ON THIS PAGE
- Overview
- Step 1: Report incident immediately
- Step 2: Follow incident response guidance
- Step 3: Collaborate with the Privacy Office
- Step 4: Manage records
Overview
The UW Privacy Office is responsible for overseeing, managing, and directing investigations of incidents and potential or confirmed data breaches involving personal data. The content on this page provides a workflow, guidance on where to report incidents, and additional information in the event the incident is categorized as a data breach.
If an incident involves personal data that are protected health information as defined by the Health Insurance Portability and Accountability Act, or human subjects research data as defined in the Code of Federal Regulations related to human subjects research, and does not involve any other personal data or privacy-related laws or regulations, then the Privacy Office defers the incident response and management to the offices mentioned in Step 1. For information about laws related to data breaches, please refer to Data Breach Requirements.
Step 1: Report incident immediately
Immediately report any unforeseen events, incidents, or sets of circumstances, including any potential or confirmed data breaches, to the offices listed on this webpage.
If you are unsure where to report the incident after reviewing the list of offices, complete the UW Privacy Incident Report Form, or contact the UW Privacy Office at 206-616-1238 and provide as much information as is known at the time of the report. The Privacy Office will triage the report to the correct office.
Where to report an incident
Personal data other than or in addition to Protected Health Information or Human Subjects data
Complete the UW Privacy Office’s Incident Report Form or contact the UW Privacy Office at 206-616-1238 as soon as possible and provide as much information as is known at the time of the report.
Human Subject Information and Reportable New Information for Research
Review the Human Subjects Division Guide to Reporting New Information.
Protected Health Information at Non-UW Medicine Healthcare Components
Contact Compliance and Risk Services at crs-privacy@uw.edu or 206-221-4442.
This includes:
- Autism Center at Center on Human Development and Disability (CHDD).
- Psychology Clinics in the College of Arts & Sciences.
- Rubenstein Pharmacy in the School of Pharmacy (also known as Hall Health Pharmacy).
- School of Dentistry Clinics and Faculty Practice Plan (also known as UW Dentists).
Review the UW Health Insurance Portability and Accountability Act (HIPAA) Designation [pdf] for a description of the Non-UW Medicine and UW Medicine Healthcare Components.
Protected Health Information at UW Medicine
Contact UW Medicine Compliance at comply@uw.edu or 206-543-3098 (local) or 855-211-6193 (toll free).
This includes:
- UW Medicine Center and Clinics.
- Hall Health Center.
- Airlift Northwest.
- Department of Pediatrics Molecular Development Lab.
- Harborview Medical Center and Clinics.
- King County Public Hospital District No. 1 d/b/a Valley Medical Center and Clinics.
- UW Physicians Network d/b/a UW Neighborhood Clinics.
- The Association of University Physicians d/b/a UW Physicians.
- Summit Cardiology.
Review the UW Health Insurance Portability and Accountability Act (HIPAA) Designation [pdf] for a description of the Non-UW Medicine and UW Medicine Healthcare Components.
Information security and/or Export Controls (other than Covered Defense Information)
Contact the Office of the Chief Information Security Officer (CISO) at ciso@uw.edu or 206-685-0116.
National Security Classified Information and/or Covered Defense Information
Contact the University Facility Security Officer at uwfso@uw.edu or 206-543-1315.
Step 2: Follow incident response guidance
Do
- Be clear about the facts versus assumptions or speculations.
- Isolate the affected system to prevent further intrusion, release of data, etc.
- Limit sharing information about the incident to individuals who are responsible for managing and addressing the incident.
- Document only substantiated information.
- Mark documents as “draft” until finalized.
- Preserve all pertinent systems logs and information.
- Respond promptly to requests for additional information and other follow-up inquiries from the appropriate office (review Step 1).
Don’t
- Delete, move, or alter files on the affected system or device.
- Send any notifications or contact affected individuals before consulting with the appropriate office (review Step 1).
- Communicate that there is a potential or confirmed breach to individuals who are not:
  - Contributing facts or acting as decision makers.
  - Involved in the incident management process.
- Contact or retaliate against the individual who may have caused the event/incident.
- Conduct your own forensic analysis.
Step 3: Collaborate with the Privacy Office
The Privacy Office will determine whether the incident should be managed by the Privacy Office or referred to another UW office. If the incident is managed by the Privacy Office, your collaboration is essential for the Privacy Office to perform its responsibilities, which include the following:
- Facilitate communication and legal analysis with the UW Division of the Attorney General’s Office.
- Coordinate the investigation with the UW Office of the CISO, and other applicable offices at the UW.
- Assess the potential risk of harm to individuals, compliance obligations with applicable laws and regulations, and risks to the UW.
- Determine if the incident is a data breach.
- Determine if communication or notification to individuals is required or desired.
- Report the incident to external stakeholders or regulators.
- Manage the communication plan(s), including communication to the President, the Provost, Board of Regents and University Marketing and Communications.
Step 4: Manage records
Once the incident response and management are complete or the incident is resolved, UW units should follow UW Records Management guidance to:
- Dispose of materials that may be disposed of without a specific retention period; and
- Send official copies of the records to the UW office that was responsible for the incident response and management, so they may retain the records according to the records retention schedule for incidents [pdf].