Official website of the Department of Homeland Security

What if medical information is disclosed?

There are procedures in place for dealing with unauthorized disclosures of information protected by the Privacy Act, including an employee’s medical information. Any loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or similar occurrence with respect to protected information, including medical information, is termed a “Privacy Incident,” and is governed by the Department of Homeland Security (DHS) Privacy Incident Handling Guidance (PIHG), revised January 26, 2012. These procedures detail how DHS responds to a privacy incident, whether it occurs electronically or on paper, and set out the obligation to protect Personally Identifiable Information (PII).

The PIHG requires DHS personnel to inform their Program Manager (i.e., a second-level supervisor or higher) immediately upon discovery or detection of a Privacy Incident, regardless of the manner in which it occurred. Appendix D, DHS Privacy Playbook: Handling Process Overview, provides an overview and checklist for the incident reporting process. These procedures apply to both suspected and confirmed incidents involving PII. How CBP is required to respond to a Privacy Incident depends upon the seriousness of the incident.

When properly adhered to, CBP's privacy protocols for proper maintenance and sharing of PII represent the best practices for safeguarding PII and also help to protect CBP employees from criminal liability stemming from violations of the Privacy Act.