ADMINISTRATIVE POLICY

Reporting and Notifying Individuals of Information Security Breaches
Responsible University Officer: Vice President for Information Technology (Interim)
Policy Owner: Vice President for Information Technology (Interim)
Policy Contact: Brian Dahlin

POLICY STATEMENT

The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private information about them.

Report to University

University employees and students, or other individuals, must report all suspected information security breaches of University data to University Information Security (abuse@umn.edu), by following the Report Information Security Incidents procedure.

Additionally, all suspected information security breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University Health Information Privacy and Compliance Office at privacy@umn.edu.

Notification to Individuals

The VP CIO or delegate, in consultation with the General Counsel's Office and appropriate privacy officers, is responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation.  See the Notification of an Information Security Breach procedure.

REASON FOR POLICY

This policy requires communication regarding information security breaches in order to protect individuals from potential harm arising from the unauthorized access or acquisition of private information about them, and to comply with state and federal privacy and data security laws.

Subject                        Contact                                                                              Phone          Email
Primary Contact(s)             Brian Dahlin                                                                         612-625-1505   bdahlin@umn.edu
Information Security breaches  Natascha Shawver                                                                     612-625-7885   nshawver@umn.edu
Information Security           Brian Dahlin, University Chief Information Security Officer                          612-625-1505   bdahlin@umn.edu
Medical records/PHI            HIPAA Privacy Office: Lori Ketola, University Chief Health Information Compliance Officer   612-626-5844   ljketola@umn.edu; privacy@umn.edu
PCI DSS/Credit cards           David Laden                                                                          612-624-0929   laden003@umn.edu; pmtcard@umn.edu
Student records                Stacey Tidball                                                                       612-626-0075   tidball@umn.edu
Legal                          Dan Herber                                                                           612-626-2716   herb0089@umn.edu

DEFINITIONS

Breach of information security
For purposes of this policy this means unauthorized access to, acquisition, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving de-identified data.
Business Associate
An individual (other than an employee or member of the work force of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the disclosure of PHI.
Covered Entity
A Health Care Provider, Health Plan or a health care clearinghouse.
Information
Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.
Private data
University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. PCI DSS for credit cards, some research contracts).
Protected health information ("PHI")
Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Health Care Provider, Health Plan or health care clearinghouse, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is reasonable basis to believe can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.

The following records are exempted from the definition of PHI as defined by HIPAA:

  • Student records maintained by an educational institution;
  • Treatment records of post-secondary students that meet the requirements of 20 U.S.C. 1232g(a)(4)(B)(iv); and
  • Employment records held by a covered entity in its role as employer.
Unauthorized acquisition
For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.

RESPONSIBILITIES

All Individuals
Report concerns regarding suspected security breaches of private information.
Vice President and Chief Information Officer (VP CIO) or delegate
  • Accountable for making determinations, in consultation with the General Counsel's Office and appropriate privacy officers, as to whether notification is required, and for directing responsible departments in complying with notification obligations.
  • Delegate to the Chief Information Security Officer the authority and responsibility for the suspected information security breach investigation, oversight of the notification process, and breach determination, where appropriate.
University Chief Information Security Officer
  • Delegate the authority and responsibilities for investigation of the suspected information security breach, and oversight of the notification process.
  • Inform the appropriate privacy officers of suspected information security breaches.
  • Report breach information to the VP CIO.
Office of Information Technology (OIT) – University Information Security (UIS)
  • Investigate the suspected information security breach.
  • Report breach information and status to University Chief Information Security Officer.
  • Report suspected information security breach to the appropriate privacy office.
  • Ensure that appropriate and timely action is taken on a suspected information security breach.
  • Provide oversight of the notification process.
Collegiate/Unit Administrators
Provide timely and effective notification to individuals as directed by the VP CIO when there has been a security breach of private data in their area.  Direct expenses related to the breach notification process are the responsibility of the affected unit.
Privacy Officer
  • Notify external entities in accordance with the respective privacy law or contract (e.g., Federal Department of Health and Human Services for PHI).
  • Provide privacy advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the privacy law or contract they are responsible for.
General Counsel
Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.

RELATED INFORMATION

Related Policies

Laws and Regulations

Other Related Information

Amended:
December 2015 - Comprehensive Review, Major Revision: 1. Revises the policy title to Reporting and Notifying Individuals of Information Security Breaches, clarifying that the security breaches in scope are information security breaches. 2. Clarifies the reporting and notification process with links to the relevant procedures for more information. 3. Includes two new procedures for reporting incidents and for notification in the event of an information security breach.
Amended:
February 2010 - Policy and Procedure updated to comply with HITECH regulations.
Effective:
May 2006