The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that covered entities notify individuals whose unsecured protected health information has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the protected health information.
A breach is defined as the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Breach Notification Rule, which compromises the security or privacy of the protected health information.
Breach Discovery and Reporting
A breach will be treated as discovered:
From the first day it becomes known to Zaya; or,
From the first day on which, by exercising reasonable diligence, it would have been known to Zaya or to any person, other than the person committing the breach, who is a workforce member or agent of Zaya.
Providers who believe that PHI has been used or disclosed in any way that compromises the security or privacy of that information should immediately send the details of the breach to compliance@zayacare.com containing the following information:
Subject: HIPAA Breach Report [Breach Type]
Message Format:
To whom it may concern:
This is to officially notify the team of a HIPAA breach. Please find the details below:
Date discovered - when the breach was identified
Date of breach - When the breach occurred (if known)
Type of breach - include all that apply:
    Unauthorized Access or Disclosure - Accessing or sharing PHI without proper authorization or legitimate need
    Lost or Stolen Devices - Unencrypted laptops, phones, or portable media containing PHI are lost or stolen
    Hacking / IT Incidents - Cyberattacks (e.g., ransomware, phishing) compromise systems containing PHI
    Improper Disposal - PHI discarded without secure methods (e.g., unshredded paper or unwiped drives)
    Misdirected Communication - PHI sent to the wrong recipient via email, fax, or mail
    Insider Threats - Employees snooping on or leaking patient information for non-permitted reasons
    Third-Party Breach - Business associate mishandles or exposes PHI due to poor controls or error
Narrative summary - summary of the events related to the breach discovery
Location of breach - online platform / vendors involved
PHI Involved - types of data exposed (e.g., names, SSNs)
Individuals Affected - number of people impacted
I hereby endorse the above-mentioned information for next steps.
Please take note that the email should not contain PHI, but only a generic description of the type of PHI that was involved in the breach. Even so, the internal notification should give Zaya’s Compliance Officer sufficient information on the following:
A brief description of what happened, including the date of the breach and the date of discovery
A description of the type of PHI that was involved (e.g., name, Social Security Number, procedure, diagnosis, treatment, and so forth).
Once the report has been sent, Zaya’s Compliance Officer will acknowledge receipt of the report within 3 business days. A formal investigation will then begin to assess the incident’s impact as well as potential future risks, and risk mitigation procedures will be implemented accordingly.
Based on the results of the investigation, all affected stakeholders will be notified of the findings and of any corresponding next steps, as needed.
Non-Retaliation and Confidentiality
In accordance with the Health Insurance Portability and Accountability Act (HIPAA), individuals who, in good faith, report a suspected or actual privacy or security breach are protected from retaliation. As mandated by 45 CFR § 160.316, no individual shall be subject to intimidation, threats, coercion, discrimination, or any form of retaliation for filing a complaint, participating in an investigation, or otherwise opposing any act or practice made unlawful under HIPAA.
Furthermore, all reports of potential HIPAA violations will be treated with the highest level of confidentiality to the extent permissible by law. The identity of the reporting party will be safeguarded in compliance with 45 CFR § 164.530(g), and disclosures will be limited to those necessary to investigate and address the matter appropriately.