University of Minnesota
POLICY LIBRARY
ADMINISTRATIVE POLICY

Reporting and Notifying Individuals of Security Breaches

Effective Date: May 2006
Last Update: February 2010
Responsible University Officer:
  • Vice President for Information Technology
Policy Owner:
  • Vice President for Information Technology
Policy Contact:


POLICY STATEMENT

The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private data about them.

Report to University. University employees and students must report all known or suspected breaches of security of private data to the CIO, to enable the CIO to determine whether notification is required. Suspected breaches can be reported to abuse@umn.edu or to your campus help desk. Additionally, all suspected or known data security breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University's Privacy and Security Office at privacy@umn.edu.

Notification to Individuals. The Chief Information Officer or delegate, in consultation with the General Counsel's Office and appropriate compliance officers, will be responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation.

REASON FOR POLICY

This policy requires communication regarding security breaches in order to protect individuals from potential harm arising from the unauthorized acquisition of private information about them, and promotes compliance with state and federal privacy and data security laws.

PROCEDURES

FORMS/INSTRUCTIONS

There are no forms for this policy.

APPENDICES

FREQUENTLY ASKED QUESTIONS

ADDITIONAL CONTACTS

Subject / Contact / Phone
  • Primary Contact(s): 612-625-1505
  • Breaches/electronic: Maria Peluso, 612-626-9310
  • Security: Brian Dahlin, 612-625-1505
  • Medical records/PHI: HIPAA Privacy/Security Office, Lori Ketola (University Chief Health Information Compliance Officer), 612-626-5844
  • Student records: Tina Falkner, 612-625-1064
  • Legal: Tracy Smith, 612-624-9546

Campus Help Desks

Security questions, concerns, or suspected incidents: e-mail abuse@umn.edu

Campus / Help Desk / Phone
  • University of Minnesota - Twin Cities (TC): TC Help Desk, 1-HELP (612-301-4357)
  • University of Minnesota - Duluth (UMD): UMD Help Desk, 218-726-8847
  • University of Minnesota - Morris (UMM): UMM Help Desk, 320-589-6391
  • University of Minnesota - Crookston (UMC): UMC Help Desk, 218-281-8000
  • University of Minnesota - Rochester (UMR): UMR Help Desk, 507-258-8050

DEFINITIONS

Breach of security
For purposes of this policy this means unauthorized acquisition, access, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. "Breach" does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving de-identified data.
Business Associate
With respect to a health care component, a person or entity not a part of the University who, on behalf of the health care component, performs or assists in the performance of certain functions requiring use or disclosure of protected health information. Members of the workforce of one University health care component who perform the business function for another University health care component are not business associates.
Data
Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.
Private data
University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. Payment Card Industry for credit cards, some research contracts).
Protected health information ("PHI")
Health information transmitted or maintained in any form or medium that:
  1. Identifies or could be used to identify an individual;
  2. Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
The following records are exempted from the definition of PHI:
  1. Student records maintained by an educational institution;
  2. Treatment records about post-secondary students meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
  3. Employment records held by a covered entity in its role as employer.
Unauthorized acquisition
For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.

RESPONSIBILITIES

All Employees
Report good faith concerns about security breaches of private data.
Chief Information Officer
Make determinations, in consultation with the General Counsel's Office and appropriate compliance officers, as to whether notification is required, and direct responsible departments in complying with notification obligations.
Collegiate/Unit Administrators
Provide timely and effective notification to individuals as directed by the CIO when there has been a security breach of private data in their area.
General Counsel
Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.

RELATED INFORMATION

Laws and Regulations

HISTORY

Amended:
February 2010 - Policy and Procedure updated to comply with HITECH regulations.
Effective:
May 2006

© 2014 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on November 19, 2014