Reporting a Concern
Overview
At USF Health we are committed to providing quality health care, which includes respecting patients’ and clinical research subjects’ rights to maintain the privacy of their health information and ensuring appropriate security of all protected health information. The standards for protecting patient health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA).
Duty to Report Privacy Incidents or Concerns: Everyone has a duty to report any potential privacy breach or concern as soon as they discover it, even if they were not involved in the incident. Concerns regarding privacy incidents or breaches should be reported to Privacy & Healthcare Civil Rights Compliance as outlined below. Under federal and state law, there is a deadline we must comply with in reporting any privacy breach (in some cases as soon as possible but no more than 60 days). Early notification to our office is required to give us sufficient time to investigate the incident and prepare any necessary notifications. Late reporting can result in significant penalties for the University. All privacy incidents and concerns should be reported within 48 hours, when possible.
Individuals who report concerns related to privacy in good faith are protected against any retaliation or harassment as a result of raising the concern.
What is a Privacy Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
How to Report: A privacy incident or a breach of privacy should be reported to our office so that we can track and respond to events that may involve inappropriate use or disclosure of PHI through mitigation, increased training, and/or investigation where necessary. Reports should be submitted through CompliancePro Solutions (the software our office utilizes to manage reports of privacy incidents) at: https://usf.complianceprohealth.com/report/privacy
What Information is Needed in the Report: When reporting a potential privacy incident, please try to include the following information:
- Date the incident occurred;
- Date the incident was discovered;
- Name and contact information of the person who discovered the potential breach (please provide your name and contact information even if you were not involved in the original privacy incident);
- The specific information disclosed (for example, patient name, address, MRN, diagnosis, medication list, appointment date, symptoms list);
- The number of individuals who had their information disclosed (provide information for each patient involved in the privacy incident);
- How the incident happened (for example, was an AVS handed to the wrong patient, did a patient overhear a conversation between providers about another patient, was a prescription mailed to the wrong patient, was a rounding list found by a patient);
- Actions taken following detection (what has occurred between the time the incident was discovered and now, for example, was the patient provided the correct information if they were originally given the information of another patient); and
- The department in which the incident occurred.
Mitigation Efforts Needed: Once you learn a patient has received a document in error, it is imperative that you first report it via CompliancePro Solutions and then arrange to have a courier call the patient so they can retrieve the document or item that was given to the patient in error. To arrange for a courier, please call or email Jonathan Steffer, of USF Clinical Affairs, at 813-974-6738 or steffer@usf.edu. If we determine a breach has occurred, we will be able to inform the patient that his or her document was retrieved by our courier and then destroyed by the clinical workforce member.
You will not be retaliated against for reporting a potential privacy breach in good faith.
Anonymous Reporting: If you do not feel comfortable reporting an incident via CompliancePro Solutions, you may also report any HIPAA privacy concerns via EthicsPoint.
Ask a Privacy Question: Our office is also available to speak with you regarding any privacy or HIPAA related concerns you may have. You may reach out to our helpline via telephone or email:
Helpline Phone Number: (813) 974-2222
Helpline Email: privacy@usf.edu