DOS Privacy Issue Reporting Procedure

What to report: All potential unauthorized access and disclosure of Medicaid Confidential Data.

When to report: As soon as possible.

How to report: Complete pages two and three of this issue notification form and send it to the DOS Security and Privacy Bureau's mailbox: doh.sm.Medicaid.Data.Exchange@health.ny.gov

Security and Privacy Issue Notification Form

Instructions: Complete the downloadable PDF form above and send it to the DOS Incident Response's mailbox at: doh.sm.Medicaid.Data.Exchange@health.ny.gov

Please do not put Protected Health Information (PHI) into this form. For questions on how to fill out the form below, contact doh.sm.Medicaid.Data.Exchange@health.ny.gov

1. Contact Information for this Incident
Name:
Title:
Program Office:
Email address:
Work Phone:
Mobile Phone:

2. Incident Description
Provide a brief description of the issue:

3. Incident Details
Date and time the issue was discovered:
Describe the type and quantity of data impacted:
Approximate number of devices/systems affected by the issue:
Approximate number of users affected by the issue:
Approximate number of individual member records affected by the issue:
Have any corrective actions been taken? (Please describe):
Has the issue been resolved? (Please describe):

4. Risk Assessment: The HIPAA Breach Notification Rule presumes the event to be a breach unless the organization demonstrates that there is a low probability the PHI has been viewed by unauthorized personnel.

To determine the probability that the PHI has been viewed by unauthorized personnel, please answer the following questions:
a. What type of data (name, birthday, CIN, social security number, etc.) was involved?


b. Did an unauthorized disclosure occur? If yes, please list the sender of the data, and who received the data.


c. Did any unauthorized person(s) obtain the PHI?


d. Did any unauthorized person(s) view the PHI?


e. Has the risk to the PHI been mitigated?