Breach Notice, Reporting and Correction Requirements
Section 11.09 of the Uniform Managed Care Contract (UMCC) with HHSC requires Cook Children’s Health Plan (CCHP), along with our subcontractors and providers, to comply with the following Breach notice requirements. In compliance with the requirements outlined below, all providers must immediately notify HHSC and/or CCHP of any unauthorized disclosure or suspected disclosure of Confidential Information.
Breach means the acquisition, access, use, or disclosure of protected health information in a manner as described in 45 C.F.R. § 164.402.
Confidential Information means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) consisting of:
- Confidential Member information, including HIPAA-defined protected health information;
- All non-public budget, expense, payment and other financial information;
- All Privileged Work Product;
- All information designated by HHSC or any other State agency as confidential, and all information designated as confidential under the Texas Public Information Act;
- Information utilized, developed, received, or maintained by HHSC, the MCO, or participating State agencies for the purpose of fulfilling a duty or obligation under this Contract and that has not been disclosed publicly.
Discovery/Discovered mean the terms as defined in 45 CFR §164.410, and as amended.
Notification to HHSC.
- Provider will cooperate fully with HHSC in investigating, mitigating to the extent practicable and issuing notifications directed by HHSC, for any unauthorized disclosure or suspected disclosure of HHSC Confidential Information to the extent and in the manner determined by HHSC.
- Provider’s obligation begins at discovery of unauthorized disclosure or suspected disclosure and continues as long as related activity continues, until all effects of the incident are mitigated to HHSC’s satisfaction (the "incident response period").
- Provider will require that its subcontractors and providers comply with all of the following breach notice requirements.
- Initial Notice.
- For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Member Information, within the first, consecutive clock hour of discovery, and for all other types of Confidential Information not more than 24 hours after discovery, or in a timeframe otherwise approved by HHSC in writing, initially report to HHSC's Privacy and Security Officers via email at: privacy@HHSCC.state.tx.us and to the HHSC division responsible for this provider agreement and to the CCHP Regulatory Compliance Director at CCHPCompliance@cookchildrens.org or by phone at 682-885-2866;
- Report all information reasonably available to provider about the privacy or security incident; and
- Name, and provide contact information to HHSC and to CCHP for, provider’s single point of contact who will communicate with HHSC and CCHP both on and off business hours during the incident response period.
- 48-Hour Formal Notice. No later than 48 consecutive clock hours after discovery, or a time within which discovery reasonably should have been made by provider, provide formal notification to HHSC and to CCHP, including all reasonably available information about the incident or breach, and provider’s investigation, including without limitation and to the extent available:
- The date the incident or breach occurred;
- The date of provider’s and, if applicable, subcontractor's discovery;
- A brief description of the incident or breach; including how it occurred and who is responsible (or hypotheses, if not yet determined);
- A brief description of provider’s investigation and the status of the investigation;
- A description of the types and amount of Confidential Information involved;
- Identification of and number of all individuals reasonably believed to be affected, including first and last name of the individual and if applicable the, legally authorized representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by the provider at that time;
- Provider’s initial risk assessment of the incident or breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHSC approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply;
- Provider’s recommendation for HHSC’s approval as to the steps individuals and/or provider on behalf of Individuals, should take to protect the Individuals from potential harm, including without limitation provider’s provision of notifications, credit protection, claims monitoring, and any specific protections for a legally authorized representative to take on behalf of an Individual with special capacity or circumstances;
- The steps provider has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate;
- The steps provider has taken, or will take, to prevent or reduce the likelihood of recurrence;
- The identification, description or estimation of the persons, workforce, subcontractor, or individuals and any law enforcement that may be involved in the incident or breach;
- A reasonable schedule for provider to provide regular updates to the foregoing in the future for response to the incident or breach, but no less than every three (3) business days or as otherwise directed by HHSC, including information about risk estimations, reporting, notification, if any, mitigation, corrective action, root cause analysis and when such activities are expected to be completed; and
- Any reasonably available, pertinent information, documents or reports related to an incident or breach that HHSC requests following discovery.
Investigation, Response and Mitigation.
- Provider will immediately conduct a full and complete investigation, respond to the incident or breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHSC or CCHP for incident response purposes and for purposes of HHSC’s or CCHP’s compliance with report and notification requirements, to the satisfaction of HHSC and CCHP.
- Provider will complete or participate in a risk assessment as directed by HHSC or CCHP following an incident or breach, and provide the final assessment, corrective actions and mitigations to HHSC and CCHP for review and approval.
- Provider will fully cooperate with HHSC and CCHP to respond to inquiries and/or proceedings by state and federal authorities, persons and/or incident about the incident or breach.
- Provider will fully cooperate with HHSC's and CCHP’s efforts to seek appropriate injunctive relief or otherwise prevent or curtail such incident or breach, or to recover or protect any HHSC Confidential Information, including complying with reasonable corrective action or measures, as specified by HHSC in a Corrective Action Plan.
Breach Notification to Individuals and Reporting to Authorities.
- HHSC may direct provider to provide breach notification to individuals, regulators or third parties, as specified by HHSC following a breach.
- Provider must obtain HHSC’s prior written approval of the time, manner and content of any notification to individuals, regulators or third parties, or any notice required by other state or federal authorities. Notice letters will be in provider’s name and on provider’s letterhead, unless otherwise directed by HHSC, and will contain contact information, including the name and title of provider’s representative, an email address and a toll-free telephone number, for the Individual to obtain additional information.
- Provider will provide HHSC and CCHP with copies of distributed and approved communications.
- Provider will have the burden of demonstrating to the satisfaction of HHSC that any notification required by HHSC was timely made. If there are delays outside of provider’s control, provider will provide written documentation of the reasons for the delay.
- If HHSC delegates notice requirements to provider, HHSC shall, in the time and manner reasonably requested by provider, cooperate and assist with provider’s information requests in order to make such notifications and reports.