How to Report a Privacy or Security Violation
Incident Reports, Complaints, and the HOT-LINE
How to File a Privacy Incident Report
Workforce members should complete a Privacy Incident Report Form if an unauthorized disclosure or acquisition of private data occurs, or is suspected to have occurred. But first, take steps to correct the situation, if possible. For example: rescue the document left in a public place; shut down the affected computer, network, or server; or lock up an area with access to private data.
If the breach involves a computer system containing private data:
- Take immediate steps to secure the affected system and restore data, as appropriate. Follow your department's information security procedures.
- Report the breach, along with your contact information, immediately to your supervisor, your Unit Information Security Manager, and the UF Privacy Officer (Gainesville) or HIPAA Compliance Manager (Jacksonville only).
- If a computer or other data management device has been lost or stolen, also notify the University Police Department, the Jacksonville Sheriff's Office, or your local law enforcement agency, as appropriate.
Complete a Privacy Incident Report immediately, if possible, but no later than the end of your shift, workday, or class-day. Two forms are available: one for Protected Health Information and one for Private Data (other than health information).
Include the following information:
- Date, time and location of the incident: time may be estimated; location should be the College, Department, Division, Clinic or other Unit affected, or the location of found documents.
- The nature of the violation: A clear description of what happened and how, if known.
- Type of private data involved: Paper records, electronic records, or other type of data.
- Other persons involved: Names, titles, contact information, and how they were involved.
- Any immediate harm known or observed: Was data disclosed, altered, damaged, or destroyed? Was the patient/client aware?
- Immediate corrective actions already taken: for example, documents or computer equipment were secured, accidental recipient of PHI was asked to return or destroy the data, e-mail was retracted, etc.
Send the Privacy Incident Report to the Privacy Office immediately.
- For UF-Gainesville, all FGP / UFP Clinics, and all remote clinical practice sites: send to UF-Gainesville Privacy Office
- For UF-Jacksonville and all UFJPI/ UFJHI Clinics: send to UF-Jacksonville Office of the General Counsel and HIPAA Compliance.
After investigation, if notification of affected persons or mitigation is required, departments and/or individuals involved in the privacy breach may be asked to assist with the notification process and/or in mitigating the harmful effects.
How to File a Privacy Complaint
Any individual or their legal representative may file a formal complaint with the University of Florida if they believe their privacy rights have been violated.
- The University of Florida will not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any person filing, or inquiring about how to file a privacy complaint.
- The University of Florida may not require individuals to waive their rights to file a complaint as a condition for providing services, arranging for payment, enrollment or employment, or eligibility for benefits.
Complete a Privacy Complaint form and include, at a minimum:
- The name and contact information for the complainant;
- The date and time of the complaint;
- The nature of the complaint
- Any other persons involved in the privacy violation
Complaints should be directed to the UF Gainesville Privacy Office or the UF Jacksonville Compliance Office:
|
University of Florida Privacy Office Susan Blair, Privacy Officer PO Box M100014 Gainesville, FL 32610 Toll-Free Phone: 866-876-4472 (HIPA) Email: sblair@vpha.health.ufl.edu |
University of Florida-Jacksonville David Behinfar, HIPAA Compliance Manager 653-1 West 8th Street Jacksonville, FL 32209-6511 |
The Privacy Officer or designated representative will make every effort to contact the individual or representative within 3 (three) business days of receiving notice of a formal complaint.
Following investigation of the complaint, the complainant or representative will be contacted with the results of the investigation and the corrective actions, if any, to be taken.
The Privacy Hot-Line
Toll-Free: 1-866-876-4472
Calls may be placed to the Privacy Office hot-line at any time. The calls will be answered by office personnel during normal business hours (Monday - Friday, 8:00AM to 5:00PM).
Callers should leave a message at other times, and they will be contacted on the next business day.