Under the Privacy Incident Handling Guidance (PIHG), CBP must take mitigating action, depending on the nature of the incident, to try to reduce the risk of harm. In an instance of a single disclosure of one employee’s medical information beyond those with a need to know, mitigation could include having extra copies of medical records destroyed and other measures designed to limit further dissemination. Although it does not help to mitigate the disclosure, the review and/or investigation of the circumstances of the disclosure may also result in counseling, discipline, or, in the instance of an intentional disclosure, referral of a criminal violation pertaining to the person who caused the disclosure.
What redress do I have if my private medical information is disclosed to other employees who do not have a need to know?
Last Modified: Mar 10, 2016