Health Insurance Portability and Accountability Act


HIPAA breach notification procedures

In the event of a potential breach of protected health information or “PHI” (as defined under the Health Information Portability and Accountability Act [HIPAA][1]), Western Michigan University will investigate the incident consistent with these procedures and its HIPAA Privacy and Security Policy.  One or more members of the Breach Notification Team will participate in such investigation and report relevant facts to the Team for purposes of determining whether notification is required.  The Privacy Officer and notification team will evaluate whether any of the actions discussed in these procedures are required.

1.     Reporting Potential Breaches to PRIVACY OFFICER. WMU personnel shall immediately report any suspected breach of PHI or WMU’s privacy policies to their unit’s HIPAA Compliance Officer, who will perform an initial investigation and then will report the suspected breach and investigation results to the University’s Privacy Officer.  Personnel should report potential breaches as well actual breaches.  Failure to timely report potential or suspected breaches may result in sanctions as described below.

2.     Investigating Potential Breaches. The Privacy Officer, or their designee, shall promptly investigate any reported privacy breach or related individual complaint to determine whether there has been a breach of PHI as defined by HIPAA, and if so, how notice should be given.

2.1.  To determine whether a breach has occurred, Privacy Officer shall consider:

2.1.1.     Whether the alleged breach involved PHI, i.e., individually identifiable information concerning an individual’s health, health care, or payment for health care, including financial or account information;

2.1.2.     Whether the alleged breach violates the HIPAA privacy rule. Disclosures that are incidental to an otherwise permissible use or disclosure (e.g., a individual overhears a physician speaking with another individual, or sees information about another individual on a whiteboard or sign-in sheet) do not violate the privacy rule so long as the covered component has implemented reasonable safeguards to avoid improper disclosures;

2.1.3.     The probability that the PHI has been compromised considering at least the following: (1) the nature and extent of the information involved; (2) the identity of the unauthorized person who used or received the information; (3) whether the information was acquired or viewed; and (4) the extent to which the risk to the information of further disclosure has been mitigated; and

2.1.4.     Whether the alleged breach fits within one of the exceptions identified in the University’s HIPAA Privacy Policy.

2.2.  The Privacy Officer shall document the investigation and conclusions, including facts relevant to the risk assessment.

3.    Notice. If the Privacy Officer determines that a breach of unsecured PHI has occurred, the Privacy Officer shall notify the individual, the United States Department of Health and Human Services (HHS), and the media (if required) consistent with the below and applicable legal requirements.  Any notice provided pursuant to this Policy must be approved and directed by the Privacy Officer or their designee. No other WMU personnel are authorized to provide the notice required by this Policy unless expressly directed by the Privacy Officer and/or WMU Administration.

3.1.  Notice to Individuals.  The Privacy Officer shall notify the affected individual(s) without unreasonable delay and in no case later than five University business days after WMU discovers or is informed of the breach.

3.1.1.     The notice shall include, if available: (1) a brief description of the breach incident (e.g., the date(s) of the breach and its discovery); (2) a description of the types of information affected (e.g., whether the breach involved names, social security numbers, birth dates, addresses, diagnoses, etc.); (3) steps that affected individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what WMU is doing to investigate, mitigate, and protect against further harm or breaches; and (5) contact procedures for affected persons to ask questions and receive information, which shall include a toll-free telephone number, e-mail address, website, or postal address at which the person may obtain more information.

3.1.2.     The notice shall be written in plain language.

3.1.3.     The Privacy Officer shall notify the individual by first class mail to the individual’s last known address or, if the individual agrees, electronically.  The notice may be sent by one or more mailings as information is available.

3.2.  Substitute Notice. If WMU lacks sufficient contact information to provide direct, written notice to the individual, the Privacy Officer must use a substitute form of notice reasonably calculated to reach the individual. If Privacy Officer lacks sufficient information to provide any such substitute notice, Privacy Officer shall document same.

3.3.  Fewer than ten affected individuals. If there is insufficient contact information for fewer than ten affected individuals, Privacy Officer shall provide an alternative form of written, telephone, e-mail, or other type of notice.

3.4.  Ten or more affected individuals. If there is insufficient contact information for ten or more affected individuals, Privacy Officer shall do one of the following after consulting with WMU Administration:

3.4.1.     (1) post a conspicuous notice on WMU’s and the Covered Unit’s website home page for 90 days with a hyperlink to the additional information required to be given to individuals as provided above; or (2) publish a conspicuous notice in major print or broadcast media in the area where affected individuals may reside.

3.4.2.     The notice must include a toll-free number that remains active for at least 90 days so individuals may call to learn whether their protected health information was breached.

