HIV/STD surveillance and epidemiological data and information. The HIV/STD Prevention and Care Branch Manager will be responsible for investigating and responding to breaches related to HIV prevention, HIV services and medication data and information. The TB Program Services Branch manager will be responsible for investigating and responding to breaches related to TB prevention and control services. The TB/HIV/STD Epidemiology and Surveillance and HIV/STD Prevention and Care or the TB Program Services Branch managers will be jointly responsible for investigating and responding to breaches related to public health follow-up information and data. The LRP will be responsible for implementing and enforcing security and confidentiality polices and procedures and for investigating suspected breaches.

Internal (DSHS Central Office) and external sites are responsible for designating a Security Team. The Security Team will be responsible for assisting the LRP investigate suspected breaches, gathering all facts related to the incident, drawing conclusions, making recommendations for further action, and providing a closing report.

For HIV data, in the event an incident occurs that results in the release of private information about one or more individuals (beach of confidentiality), the Overall Responsible Party (ORP) shall report it immediately to the Team Leader of the Reporting, Analysis, and Evaluation Team, HIV Incidence and Case Surveillance Branch, Division of HIV/AIDS Prevention (DHAP), National Center for HIV/STD/TB Prevention (NCHSTP), Centers for Disease Control and Prevention (CDC).

8.0 Reporting and Investigating a Suspected Breach

Internally, each Branch of the Section will create and identify a Security Team. Internally, the Security Team consists of a Security Officer, Group Manager, and the LRP. The Group Manager and the Security Officer will assist the LRP (Branch Manager) in the investigative process of reported suspected breaches when the incident is directly related to their respective program area. When reporting a suspected breach, confidential patient information will not be submitted on the DSHS TB/HIV/STD Section breach reporting form. In response to a suspected breach, the breach will be reported to the appropriate Branch LRP and internal procedures for breach reporting, documenting and investigating the incident will be followed. If a suspected breach has not been identified but confidential information is potentially at risk of being divulged, the LRP will be notified directly. The breach report form will not be used in these instances.

Externally, policies and procedures that are consonant with the Section policy for documenting, investigating, and reporting suspected breaches will be created. External sites will designate an LRP who will inform the appropriate internal LRP of a suspected breach within 24 hours after the incident is first reported.

8.1 Action Steps in Response to a Suspected Breach

Internally, the Branch with the suspected breach will follow established procedures for responding to a suspected breach. The Security Team will be responsible for determining the validity of a suspected breach and determining the type of breach that has occurred. Recommended corrective actions will be taken based on the type of breach determined to have occurred.

Externally, regional and contracting offices will implement policies and procedures that adhere to the guidelines set forth in the Section policy for responding to suspected breaches. The external LRP will communicate recommended corrective actions to the appropriate internal LRP. Recommended corrective actions will be based on local personnel policies for dealing with employees who violate protocols and/or confidentiality. Once the external and internal LRP are in agreement with the proposed recommendations, the external LRP will be responsible for providing a final closing report to the internal LRP. However, when a response to a confirmed breach is deemed insufficient by the internal LRP, DSHS may place the DSHS contracted site on sanctions as referenced in Policy AA-5116 (Sanctions and Remedies for Contract Non-Compliance).

8.2 Follow-up to a Breach and Maintenance of Files

Internally, the Branch that had a breach will follow established procedures requiring follow-up to a confirmed breach. The LRP is responsible for implementation and monitoring the progress of the corrective action plan and determining when the corrective action plan is complete. All hard copies of final reports and electronic data will be maintained by the TB/HIV/STD Epidemiology and Surveillance Branch Overall Responsible Party (ORP) and/or designee(s) as outlined in the Section policies and procedures. The Breach Report Form can be electronically submitted and routed and electronic signatures of the reporter, LRP and ORP are acceptable documentation.

External sites will adopt policy and procedures requiring follow-up to a confirmed breach that meet the guidelines of the Section policy and procedures. The external LRP will responsible for implementation and monitoring of the corrective action plan and determining when the corrective action plan is complete. The Section will maintain breach-reporting forms of suspected breaches in the DSHS contractor file. Breach reporting forms that are kept with the DSHS contractor file will be redacted of any confidential information pertaining to the person who committed the suspected breach.

To prevent further breaches or breaches in protocol, internal and external sites involved in a potential breach or breach of confidential information will be thoroughly retrained on the policies of the agency and the program. As part of the training, examples should be given to illustrate what constitutes a breach and describe the consequences if someone releases confidential information. It should be stressed that the individual and the agency may be held liable for breaches.

9.0 Procedures

9.1 Reporting a Suspected Breach

  1. The DSHS staff member who receives the initial notice of the suspected breach will document the incident using the Breach Report Form (“Section 1: Initial Report”).
  2. The initial part of the breach report must be completed and submitted via email to the appropriate LRP(s) and Group Manager, within 24 hours of the incident with a cc to the other internal LRPs (Branch Managers) if involves their program area and the ORP (Section Director) if involves the whole Section.
  3. The DSHS staff person must receive an email confirmation from the LRP review of the initial Breach Report Form. If no email confirmation received staff person should contact the appropriate LRP or ORP by phone or in-person to assure notification was received.
  4. The LRP reviews the initial breach report and determines if further investigation or action is needed or can close-out the report when sufficient and reasonable information confirms that a breach or breach of protocol has not occurred.

