9.1 PURPOSE: The purpose of this policy is to define policy surrounding identification, investigation, notification, and mitigation of a breach within the Saudi Health Information Exchange system. 9.2 SCOPE/APPLICABILITY This policy applies to the Saudi Health Information Exchange, to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including • Participating Healthcare Subscriber (PHCSs), • their business associates, • any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information, • any Saudi Health Information Exchange Infrastructure Service Provider, and • any other subcontractor of Saudi Health Information Exchange. This policy applies to all personal health information provided to or retrieved from Saudi Health Information Exchange systems. 9.3 POLICY 9.3.1 Access Monitoring 1. The Saudi Health Information Exchange privacy and security officer or designee SHALL monitor PHCSs access to the Saudi Health Information Exchange at least monthly by reviewing the Saudi Health Information Exchange systems audit reports. 2. The Saudi Health Information Exchange privacy and security officer SHALL contact the PHCSs to review any suspicious activity. In case of a Reportable Event, the privacy and security officer of the PHCS SHALL investigate the suspicious activity and generate a report of the event (see 10.3.2). 9.3.2 Events Notification 1. The Saudi Health Information Exchange and PHCSs are obligated to create a notification of all Reportable Events involving the PHI managed by the Saudi Health Information Exchange. 1.1. The PHCSs individual SHALL notify the organization’s privacy and security officer(s) within two business days of the discovery of a Reportable Event. 1.2. The PHCS privacy and security officer(s) or PHCS designated person SHALL communicate the review of the Reportable Event to the Saudi Health Information Exchange within two (2) business days of notification, documenting whether or not there is a need for further investigation. 2. Subject of care initiated notification of Reportable Events MAY be accepted by the Saudi Health Information Exchange privacy and security officer. 3. The Saudi Health Information Exchange will establish and publish a process for filing reports to inform and guide those required or eligible to file Saudi Health Information Exchange related Reportable Events. This process will take into account the private nature of Subject of Care reportable events. All reports SHALL follow the aforementioned process. 9.3.3 Reportable Event Review and Breach Investigation 1. Upon receipt of a Reportable Event Report, the report SHALL be reviewed by the Saudi Health Information Exchange privacy and security officer to determine whether or not a review is required. 2. Review by the Saudi Health Information Exchange privacy and security officer is required only to the extent that it involves the Saudi Health Information Exchange. 3. If it is determined that no further action is needed, this determination SHALL be communicated to the originator of the Reportable Event Report, thus terminating the review process. Such decisions are subject to review through internal or external audit. 4. The privacy and security officer of the Saudi Health Information Exchange or designated person receiving the Reportable Event Report SHOULD log the Reportable Event, acknowledge receipt of the Reportable Event Report to the person or system filing it, inform the affected PHCS privacy and security officer(s) of the event if they do not already have knowledge of it, and begin a review of the event. 5. Time and scope constraints for the review and mitigation actions taken on the Reportable Event Report will depend on the nature of the risk and sensitivity of information. 5.1. In the case of an imminent threat to data security in the Saudi Health Information Exchange systems, the Saudi Health Information Exchange privacy and security officer SHALL take immediate actions to secure the data. 5.2. Suspension of access privileges MAY be enforced until the source has mitigated the issue locally or possibly permanently as considered on a case-by-case basis. 5.3. PHCS SHALL fully cooperate with the Saudi Health Information Exchange Security and Privacy Officer in identification and mitigation of the threat that could result in a breach event. 6. Once the review is done, the Saudi Health Information Exchange privacy and security officer SHALL determine whether a violation of privacy and security policies, procedures, or relevant law has occurred. 7. The Saudi Health Information Exchange privacy and security officer and/or the PHCS privacy and security officer(s) involved in the incident SHALL collaborate to develop, approve, and implement the mitigation plan to proactively prevent a similar event from re-occurring. 8. Breach Investigation SHALL be completed within thirty (30) days of receiving the reportable event review by the Saudi Health Information Exchange. This timeframe MAY be extended for another 30 days upon Saudi Health Information Exchange privacy and security officer approval. 9. An investigation report of the breach SHALL be prepared documenting the facts gathered from the review, event mitigations, and measures to be taken to prevent recurrence of such an event. This report SHALL be communicated to the originator of the Reportable Event Report. This report SHALL be retained for a minimum of ten (10) years. 9.3.4 Notification of Privacy Breach 1. In circumstances where it has been determined that a Reportable Event constitutes a privacy breach, the Saudi Health Information Exchange SHALL notify the PHCSs whose information was subject to the unauthorized acquisition, access, use, or disclosure, no later than ten (10) business days following the discovery of the breach. 2. The PHCS is responsible for notifying any Subject of Care who’s PHI has been breached within thirty (30) days following discovery of the breach. 3. If a breach occurs at the PHCS, then any required public notification is the responsibility of the PHCS. If the breach occurs at the Saudi Health Information Exchange level, then the responsibility is of the Saudi Health Information Exchange to report the breach, or, in some situations, to report to the PHCS, which SHALL in turn make any required public notifications. 4. Individual and contained breach should be reported to the Subject of Care. Breaches affecting large numbers of individuals, typically more than five hundred and involving continuous risk, SHOULD be reported publicly. Such decision would be made by the privacy and security officer in collaboration with the Saudi Health Information Exchange governing body and law enforcement authorities. 5. Public Notification of a breach SHALL include the time and date of the breach discovery and the identification of each individual whose PHI is involved. 6. The notification to the affected individual(s) SHALL contain, to the extent possible, the following: 6.1. a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known, 6.2. a description of the types of PHI that were involved in the breach (such as full name, national identification number, date of birth, home address, account number, or disability code), 6.3. the steps individuals should take to protect themselves from potential harm resulting from the breach, 6.4. a brief description of what the PHCS and the Saudi Health Information Exchange are doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches, and 6.5. contact procedures for individuals to ask questions or learn additional information, which SHALL include a toll-free telephone number, an e-mail address, a web site, or postal address. 9.4 POLICY MAINTENANCE The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.
|