Information Privacy and Security Incident Handling Standard
Information Privacy and Security Incident Handling
The increasing use of data and electronic communications brings a corresponding increase in privacy and security threats. This standard provides guidance on what to do when the security of systems or information is threatened, how to mitigate risk so that incidents are prevented or contained quickly, and how to return operations to normal. Its objectives are to:
- Protect human life and safety
- Protect Tenet’s patient information
- Protect Tenet’s confidential and proprietary information
- Collect and analyze data to determine whether Tenet’s Information Privacy and Security Policies have been violated or a computer crime has occurred
- Prevent damage to systems and quickly restore systems to routine operation
- Ensure breach protocols are followed for disclosure of unsecured or unencrypted PHI
Tenet Facility
- Privacy and Security Compliance Officer
- Internal contact for Information Privacy and Security Incidents
- Supervisors
- Report incidents to Privacy and Security Compliance Officer or designee
- Tenet Facility Privacy Incident Response Team
- Determined by the Compliance Committee and the Privacy and Security Compliance Officer
Corporate Office
- Privacy and Security Compliance Officers
- Internal contacts for Information Privacy and Security Incidents
- Supervisors
- Report incidents to Privacy and Security Compliance Officers
- Information Privacy and Security Committee
- Members of the Corporate Office Privacy Incident Response Team
Privacy Incident Response Team
- Membership
- Team of managers and professionals with the authority to resolve an incident
- Led by Privacy and Security Compliance Officer
- Responsibilities
- Evaluate reported potential incidents within 24 hours of discovery
- Verify incident with the department leader where it occurred
- Determine impact
- Document department leader’s investigation
- Develop, modify, update and test incident response procedures
- Be available on a 24/7 basis to respond to events
- Cybersecurity Incidents
- Notify Cybersecurity Incident Response at [email protected]
- Collect data and evidence
- Track evidence with chain of custody process
- Analyze data without modifying evidence
- Establish priorities
- Contain and resolve the incident
- Remove threat
- Return to normal operations
- Perform post-incident activities
- Document the investigation, mitigation/remediation and reporting obligations
- Non-Cybersecurity Incidents
- Contain the incident
- Initiate internal investigation
- Initiate disciplinary action
- Set up Information Security Awareness training
- Communicate with disaster recovery team for environmental hazards
- Stop work processes that create a risk of information exposure
- Escort unauthorized visitors from the building or area
- Disaster Recovery
- Follow procedures and work with Disaster Recovery team
- Suspected Crime
- Notify the Director of Corporate Security
- Third Party Notifications
- Work with Legal to obtain authorization before releasing information to a third party (e.g., federal, state or local law enforcement, or third parties repairing systems)
- Do not release or make any statements to the news media
- Restore the System
- Restore operating system
- Reconfigure to fix the security problems
- Correct or restrict the methods used to cause the incident
- Restore programs
- Restore User data from trusted backup media
- Review system configurations (e.g., user accounts, system services, audit and monitoring facilities, access control lists)
- Compare system configuration files to authoritative copies of these files
- Compare cryptographic checksums with trusted checksums collected before an intrusion
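The two comparison steps above (configuration files against authoritative copies, checksums against a trusted pre-intrusion baseline) are the part of system restoration most often skipped because nobody captured the baseline. The following is an added example, not code from the Tenet standard: it builds a SHA-256 manifest of a trusted tree, verifies the live tree against it after restoration, and produces a unified diff for a configuration file that has drifted from its authoritative copy. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for a restored system (added example).

Builds a manifest of SHA-256 checksums from a trusted tree, then compares the
live tree against it and reports modified, added and removed files. The
sample files and the simulated intruder changes below are constructed.
"""
import difflib
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, trusted: dict) -> dict:
    """Compare the live tree with the trusted manifest.

    Returns the three lists a responder needs: files whose content changed,
    files that appeared after the baseline, and files that disappeared.
    """
    current = build_manifest(root)
    modified = sorted(p for p in trusted if p in current and current[p] != trusted[p])
    added = sorted(p for p in current if p not in trusted)
    removed = sorted(p for p in trusted if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def config_diff(authoritative: str, current: str, name: str) -> list:
    """Unified diff of a live config file against its authoritative copy."""
    return list(difflib.unified_diff(
        authoritative.splitlines(), current.splitlines(),
        fromfile=f"authoritative/{name}", tofile=f"live/{name}", lineterm=""))


def demo() -> dict:
    """Constructed scenario: baseline a small /etc tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")

        # Trusted manifest captured before the intrusion. In practice keep it
        # off-host (write-once media or a separate system) so an intruder who
        # owns the box cannot rewrite the baseline to match their changes.
        trusted_json = json.dumps(build_manifest(root), indent=2)

        # Simulated intruder activity: weaken sshd, plant a cron back door,
        # delete a file. All three must show up in the verification report.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "passwd").unlink()

        return verify_manifest(root, json.loads(trusted_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("\n".join(config_diff("PermitRootLogin no\n", "PermitRootLogin yes\n", "sshd_config")))
```

The manifest is only as trustworthy as where it was stored: a baseline kept on the compromised host can itself have been edited, which is why the standard says the checksums must be collected before the intrusion.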
- Reconnect Restored System to Network
- Validate restored system
- Review restored data files residing on the compromised system
- Monitor restored system
- Failed login attempts
- Attempts to access back doors
- Attempts to re-exploit the original vulnerability
- Attempts to exploit new vulnerabilities
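Monitoring the reconnected system for the four signals listed above is a detection task, and the checks are simple enough to script. The following is an added example, not code from the Tenet standard: it scans sshd and web-server log lines for a burst of failed logins from one source, any use of accounts the incident analysis identified as back doors, and requests to the path the original intrusion exploited. The log lines, the back door account name `svc_backup`, the exploit path `/cgi-bin/upload.php`, and the threshold are all constructed assumptions for the demonstration.

```python
"""Post-restoration log watch (added example, not part of the Tenet standard).

Scans auth and web access log lines for the indicators the standard lists:
repeated failed logins, access to planted back door accounts, and attempts
to re-exploit the original vulnerability. All sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd lines and a combined-format web access line (constructed).
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 02:14:05 web01 sshd[4023]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:07 web01 sshd[4025]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 02:14:09 web01 sshd[4027]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:20:11 web01 sshd[4101]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Mar  3 02:31:44 web01 sshd[4130]: Accepted password for svc_backup from 203.0.113.7 port 51300 ssh2
203.0.113.9 - - [03/Mar/2024:02:35:10 +0000] "GET /cgi-bin/upload.php?f=../../etc/passwd HTTP/1.1" 404 512 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2024:02:35:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/8.4.0"
"""

# Hypothetical indicators taken from the (constructed) incident analysis.
BACKDOOR_ACCOUNTS = {"svc_backup"}
EXPLOIT_PATHS = {"/cgi-bin/upload.php"}

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
SSH_FAILED = re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSH_ACCEPTED = re.compile(_TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
HTTP_REQUEST = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_syslog_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; year 1900 is fine for windowing."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of events falling inside any sliding window of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, backdoor_accounts, exploit_paths,
            threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return brute-force sources, back door account use and exploit-path hits."""
    failures = defaultdict(list)      # source IP -> failed-login timestamps
    backdoor_access = []              # (user, src, outcome)
    exploit_attempts = []             # (src, full request path, status)
    for line in lines:
        if m := SSH_FAILED.match(line):
            failures[m["src"]].append(parse_syslog_ts(m["ts"]))
            if m["user"] in backdoor_accounts:
                backdoor_access.append((m["user"], m["src"], "Failed"))
        elif m := SSH_ACCEPTED.match(line):
            if m["user"] in backdoor_accounts:
                backdoor_access.append((m["user"], m["src"], "Accepted"))
        elif m := HTTP_REQUEST.match(line):
            if m["path"].split("?", 1)[0] in exploit_paths:
                exploit_attempts.append((m["src"], m["path"], m["status"]))
    brute_force = {src: n for src, ts in failures.items()
                   if (n := max_in_window(ts, window)) >= threshold}
    return {"brute_force": brute_force,
            "backdoor_access": backdoor_access,
            "exploit_attempts": exploit_attempts}


def demo() -> dict:
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines(), BACKDOOR_ACCOUNTS, EXPLOIT_PATHS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A 404 on the exploit path is still worth an alert: it shows the attacker has returned to test whether the hole is still open, which is exactly the signal the standard asks responders to watch for.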
- Update Network Protection
- Review protection methods (e.g., firewalls, intrusion detection systems)
- Adjust configurations based on incident analysis
- Different configurations needed
- New or additional protections methods needed
- Review latest on vulnerabilities, patches and new versions of protection software
- Update the methods so similar attacks are detected or handled
- Update the conditions under which alerts are generated to system and network administrators
- Improve Processes
- Monitor the system to confirm it is restored to normal and that no back doors or “traps” exist
- Perform inventory of the system and network assets
- Determine if vulnerable systems or network vulnerabilities exist
- Conduct security audit or evaluation of the system
- Resolve improper access to systems and resources
- Perform a complete backup of the system
- Develop a set of “lessons learned” for future security efforts
- Document actions to resolve incident/attack for possible future incidents/attacks
- Conduct Risk Analysis
- Perform a risk analysis based on the severity and impact of the incident, asking:
- Were the policies and procedures adequate?
- What methods of discovery and monitoring procedures would have improved Tenet’s ability to detect this incident?
- What tools or procedures would have made responding to this incident easier or quicker?
- What tools or procedures would have enhanced Tenet’s ability to contain this incident?
- What was the loss in monetary damages and downtime?
- Document the Incident
- Compliance Incident Management System (CIMS), Privacy Matters
- Document the events surrounding an incident
- Record the actions taken in response to an incident
- Describe the corrective actions taken
Annual Reviews
- Review and test plan annually
- Reporting Identity Theft
- Report potential identity theft immediately upon discovery
- Notify the Privacy and Security Compliance Officer even if you have already reported to your supervisor or manager
- Identity Theft Red Flags
- Suspicious Documents
- Suspicious Personal Identifying Information
- Suspicious or Unusual Use of Covered Account
- Alerts from Others (e.g. patient, Identity Theft victim, consumer reporting agency or law enforcement)
- Verifying Patient Identification (Red Flag Detection)
- New Patients/Accounts
- Ask for identification information
- Full name
- Date of birth
- Address
- Government-issued ID
- Insurance card
- Verify additional information when available
- Insurance company’s information
- Information with consumer report
- Existing Accounts
- Verify requests to change the billing address
- Verify patient’s identification before giving any personal information
- Altered or Forged Documents
- Information does not seem consistent with other identifying information
- Stop admissions/billing process
- Ask for additional information to verify identity
- Check additional information to resolve discrepancies
- Continue admissions/billing process
- Social Security Number
- SSN appears to be the same as another patient’s
- Stop admissions/billing process
- Ask for additional information to verify identity
- Check additional information to resolve discrepancies
- Continue admissions/billing process
- Physical Insurance Card or Documentation
- Patient provides an insurance number but cannot produce a physical card
- Stop admissions/billing process
- Ask for additional information to verify identity
- Check additional information to resolve discrepancies
- Continue admissions/billing process
- Patient Access notifies the insurance carrier or payor
- Undeliverable Mail
- Patient’s mail is returned repeatedly as undeliverable even though transactions continue to occur
- Conduct skip-tracing procedures to find patient’s mailing address
- Update patient’s current mailing address and contact information
- Inconsistent Treatment on Medical Records
- Treatments seem inconsistent with the physical exams or medical history
- Review prior files for potential inaccurate records
- Check identifiers such as blood type, age and race to confirm medical identity
- Delay or stop opening a new covered account or terminate services
- Re-verify contact and verifying information with patient
- Complaints and Inquiries
- Patients
- Information added to credit report by a health care provider or insurer
- Receipt of a collection notice from a bill collector
- Other Individuals or Representatives
- Bill for another individual
- Bill for a product or service that the patient denies receiving
- Bill from a health care provider that the patient never went to
- Notice of insurance or explanation of benefits for health services never received
- Resolution of complaints or inquiries
- Complaint/Inquiry Review
- Send to Patient Access to review if a billing error occurred
- Terminate treatment/credit until identity is resolved
- Stop collection attempts on the account
- Patient Identity and Services Confirmed
- Process claims with patient/guarantor info from registration
- Make no changes to the medical record for this patient
- Patient Identity or Billing Errors Confirmed
- Contact Health Information Management about the errors
- Review medical records
- Correct billing information so patient is not charged
- Stop collection efforts
- Notification of the patient’s insurance carrier or payor is not needed
- Patient Identity Theft Confirmed
- Work with law enforcement and determine reporting obligations
- Fraudulent Accounts
- PII is linked to known fraudulent activity reported by internal or third parties
- Fraudulent Account Review
- Send to Patient Access to review if a billing error occurred
- Terminate treatment/credit until identity is resolved
- Stop collection attempts on the account
- Ask for copies of police reports, fraud affidavits, FTC complaints, or other applicable reports from third parties
- File a police report or FTC consumer identity theft complaint if not previously done by patient
- Notify patient’s health insurance carrier
- Patient Identity and Services Confirmed
- Process claims with patient/guarantor info from registration
- Make no changes to the medical record for this patient
- Patient Identity or Billing Errors Confirmed
- Contact Health Information Management about the errors
- Review medical records
- Correct billing information so patient is not charged
- Stop collection efforts
- Notification of the patient’s insurance carrier or payor is not needed
- Patient Identity Theft Confirmed
- Work with law enforcement and determine reporting obligations
Ethics and Compliance Training
Employee Performance Management
Internal Reporting of Potential Compliance Matters
Patient Information Privacy Policy
Disciplinary Guidelines Standard