9.2 Investigating a Suspected Breach

  1. After the LRP has received the breach report, the LRP will inform the Security Team of the suspected breach.
  2. The LRP and Security team will determine what immediate steps need to be taken to mitigate the breach or breach in protocol.
  3. If multiple program areas or a widespread/serious breach is suspected, the LRP should report the breach or breach in protocol to the ORP.
  4. The Security Team is responsible for further investigating the incident. The Security Team may request further information regarding the incident to be submitted.
  5. The Security Team will review the initial breach report and complete “Section 2: Security Team Closing Report.” The investigation should be finished no later than 7 days following the initial incident date.
  6. The final completed report (Sections 1 and 2) will be sent to the appropriate internal LRPs and the ORP via email for review and signature. Electronic signatures are acceptable.
  7. All media calls related to an internal suspected breach must be referred to the DSHS Communications Public Relations Officer according to DSHS Policy AA-5036 (News Media Policy)
  8. Any breach of confidentiality will be investigated immediately to assess causes and implement corrective actions. If a breach of confidentiality is related to a federally sponsored program, the LRP or ORP will report it promptly to the appropriate federal program contact.

9.3 Action Steps Specific to the Type of Breach

  1. Suspected Breach (Non-breach in protocol):
    • A suspected breach is reported and the Security Team investigates the suspected breach.
    • The Security Team determines that the suspected breach is neither a breach of protocol nor a breach of confidentiality.
    • The Security Team will ensure that the Group/Branch Manager communicates the findings to the appropriate DSHS staff member.
    • The LRP will be responsible for closing out the report.
  2. Breach in Protocol:
    • A suspected breach is reported and the Security Team investigates the suspected breach.
    • The Security Team determines that the suspected breach is a breach in protocol but not a breach in confidentiality. (In this case the Security Team has determined that no confidential information has been divulged in any manner but a breach in protocol poses a risk to a breach in confidentiality and recommendations will need to be made accordingly.)
    • When only a breach in protocol has occurred, the Security Team will need to determine if the breach was negligent or purposeful.
    • The Security Team will recommend the necessary actions to be taken based on the type of breach (negligent or purposeful) to the Group/Branch Manager.
    • Subsequently, it is the responsibility of the Group/Branch Manager to monitor the employee and assure that further breaches in protocol do not occur that may ultimately result in a breach of confidentiality.
    • The Group/Branch Manager will also assure that the employee causing this breach in protocol receives emergency training on security and confidentiality.
    • Additionally, disciplinary action may need to be taken by the Group/Branch Manager especially when repeated breaches in protocol have occurred. If the employee continues to pose a threat to security of confidentiality, the employee’s access to Section information will be limited or rescinded until further personnel actions have been determined.
  3. Breach in protocol and confidentiality:
    • A suspected breach is reported and the Security Team investigates the suspected breach.
    • The Security Team determines that the suspected breach is a breach in protocol and a breach in confidentiality. (In this case the Security Team has determined that confidential information has been divulged and an immediate response is necessary.)
    • When the suspected breach is found to be both a breach of protocol and breach of confidentiality, the Security Team will make appropriate recommendations regarding actions that will need to be taken based on whether the breach is determined to be purposeful or due to negligence.
    • Regardless of the type of breach (purposeful or negligent), the following recommendations may be required based on the severity of the breach of confidentiality:
      • The employee’s access to physical and electronic resources must be limited or rescinded until an investigation of the incident is complete. Options for handling the situation include: immediately reassigning the employee to a temporary duty station; obtaining permission from the Section Director (to whom the employee is assigned) to send the employee home pending investigation of the breach; or calling law enforcement in extreme situations.
      • At the discretion of the LRP/ORP the following entities may be notified: the Communications Office, the Office of General Counsel, the Commissioner of Health, the Assistant Commissioner for Prevention and Preparedness, the Director, Infectious Disease Prevention Section, the TB/HIV/STD Section Director and the TB/HIV/STD Epidemiology and Surveillance Branch Manager and other appropriate senior departmental staff, if appropriate.
      • Implement new or additional processes to address any deficiencies in the TB/HIV/STD Section security and confidentiality policies and procedures.

9.4 Follow-Up to a Breach and Maintenance of Files

  1. The investigating LRP with assistance from the Group Manager and Security Officer will implement and monitor the corrective action plan on the Breach report form and determine when the corrective action plan is complete.
  2. The ORP or designee will retain a file of all completed breach response forms in a locking file cabinet. (Breach Report Forms will be maintained separate from the employees personnel file.)
  3. The ORP designee will enter all information into the Breach Report Database. The Breach Report Database will be password protected and only the ORP, LRP(s) and designee(s) will have access to the database.
  4. The ORP designee will be responsible for periodically running reports based on the Breach Report Database and determine if any patterns in breaches exist that need to be further addressed.

10.0 Revision History

Date Action Section
9/1/2017 Changed "TB/HIV/STD Unit" to "TB/HIV/STD Section" to reflect new program designation -
9/3/2014 Converted format (Word to HTML) -
8/31/2011 Revised to reflect changes from Program to Section Wide Policy. Policy previously identified as HIV/STD 303.001 All
9/28/2010 Added statement on requirement to report any breach to CDC 7.0 Responsibilities
Corrected formatting errors  All
7/2/2008 Revisions too numerous to list; therefore treated as new policy. Policy previously identified as 020.051 All
HIV/STD Program

HIV/STD Program

HIV/STD Program Policies