A privacy incident is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or for other than an authorized purpose, have access or potential access to Protected Health Information (PHI), Personally Identifiable Information (PII), or Sensitive Information (SI), whether physical or electronic.

A breach means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted which compromises the security or privacy of the protected health information (PHI).

All incidents are investigated and analyzed through the HIPAA Compliance and Privacy Office, and the severity level is determined. Breaches deemed medium to high must be reported to any affected individuals, senior leadership, and regulatory agencies when applicable.

The Compliance and Privacy Office is responsible for determining when an incident is a breach.

Incident Examples

Email Misuse

  • Emailing information to a non-secure address (Yahoo, Gmail, Hotmail, etc.)
  • Sending unauthorized or inappropriate content to an unintended recipient

Lost or Stolen Assets

  • Laptop
  • Mobile Phone
  • Tablet

Unauthorized Disclosure

  • Any documents that contain more than 3 personal identifiers (Name, Address, Date of Birth, Social Security Number, Medical information, Financial information, etc.)
  • Leaving a classified document on a photocopier
  • Insecure disposal of paper items (items not put in a locked shred bin)

Malicious Software

  • Unusual or unexplained activity

Unauthorized Access to Systems or Data

  • Access rights incorrectly granted or never terminated

ID Cards / Access Badges / Keys

  • Includes lost, missing, or stolen items

Procedural

  • Failure to comply with policy and procedure through lack of awareness
  • Deliberate attempts to circumvent security measures

Devices – Stolen / Loss of Laptop and Mobile Devices

    • Contact the Travis County Helpdesk immediately: 512-854-9175
      • Knowing your device asset tag number is very helpful
      • Helpdesk will shut off access to the device
      • You will be required to change your password
    • Make an official police report. This is REQUIRED for all Travis County devices.
      • You will need to obtain a copy of the official report and provide the official case number once it’s available.
    • Contact your immediate supervisor
    • Contact the HIPAA Compliance and Privacy Office: 512-854-6278
      privacy@traviscountytx.gov
      • Provide a written statement explaining the discovery of the incident.

Other Incidents / Unauthorized Disclosure of Information
(Email misuse, loss of paper files, faxes, verbal communications, access controls - badge or keys, password, etc.)

    • Contact your immediate supervisor
    • Contact the HIPAA Compliance and Privacy Office: 512-854-6278
      privacy@traviscountytx.gov
      • Provide a written statement explaining the discovery of the incident.
      • The Compliance Officer will contact you within 3 business hours to discuss the details and next steps.
      • If you have not been contacted within 4 days after reporting the incident, please contact the Travis County HIPAA Compliance and Privacy Officer.
        • Subject Line:  POSSIBLE BREACH INCIDENT

For general information about HIPAA, see the HIPAA page. For information regarding Travis County’s HIPAA Policies, or to report a suspected privacy concern, contact the Travis County Compliance and Privacy Officer.