Reporting a Breach

REPORTING A BREACH TO THE OFFICE OF CIVIL RIGHTS (OCR) AND HEALTHIX REQUIREMENT FOR INVESTIGATION

Healthix regularly reviews the OCR Breach Portal for any breaches submitted by our Participants. This is done to ensure our Participants' compliance with the Healthix Privacy and Security Policy, Section 7, which sets forth minimum standards that shall be followed in the event of a breach:

“7.1 Obligation of Participants to Report Actual or Suspected Breaches: Participants shall notify Healthix in the event that a Participant becomes aware of any actual or suspected Breach involving Protected Health Information accessed via Healthix.”

Breach Determination

In the event that it is determined that the suspected Breach is not an actual Breach, Healthix will document (or require the applicable Participant to document) a risk assessment that describes why there is a low probability that Protected Health Information was compromised.

Breach Not Involving SHIN-NY/Healthix Data

A breach at a Participant involving PHI that was not accessed or transmitted via the SHIN-NY may not need to be reported to Healthix.

Investigation

In the event that Healthix discovers a participant organization that has submitted a breach notification to OCR, our IT Security and Compliance teams will investigate the nature of the reported breach to determine whether Healthix and SHIN-NY patient data have been impacted. We ask for your full and timely cooperation should you be asked to provide information to validate the nature and extent of the reported breach.

Your Obligation as a Healthix Participant

By signing a Healthix Participation and Business Associate Agreement, you obligate your organization and all authorized users of Healthix and the SHIN-NY to comply with Healthix Policies. It is imperative that users take any and all precautions to follow these guidelines, to protect patient privacy and prevent risk of a breach:

Access to Healthix data is strictly for the following purposes:

  • Treatment Services
  • Insurance Eligibility Verification
  • Care Management Activities
  • Quality Improvement Activities

Authorized users who are not directly involved with a patient in the activities outlined above may not access patient records. Please review Healthix Policy: Section 7 Breach and Section 9 Sanctions. Questions? Please contact compliance@healthix.org should you wish to report a suspected breach of Healthix records or ask questions.