This workflow defines the mandatory immediate actions for any Agent who identifies a potential HIPAA privacy incident. A "privacy incident" occurs whenever Protected Health Information (PHI) is exposed to an unauthorized party—whether through human error, system failure, or external access.
Because privacy breaches carry significant legal and trust implications for Vida, you must follow this escalation path exactly. Do not attempt to resolve the issue yourself. Your role is to flag the incident, secure the ticket, and await legal guidance.
Purpose
This protocol defines the mandatory steps an Agent must take immediately upon identifying a potential HIPAA privacy incident. Speed and strict adherence to this flow are critical to protect Member data and ensure regulatory compliance.
1. Identifying a Privacy Incident
A "Privacy Incident" is defined as any situation where Protected Health Information (PHI) may have been compromised. Triggers for this workflow include, but are not limited to:
PHI Disclosed to Unauthorized Person: Sensitive data was shared with the wrong individual.
PHI Sent to Incorrect Email: An email containing PHI was sent to a mistyped or otherwise incorrect address.
Unauthorized Access: Evidence that a bad actor or unverified person accessed Member records.
System Error: A technical glitch that exposes PHI (e.g., wrong data appearing in a dashboard).
2. Agent Escalation Flow
Immediate Action Required: If you identify any of the triggers above, follow these steps exactly. Do not deviate.
Step 1: Send Notification Macro
Apply and send the HIPAA Breach Notification Macro to the Member.
Note: This macro serves a dual purpose: it communicates with the member (if applicable per the specific macro text) and automatically flags the incident for internal review.
Step 2: Slack Alert (Automated)
The macro automatically triggers an alert in the Member Services Lead Slack Channel.
Step 3: Update Ticket Status
Change the ticket status to On-Hold.
Reason: This prevents the ticket from timing out or being worked on by another agent while the investigation is pending.
Step 4: Create JIRA Ticket
Create a new JIRA ticket using the ESCA (Escalation) issue type.
Assign the JIRA ticket to Quality Leadership.
Ensure you link the Zendesk ticket to this JIRA issue for tracking.
Step 5: STOP and Wait
Crucial Step: Await additional direction from Management.
DO NOT send further communication to the Member until instructed.
DO NOT try to "fix" the issue yourself (e.g., asking the recipient to delete the email) without guidance.
3. Resolution & Closure (Leadership Steps)
Once you have completed the steps above, the incident moves to the Leadership and Legal teams.
Step 6: Review
Leadership documents the incident and reviews it with the Legal and Incident Response Teams.
Step 7: Direction Provided
Leadership will provide you with specific language or instructions on how to respond to the customer to close the loop.
Step 8: Ticket Solved
Once the directed response is sent, mark the ticket as Solved.