3.5.  Immediate Notice. If the Privacy Officer believes that protected health information is subject to imminent misuse, the Privacy Officer may provide immediate notice to the individual by telephone or other means. Such notice shall be in addition to the written notice described above.

3.6.  Deceased Individual; Notice to Next of Kin. If the individual is deceased and WMU knows the address for the individual’s next of kin or personal representative, the Privacy Officer shall mail the written notice described above to the next of kin or personal representative. If WMU does not know the address for the next of kin or personal representative, WMU is not required to provide any notice to the next of kin or personal representative. The Privacy Officer shall document the lack of sufficient contact information.

3.7.  Notice to HHS. If the Privacy Officer determines that there was a breach of PHI, the Privacy Officer shall also notify HHS as described below.

3.7.1.     Fewer than 500 Affected Individuals. If the breach involves PHI of fewer than 500 persons, the Privacy Officer may either (1) report the breach immediately to HHS, or (2) maintain a log of such breaches and submit the log to HHS annually within 60 days of the end of the calendar year as set forth on HHS’s website.

3.7.2.     500 or More Affected Individuals. If the breach involves 500 or more persons, the Privacy Officer shall notify HHS of the breach at the same time Privacy Officer notifies the individual or next of kin. The Privacy Officer shall maintain and submit to HHS a log of breaches as set forth on HHS’ website.

3.8.  Notice to Media. If a breach of protected health information involves more than 500 residents in a state, WMU will also notify prominent media outlets in such state. The notice shall be provided without unreasonable delay but no later than 60 days after discovery of the breach. The notice shall contain the same elements of information as required for the notice to the individual described above. The Privacy Officer shall work with WMU Administration to develop an appropriate press release concerning the breach.

3.9.  Notice from Business Associate. If WMU’s business associate discovers a breach of PHI, the business associate shall immediately notify the Privacy Officer. The business associate shall, to the extent possible, identify each person whose information was breached and provide such other information as needed by WMU to comply with this Policy.  Unless the Privacy Officer directs otherwise, the Privacy Officer shall notify the individual, HHS, and, in appropriate cases, the media as described above. (45 CFR § 164.410)

3.10.  Delay of Notice Per Law Enforcement’s Request. The Privacy Officer shall delay notice to the individual, HHS, and the media if a law enforcement official states that the notice would impede a criminal investigation or threaten national security. If the official’s statement is in writing and specifies the time for which the delay is required, the Privacy Officer shall delay the notice for the required time. If the official’s statement is verbal, the Privacy Officer shall document the statement and the identity of the official, and shall delay the notice for no more than 30 days from the date of the statement unless the official provides a written statement confirming the need and time for delay.

4.     Training Employees. Each WMU Health Care Component shall train its workforce members concerning the University’s HIPAA Policy and these procedures, including members’ obligation to immediately report suspected privacy violations. The HIPAA Compliance Officers of each Health Care Component shall ensure that the University’s HIPAA Policy and these procedures are included in training given to new workforce members, and thereafter in periodic training as relevant to the work force members’ job duties.

5.     Sanctions. WMU personnel may be sanctioned for violating these procedures.  Failure to follow this Policy and any associated procedures may subject WMU employees to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements. 

6.     Documentation. The Privacy Officer shall prepare and maintain documentation required by this Policy for six years, including but not limited to reports or complaints of privacy violations; results of investigations, including facts and conclusions relating to the risk assessment; required notices; logs of privacy breaches to submit to HHS; sanctions imposed; etc.

7.     WMU’s Breach Notification Team consists of the following members:

·         Director of the covered component where the violation may have occurred;

·         HIPAA Privacy Officer and member(s) of the Information Technology Services Security Incident Response Advisory Team, if applicable;

·         Representative of the Office of the Vice President for Business and Finance;

·         Representative from the General Counsel’s office (generally the HIPAA Privacy Officer); and

·         Representative from the vice-presidential area (or equivalent) where the potential violation occurred (if not already represented).

8.     Mitigating Potential Breaches. If WMU personnel improperly access, acquire, use or disclose PHI and immediate action may cure or mitigate the effects of such use or disclosure, WMU personnel should take such action. For example, if WMU personnel improperly access or acquire PHI, they should immediately stop, close, and/or return the information.


42 C.F.R. Part 160


[1] Unless otherwise indicated, words used in these procedures have the same definition as set forth in the HIPAA Policy.


WMU HIPAA privacy and contact officer

Jessica M. Swartz
HIPAA Privacy and Contact Officer
1903 W Michigan Ave
Kalamazoo MI 49008-5423
Phone: (269) 387-1900
Fax: (269) 387-1904

U.S. Dept. of Health and Human Services Health Information Privacy