PRIVACY OFFICER, Office of Legal Services (OLS)
INFORMATION SECURITY OFFICER, Information Security Office (ISO)
PRIVACY OFFICE, Office of HIPAA Compliance (OHC)
INTRODUCTION
Welcome to the DHCS Information Privacy & Security Training. This training is an annual requirement for all DHCS staff, as mandated by state and federal laws.
As one of the largest health plans in the country, Medi-Cal is responsible for the health records of over 7 million beneficiaries. This training discusses the state and federal laws that regulate the privacy and protection of information, as necessary to carry out the Department's workforce functions.
TRAINING OUTLINE
TRAINING MODULES – There are 15 training modules. You must complete all of the modules before you log off or you will have to restart the training from the beginning.
QUIZZES – After each training module, you will be asked to complete quiz questions. You must answer each question correctly before receiving your Training Certificate and Acknowledgement Form.
RESOURCES AND WEBSITE LINKS – A resource list with all the links and other resources used in this training is provided at the end of the training.
CERTIFICATE AND ACKNOWLEDGEMENT FORM – Before logging out of the training, print the Training Certificate and the Security and Confidentiality Acknowledgement form, then sign the acknowledgement form. The originals go to your Manager/Supervisor. Keep a copy of each for your records.
TRAINING MODULES
INTRODUCTION
HIPAA OVERVIEW
STATE LAW
ADMINISTRATIVE SAFEGUARDS
PHYSICAL SAFEGUARDS
TECHNICAL SAFEGUARDS
REMOTE ACCESS
MINIMUM NECESSARY
USE AND DISCLOSURE
ACCESS TO PATIENT RECORDS
BREACHES OF CONFIDENTIAL INFORMATION
SANCTIONS
ROLES AND RESPONSIBILITIES
SECURITY INCIDENT MANAGEMENT AND DISASTER RECOVERY
CLOSE
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to improve the efficiency and effectiveness of our health care system by standardizing the electronic exchange and protection of administrative, financial, and health data.
WHY HIPAA?
An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem.
The late tennis star Arthur Ashe's positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.
Musician Tammy Wynette's medical records were sold to the National Enquirer by a hospital employee for $2,610.
WHY HIPAA?
Medical Identity Theft is a crime in which the thief uses someone else's identity to obtain medical services or goods. This may include using a name along with other information to get treatment and equipment.
In 2010, it was reported that 5.8% of Americans were victims of Medical Identity Theft. Medical Identity Theft has a significantly higher average cost per victim than other types of identity theft: the average victim deals with more than $20,000 in costs associated with the crime and may have to pay out of pocket to have their health insurance restored.
PRIVACY & SECURITY
The HIPAA PRIVACY RULE provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, it permits the disclosure of personal health information needed for patient care and other important purposes.
The HIPAA SECURITY RULE specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
COVERED ENTITIES
HIPAA applies to covered entities and, through their contracts and the HITECH Act, to the business associates that work for them:
HEALTH PLANS
HEALTH CARE PROVIDERS
HEALTH CARE CLEARINGHOUSES
BUSINESS ASSOCIATES (BAs) – any entity that handles protected health information during the normal course of doing business for a covered entity. (DHCS BAs include Kaiser, Anthem Blue Cross, LA Care, etc.)
BUSINESS ASSOCIATES
Business Associates are persons or organizations that, on behalf of a covered entity, health plan, or provider:
Perform any function or activity covered by HIPAA
Provide a service on behalf of a covered entity that involves the transfer of PHI
PROTECTED HEALTH INFORMATION
Information protected under HIPAA is called PHI, or Protected Health Information. Protected Health Information is defined as any information, in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that can be used to identify the individual.
DIRECT IDENTIFIERS
HIPAA lists 18 direct identifiers that, along with a name, constitute individually identifiable information. If your health information dataset contains any one of these identifiers along with a name, you have PHI and it must be safeguarded appropriately. For example, a name plus the fact that the person is on Medi-Cal constitutes PHI.
DIRECT IDENTIFIERS (continued)
Name
Address – street address, city, county, zip code, or other geographic codes
Dates directly related to the patient (except year), including date of birth, admission or discharge date
Telephone and/or fax numbers
Driver's license number
E-mail addresses
Social Security number
Medical ID number / CIN
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or device serial number, including license plates
Web addresses (URLs)
Internet Protocol (IP) address
Finger or voice prints
Photographic images
Any other unique identifying number, characteristic, or code
Age greater than 89
NOTICE OF PRIVACY PRACTICES
HIPAA requires that a covered entity provide a NOTICE OF PRIVACY PRACTICES (NPP) to its members. The NPP tells members what rights they have under HIPAA, including the right to access their records, and how their information may be disclosed.
STATE LAW
State law (the Information Practices Act) differs from federal law (HIPAA) in that it is more expansive: it covers more than Protected Health Information (PHI) and includes all Personal Information (PI).
PERSONAL INFORMATION
State law establishes requirements for DHCS on the collection, maintenance, and dissemination of Personal Information. Personal Information (PI) means any information that is not public and is maintained by an agency that identifies or describes an individual.
PERSONAL INFORMATION (continued)
Examples of Personal Information include:
Names
Social Security number
Physical description
Home address
Home telephone number
Education
Financial matters
Medical or employment history
Statements made by or attributed to the individual
CONFIDENTIAL INFORMATION
Information maintained by the Department that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws is considered Confidential Information. All personal confidential information (PCI) is treated with the same privacy and protection as PHI/PII. Under state and federal Medicaid law, information can only be disclosed for purposes directly related to the administration of the Medi-Cal Program.
SENSITIVE INFORMATION
Sensitive Information is information maintained by the Department that requires an assurance of accuracy and completeness, as well as special precautions to protect it from unauthorized use, access, disclosure, modification, loss, or deletion. Though this information may not be individually identifiable, it must still be protected. Examples of Sensitive Information include the Department's financial transactions, Budget Change Proposals, and regulatory actions.
OTHER STATE & FEDERAL LAWS
Additional state and federal laws protect certain categories of information, such as mental health information, HIV/AIDS status, and substance abuse (alcohol and drug) treatment. Before releasing information in these categories to an outside entity, check with the DHCS Privacy Officer to be sure the release is legally permitted.
SAFEGUARDS
Safeguards are used to protect PHI, PI, Confidential Information, and Sensitive Information. There are three types of safeguards:
ADMINISTRATIVE
PHYSICAL
TECHNICAL
ADMINISTRATIVE SAFEGUARDS
Administrative Safeguards are documented policies and procedures for day-to-day operations; managing the conduct of employees; accessing the state's automated information systems and related devices; and managing the selection, development, and use of security controls.
ADMINISTRATIVE SAFEGUARDS
Some Administrative Safeguards include:
Data Policy
Information Privacy & Security Policies (e.g., SAM and HAM)
Guidelines for employees who access the Internet and/or e-mail
Information Privacy & Security Awareness Training
Banners warning against unauthorized use of information
ADMINISTRATIVE SAFEGUARDS – HEALTH ADMINISTRATIVE MANUAL
Administrative Safeguards are identified in the Health Administrative Manual (HAM), which incorporates the Department's information privacy and security policies and the requirements of the State Administrative Manual (SAM). HAM Sections through cover Information Privacy and Security Policy.
ADMINISTRATIVE SAFEGUARDS – HEALTH ADMINISTRATIVE MANUAL
Policies found in the HAM include:
Data Classification
Employee Responsibilities
Incident Reporting and Notification
Internet/Electronic Mail Policy
LAN Administrators' Responsibilities
Management Responsibilities
Mobile Computing & Removable Storage Devices
Passwords
Operational Recovery Planning
Risk Management
Safeguards and Destruction of PCI and Sensitive Information
Security & Confidentiality Acknowledgment
Training Requirements
And more...
ADMINISTRATIVE SAFEGUARDS – DATA POLICY
State and federal law, as well as Department policy, require that the privacy and confidentiality of all personal, confidential, and sensitive information, in whatever medium (oral, paper, or electronic), be protected. The Department considers all information about individuals private unless such information is determined to be a public record. It is Department policy to protect privacy and prevent the loss of information through accident, misuse, sabotage, criminal activity, or natural disaster.
ADMINISTRATIVE SAFEGUARDS – DATA POLICY (continued)
The Department's data release policy requires that a fully approved data release form be completed for all releases of confidential data to any entity outside DHCS. This applies to all documents in any medium containing PHI and PCI. Every division has a Data Release Coordinator who is responsible for completing the forms and obtaining the signatures of the Division Chief, Privacy Officer, Information Security Officer, and Data Owner. The data policy also requires that when confidential data in physical form is received from or sent to a different location, it must be logged on chain of custody logs.
ADMINISTRATIVE SAFEGUARDS – WARNING BANNER
You will see the warning banner each time you power up your PC. All DHCS workforce members are bound by the terms contained in the warning banner below. No expectation of privacy exists when using a state computer. Computer activity logs are maintained and reviewed on an ongoing basis.
WARNING: This is a State of California computer system that is for official use by authorized users and is subject to being monitored and/or restricted at any time. Unauthorized or improper use of this system may result in administrative disciplinary action and/or civil and criminal penalties. By continuing to use this system, you indicate your awareness of, and consent to, these terms and conditions of use. LOG OFF IMMEDIATELY if you are not an authorized user or you do not agree to the conditions stated in this warning.
PHYSICAL SAFEGUARDS
Physical Safeguards are security measures for protecting the Department's information systems and confidential information, as well as related buildings and equipment, from environmental hazards and unauthorized intrusion.
PHYSICAL SAFEGUARDS
Some Physical Safeguards include:
Identification for all employees and visitors
Locked desk drawers, cabinets, rooms, and buildings
Shredding of confidential information
Using caution when printing, faxing, and mailing
Protecting mobile computing devices
PHYSICAL SAFEGUARDS – BUILDING SECURITY
The Administration Division Policy Memorandum outlines physical security at DHCS's East End Complex (EEC). All persons are required to wear identification at all times. Employees expecting visitors should notify the security guards. Contact the security guards if you see an individual with no badge (permanent or visitor). Do not hold or prop open secure doors for others. Immediately report lost or stolen employee badges to security staff and your supervisor.
PHYSICAL SAFEGUARDS – UNATTENDED AREAS
Employees should never leave personal, confidential, or sensitive information unattended, even for a few minutes, including during working hours. Unattended means that information and/or documents containing personal, confidential, or sensitive information are not locked up, or not within your sight. Another staff member who is authorized to see the information may watch it for you if they are in the immediate area.
PHYSICAL SAFEGUARDS – SECURING INFORMATION
HAM Section requires that personal, confidential, and sensitive information be secured during non-working hours, even if the building is secure. For example:
Put documents in a locked drawer or filing cabinet.
Do not leave personal, confidential, or sensitive information unsecured in your office unless your office is locked.
Do not leave personal, confidential, or sensitive information visible on top of or under your desk.
Do not leave keys to cabinets, drawers, or office doors in a desk or any other obvious place.
PHYSICAL SAFEGUARDS – CONFIDENTIAL DESTRUCT
When personal, confidential, or sensitive information is no longer needed or required for business purposes, it must be secured and destroyed, and the destruction may require logging.
PHYSICAL SAFEGUARDS – CONFIDENTIAL DESTRUCT (continued)
Do not keep personal, confidential, or sensitive information (paper or electronic) longer than is necessary or required for business purposes.
Do not discard Department information at home, away from the Department, or in recycle bins or waste baskets.
Do not store documents awaiting destruction in your cubicle or office unless secured (e.g., locked cabinets or a locked office).
PHYSICAL SAFEGUARDS – CONFIDENTIAL DESTRUCT (continued)
To prevent unauthorized access to and misuse of PHI and PCI:
Secure documents and electronic media awaiting destruction (e.g., locked cabinets or a locked office).
For paper documents, use shredders or the locked, grey, confidential destruction bins available throughout the Department.
For electronic media (e.g., CDs, discs, thumb drives, etc.), contact your LAN Administrator.
NOTE: "Delete" or "Erase" is not sufficient to remove all remnants of data from electronic media; data must be removed or wiped from the device according to Department policy.
Ask your supervisor whether the destruction is required to be logged.
PHYSICAL SAFEGUARDS – LOCKED CABINETS
Put documents in a locked drawer or filing cabinet. Do not leave keys to cabinets and drawers in a desk or in any obvious place. Do not leave PHI/PCI/Sensitive Information visible on top of or under desks unless your office is locked. The HAM states that personal, confidential, and sensitive information must be locked up during non-working hours even if the building is secure.
PHYSICAL SAFEGUARDS – PRINTING
Do not leave printouts containing PHI/PI/Sensitive Information sitting on the printer. Deliver printouts to the appropriate persons immediately or secure them in your own desk.
PHYSICAL SAFEGUARDS – FAXING (HAM Section )
Notify the recipient prior to sending a fax.
Verify the fax number.
Use a cover page with a confidentiality statement.
Do not leave a fax containing personal, confidential, or sensitive information in the fax machine.
PHYSICAL SAFEGUARDS – MAILING (HAM Section )
Verify the address. Personal, confidential, or sensitive information should be placed in an envelope so that the information is not visible.
PHYSICAL SAFEGUARDS – MAILING (continued)
RECORD – Keep a record of what you are sending, such that you could re-create the information and/or send notices if the data is lost or stolen.
ENCRYPT – Ensure that personal, confidential, or sensitive information on electronic media (e.g., disks, CDs, and other storage media) is encrypted before it is mailed.
LOG – When confidential data in physical form (e.g., paper, CDs, etc.) is received from or sent to a different location, it must be logged according to the Division's procedures.
TRACK – Use a delivery service with status tracking and delivery confirmation. For mailings with PHI or PCI of more than 500 individuals in a single package, use a delivery service.
PHYSICAL SAFEGUARDS – ORAL COMMUNICATIONS
Take reasonable steps to protect the privacy of all verbal discussions or interpreted exchanges (e.g., sign language) involving Department-owned confidential, personal, and sensitive information.
PHYSICAL SAFEGUARDS – ORAL COMMUNICATIONS
Do not discuss Department-owned personal, confidential, or sensitive information with those who do not need to know, even if they work with you (e.g., co-workers, family, friends, etc.). Always verify the identity and authority of persons before you discuss or exchange information. When it is necessary to discuss personal, confidential, or sensitive information, use enclosed offices, meeting rooms, or another location where unauthorized staff cannot overhear you.
PHYSICAL SAFEGUARDS – REMOVING PHI/PCI FROM THE DEPARTMENT
When authorized purposes, such as business travel, teleworking, offsite meetings, etc., require that you remove Department-owned data in any form:
Only remove the minimum information necessary to get the job done.
Use only Department-issued IT devices (e.g., laptops, CDs, thumb drives, etc.) when taking this information off-site.
All electronic data (on laptops, CDs, thumb drives, etc.) must be encrypted.
Keep a record of what you remove from the Department, such that you could re-create the information or send breach notices if the data is lost or stolen.
PHYSICAL SAFEGUARDS – REMOVING PHI/PCI FROM THE DEPARTMENT (continued)
Do not check documents or electronic devices in baggage on commercial airplanes. If documents need to be transported to remote locations, use a secure delivery method with a tracking system.
NOTE: Whenever possible, use encrypted electronic devices rather than paper.
While en route, and when unattended at hotels and/or other travel destinations, physically secure paper documents and electronic devices where they are not visible, to prevent theft and unauthorized access, viewing, and/or use.
Fully shut down (power off) laptops when unattended, even in locked hotel rooms, meeting rooms, vehicle trunks, etc.
Documents should be shredded as soon as possible when no longer needed. Do not store or discard DHCS information offsite.
PHYSICAL SAFEGUARDS – MOBILE COMPUTING DEVICES
Examples of mobile devices:
Laptops, Tablet PCs, PC notebooks
USB storage devices
PDAs, Palm, Blackberries, Treos, camera phones
Thumb drives
Memory sticks/cards
PHYSICAL SAFEGUARDS – SECURITY OF MOBILE COMPUTING DEVICES
All mobile devices must be encrypted and, when taken off the worksite premises, must not be separated from employees at airports, in automobiles, in hotel rooms, etc. Do not leave mobile devices unsecured. When not being used, all mobile devices should be locked up. Cable lock laptops to an immovable surface.
TECHNICAL SAFEGUARDS
Technical Safeguards are security measures that specify how to use technology to protect the information gathered, stored, and transmitted by the Department's electronic information systems, particularly by controlling access to it. Technical Safeguards are accomplished, in part, by:
USING UNIQUE PASSWORDS
ENCRYPTION
INTERNET CONTENT FILTERING
LOCKING COMPUTER SCREENS
LOGGING USER ACTIVITIES
TECHNICAL SAFEGUARDS – DEPARTMENTAL LEVEL SAFEGUARDS
To protect and improve the networking environment, the Department implements many safeguards. Here are a few examples:
Encryption – DHCS uses encryption that adheres to FIPS standards, such as AES with 256-bit keys.
Internet Content Filtering – protects the network and its users from malicious Internet web sites by blocking access, enforces the "appropriate use" guidelines of the Policy, reduces the Department's liability for misconduct, and improves productivity.
Anti-Virus Software – DHCS uses anti-virus software to detect and prevent malicious software. All users receive a message on their computer screen when their computer is being checked. If you think your computer has a virus, contact your LAN Administrator or call the IT Service Desk at (916) or (800) to receive guidance.
Security Patches – DHCS installs critical software security patches.
Computer Usage Audit Logging – all network activity is logged and monitored.
TECHNICAL SAFEGUARDS – PASSWORDS
Best practice for creating a "strong" password:
Avoid common references, e.g., your significant other's name, pet's name, birthday, favorite color, sequential or repeated characters (abc, 123, 5555), or anything else easy to guess.
Use a password that is at least eight (8) characters long.
Include at least three of the following four character types:
Upper case letters (A–Z)
Lower case letters (a–z)
Arabic numerals (0–9)
Non-alphanumeric characters (e.g., punctuation)
Do not use a word found in the dictionary.
Have a unique password for each logon, and do not use the same password for multiple systems.
TECHNICAL SAFEGUARDS – PASSWORDS
Employees are responsible for the confidentiality and security of their passwords (see the HAM). When using any Department or state system that requires you to log in with a password, adhere to the following:
Do not share your password with anyone (family, friends, manager, help desk, etc.).
Do not write your password down.
Do not include your password in a data file, logon script, or macro.
Change your password at least every 60 days, or sooner if you suspect it has been compromised.
Report any suspected unauthorized use of a password to your supervisor and the Information Security Office (ISO) immediately.
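The password rules above are easy to state and easy to get subtly wrong when enforced by software, so here is an added example (not part of the training, and not DHCS code) that turns them into a checker: minimum length, three of four character classes, no dictionary word even after stripping digits and symbols, no sequential or repeated runs, no personal references, and no reuse across systems. The tiny dictionary, the personal terms, and the candidate passwords are all constructed for the example. One caveat a practitioner should keep in mind: current NIST SP 800-63B guidance favours length plus screening against breached-password lists over composition rules and fixed rotation periods, but the checker below implements the rules as this training states them.

```python
import string

# Constructed stand-in for a dictionary word list; a real check would load a
# full list (assumption: one lowercase word per line) or a breached-password set.
DICTIONARY = {"password", "welcome", "medical", "sacramento", "summer"}


def _class_count(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in pw),      # upper case A-Z
        any(c.islower() for c in pw),      # lower case a-z
        any(c.isdigit() for c in pw),      # digits 0-9
        any(not c.isalnum() for c in pw),  # non-alphanumeric (!, @, #, ...)
    ])


def _has_run(pw: str, run: int = 3) -> bool:
    """True if pw holds `run` consecutive characters that repeat (5555) or
    ascend within a-z or 0-9 (abc, 123). Case is ignored."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if chunk in string.ascii_lowercase or chunk in string.digits:
            return True
    return False


def check_password(pw, dictionary=DICTIONARY, personal_terms=(), used_elsewhere=()):
    """Return the list of rules the candidate violates (empty list = acceptable).

    personal_terms: strings the training calls 'common references' (pet, partner...).
    used_elsewhere: passwords already in use on other systems (reuse check).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if _class_count(pw) < 3:
        problems.append("fewer than 3 of 4 character classes")
    # 'Password1!' satisfies the class rule but is still a dictionary word once
    # the digits and symbols are stripped, so compare the alphabetic core too.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if pw.lower() in dictionary or core in dictionary:
        problems.append("dictionary word")
    if _has_run(pw):
        problems.append("sequential or repeated characters")
    for term in personal_terms:
        if term.lower() in pw.lower():
            problems.append(f"personal reference: {term}")
    if pw in used_elsewhere:
        problems.append("reused on another system")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "abc12345", "Tr4vel-Kay@k"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The dictionary check on the stripped alphabetic core is the part most home-grown checkers miss: "Password1!" passes every composition rule and still falls to the first wordlist an attacker tries.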
TECHNICAL SAFEGUARDS – ENCRYPTION
Proper encryption protects electronic confidential information such that if it is obtained by an unauthorized person, it cannot be read, and its loss will not be considered a data breach. Encryption is applicable to data at rest and data in transit. DHCS uses encryption that adheres to FIPS standards, such as AES with 256-bit keys. DHCS requires that all IT equipment and any accompanying data storage media used to access, store, or transmit personal, sensitive, or confidential information consistently employ full disk encryption or file encryption. IT equipment and accompanying data storage media include, but are not limited to, workstations, laptops, removable media, and mobile/portable devices (USB drives, floppies, CD/DVD, Blackberry, backup tapes, etc.): generally, all devices that can store data.
TECHNICAL SAFEGUARDS – ENCRYPTION (continued)
DATA AT REST – Protect confidential information on computer hard drives, laptops, mobile devices, and removable media.
Use only Department-issued devices to access, store, or transmit Department information. Validate that the device has Department-standard encryption in place before storing confidential data on it.
Use of non-Department devices or non-standard encryption methods requires prior approval from your Branch Chief and the ISO.
Always power off devices containing DHCS information when they are unattended (e.g., in vehicle trunks while traveling, hotel rooms, home offices, etc.). This way, even if the device is stolen, the information cannot be read without the encryption password. A laptop that is merely asleep or screen-locked still holds the disk encryption key in memory, which is why a full shutdown, not just a lock, is required.
TECHNICAL SAFEGUARDS – [SECURE] E-MAIL ENCRYPTION TECHNOLOGY
DATA IN TRANSIT – Encrypt messages while they travel from your computer to a computer outside the Department's network. Insert "[secure]", in square brackets, anywhere on the subject line. As soon as you click "Send", the e-mail is sent to a secure website and immediately encrypted. Even if it is intercepted by a third party, they will not be able to read it, because a key (password) is required to decrypt it. If the recipient of your e-mail replies using the secure website's reply button, their reply will automatically be encrypted. Other approved methods of securing data in transit include HTTPS and Secure FTP. Contact the ISO if you need assistance.
TECHNICAL SAFEGUARDS – SENDING PHI VIA E-MAIL
Always ensure delivery to the intended recipient by checking the address.
Only send the minimum necessary PHI/PCI/Sensitive Information.
Never send messages containing PHI/PCI/Sensitive Information outside of the Department unless you encrypt them.
Insert a confidentiality statement at the end of your e-mail.
TECHNICAL SAFEGUARDS – CONFIDENTIALITY STATEMENT
Below are examples of confidentiality statements that can be used with e-mails, faxes, and other documents:
CONFIDENTIALITY NOTICE: The information contained in this document is confidential and is intended only to be viewed by the recipient(s) listed above. If you are not the intended recipient(s), you are hereby notified that any distribution or copying of this document is strictly prohibited. If you have received this document in error, please contact the sender listed above and destroy the document(s).
CONFIDENTIALITY NOTICE: This facsimile transmission is intended only for the addressee shown above. It may contain information that is privileged, confidential, or otherwise protected from disclosure. Any review, dissemination, or use of this transmission or any of its contents by persons other than the addressee is strictly prohibited. If you received this fax in error, please call the sender collect immediately and destroy the document(s). Thank you for your cooperation.
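The "[secure]" tag and the "never send PHI outside the Department unencrypted" rule above are the kind of thing a mail gateway or a send-time add-in can check automatically. The following is an added example (not part of the training and not DHCS's gateway code) of that pre-send check: it scans the message body for a handful of the direct identifiers listed earlier in this training, determines whether any recipient is outside the Department's domain, and blocks the message if identifiers are going external without the tag. The domain `dhcs.example`, the CIN format (8 digits followed by a letter), the regular expressions, and the sample message are all assumptions constructed for this example; every value in the sample is fictitious.

```python
import re

# Assumption: the Department's own mail domain (hypothetical, not from the training).
INTERNAL_DOMAIN = "dhcs.example"

# Patterns for some of the direct identifiers listed earlier in the training.
# The CIN format (8 digits + 1 letter) is an assumption made for this example.
IDENTIFIER_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "cin":   re.compile(r"\b\d{8}[A-Z]\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_identifiers(text):
    """Map identifier type -> list of matches found in text (only types with hits)."""
    hits = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def outbound_check(recipients, subject, body, internal_domain=INTERNAL_DOMAIN):
    """Apply the training's rule: PHI/PCI may leave the Department only encrypted.

    Returns a verdict dict; 'allowed' is False when identifiers would go to an
    external recipient without the [secure] tag on the subject line.
    """
    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain)]
    identifiers = scan_identifiers(body)
    encrypted = "[secure]" in subject.lower()   # gateway tag, case-insensitive
    allowed = not external or not identifiers or encrypted
    return {
        "external": external,
        "identifiers": identifiers,
        "encrypted": encrypted,
        "allowed": allowed,
    }


# Constructed sample message; every value is fictitious.
SAMPLE_BODY = (
    "Hi Pat, per your request: beneficiary Jane Doe, DOB 03/14/1962, "
    "SSN 123-45-6789, CIN 98765432A, phone (916) 555-0199. Call me."
)

if __name__ == "__main__":
    verdict = outbound_check(["pat@partnerplan.example"], "Re: records", SAMPLE_BODY)
    print("blocked" if not verdict["allowed"] else "sent", sorted(verdict["identifiers"]))
```

Pattern matching like this catches structured identifiers (SSN, CIN, phone, dates) but not a bare name plus "is on Medi-Cal", which the training points out is already PHI; treat the check as a safety net behind the human rule, not a replacement for it.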
TECHNICAL SAFEGUARDS – AUDIT LOGGING
All employee computer activity is logged and has an audit trail. This is in compliance with state and federal laws and policies, and is a matter of best practice for accountability. "Employees are granted access to the Department's information to perform their job functions on a need-to-know basis. Employees shall have no expectation of privacy from Department monitoring and inspection in the use of Department resources…"
TECHNICAL SAFEGUARDS – COMPUTING EQUIPMENT
Use Ctrl-Alt-Delete to lock your computer before you leave it unattended.
Store files on server/shared drives that are backed up; do not store them on desktops.
Do not use computer equipment for any unauthorized purpose.
TECHNICAL SAFEGUARDS – LAPTOPS
Do not leave laptops unattended unless secured. When not in use, place the laptop in lockable storage. Do not store PHI/PCI/Sensitive Information on a laptop unless it is encrypted. When taken off the worksite premises, cable lock the laptop to an immovable surface or place it in a secure location.
TECHNICAL SAFEGUARDS – INTERNET / E-MAIL RESOURCES
Department employees are granted access to Internet and e-mail resources to provide education, research, marketing, procurement, and service opportunities in the performance of their duties. Conduct all Internet and/or e-mail activities in a professional, lawful, and ethical manner. This includes the development of content for the Internet. Support the use of existing infrastructure, technologies, procedures, and standards in using, developing, or making information available on the Internet. Employees shall be restricted from participating in mailing lists, discussion groups, newsgroups, list servers, or other interactive communications if such participation is excessive or inhibits overall network performance. Accessing a personal or private Internet Service Provider for personal use while using any state equipment, or using non-state equipment for conducting state business, does not release an employee from the responsibility of complying with this policy.
TECHNICAL SAFEGUARDS – INTERNET / E-MAIL RESOURCES (continued)
Examples of inappropriate use include, but are not limited to, viewing, sending, and/or downloading information that:
Contains defamatory, false, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, or otherwise biased, discriminatory, or illegal material.
Violates agency or departmental regulations prohibiting sexual harassment and/or discrimination.
Restricts or inhibits other users from using the system, or reduces the efficiency of the computer systems.
Uses departmental records for private gain, or divulges confidential departmental information or records, unless officially authorized to do so.
Only click on links in an e-mail if the e-mail is work related, you are certain it came from a reliable source, or you are expecting the information.
TECHNICAL SAFEGUARDS – MOBILE COMPUTING DEVICES
When authorized to use mobile devices, such as laptops, Tablet PCs, PC notebooks, USB storage devices, Blackberries, flash memory (memory sticks & cards), camera phones, etc.:
Only download or store the minimum amount of PHI/PCI/Sensitive Information necessary to get the job done. NOTE: Do not download or store Social Security numbers (SSNs) unless absolutely necessary, and only if the mobile device is encrypted.
Use only Department-issued IT equipment. All non-state mobile computing devices require approval by your Branch Chief and the ISO before being connected to the network.
Encrypt all mobile devices or data.
Laptops must be connected to the network once every 30 days in order to download the latest security updates.
TECHNICAL SAFEGUARDS – REMEMBER
Tips to remember when accessing DHCS information resources:
Always lock up paper documents and encrypt electronic media containing personal, confidential, and sensitive information.
Follow paper and electronic media destruction procedures.
Don't use unsecured wireless networks.
Don't download personal files and don't check home e-mail accounts.
If your job requires use of a social network website, don't post any PHI/PCI or sensitive Department information on it.
Use only authorized software. Using non-standard software requires prior approval, to ensure the software is secure and to prevent violations of licensing and copyright laws.
75 REMOTE ACCESSRemote Access involves using an externally located computer (e.g. home, hotel) to access DHCS , documents, and applications. Remote access is most commonly used after hours, when travelling, or when teleworking (i.e., working from home). Remote access is provided by one of the following DHCS systems: Outlook Web Access (OWA): Access to , no licensing cost Citrix: Access to , folders and applications, licensing cost involved
76 RISKS of OWAYou should be aware of the information security risks associated with the two DHCS remote access methods:Remote AccessMethodLicensingCostsFeaturesDataSecurityLevelTwo FactorAvailableOutlook Web Access (OWA)NoLimited, Browser based , Calendar, & ContactsVery WeakCitrixYesFull Featured Outlook, Folders, SharePoint & moreVery HighWhile free, OWA has a much higher risk of your password being stolen by hidden malware called a keylogger. If you have confidential data in your , it’s recommended that you not use OWA unless from a DHCS issued laptop.Note: While not considered “remote access”, a DHCS managed Blackberry is a highly secure alternative to these methods, if your only needs are , calendar, and contacts.
77 POTENTIAL RISKSRemote access, while useful, also carries potential risks to both DHCS information assets, and the information assets of other business associates whose data is in DHCS custody.Inappropriate exposure of confidential information to others may trigger federal and state breach notification laws. If triggered, DHCS is required to notify the appropriate authorities along with a press release. Violation of policies may also lead to employee disciplinary action.Areas of concern include the following:Inadvertent exposure of information to visitors, family, friends, etc.Lost or stolen media, devices, or paperImproper disposal of media and paper documentsMalicious software on non-DHCS computer that steals data
78 DOWNLOAD DANGERS
In this training, "data" refers to confidential/sensitive information, in both electronic and paper form.
- Minimize downloading or taking any DHCS data outside the workplace.
- Do not download DHCS data onto non-DHCS owned computers or mobile devices. This includes transferring data via thumb drives, CDs, etc.
- Do not e-mail DHCS data to personal e-mail or other personally owned systems.
- If uncertain what is permissible, consult with your supervisor or the Information Security Office (ISO).
79 DATA SECURITY
Data in your possession (e.g., electronic data, paper documents, or data visible on your computer screen) must be secured from unauthorized access, including family members and friends. When left unattended, secure data in locked cabinets, locked drawers, or locked rooms. Do not leave it in unattended vehicles or other locations where it may be easily stolen. When using a mobile computer, use of a computer cable lock is recommended.
80 PAPER PRECAUTIONSPaper documents are high risk because they cannot be encrypted. Avoid printing documents or taking paperwork offsite unless absolutely necessary. Documents should be shredded as soon as possible when no longer needed. Work related documents should be kept in a separate location from any personal documents.
81 COMPUTER SECURITY
Non-DHCS computers (personally owned, libraries, hotels, etc.) are at an increased risk of having hidden, malicious software or "malware", which is capable of stealing passwords and data and secretly logging all keystrokes (a "keylogger"). If using a home computer for remote access, ensure it has the following:
- Up-to-date antivirus signatures
- Monthly installed security patches
- An installed software or hardware firewall
82 TECHNICAL REQUIREMENTS
Ensure you have an active firewall to protect the computer from Internet-based attacks. Software firewalls are included with Windows. Hardware firewalls (typically built into a "router") are supplied by your Internet provider or purchased. For personally owned computers, set up automatic installation or notification of security patches, and ensure you update software such as Adobe Acrobat and Firefox on a monthly basis. DHCS-issued laptops must be reconnected to the DHCS network on a monthly basis to receive updates. Do not use unsecured, open wireless networks.
83 SECURING THE COMPUTER SCREEN
It is important to secure your remote access session from unauthorized access. Password protect your computer screen when away from the computer by logging off or using a screen lock password known only to you. Do not depend on the automatic timeout lock (Windows logo key + "L" locks immediately). If you suspect that someone viewed your password or watched you type it in, immediately change your password. Choose difficult-to-guess passwords that are 8 characters or more, not in the dictionary of any language, and not similar to previous passwords.
84 SOCIAL ENGINEERING PRECAUTIONS
A common technique used by hackers is to attempt to trick you by posing as an administrator or other person of authority. Do not trust any individual who claims authority to access your data or password. Passwords should never be shared. Do not click on links or attachments in e-mail unless you are expecting the e-mail or can validate that it is authentic. Do not click on links unless it is work related and necessary to do so; the website may be fake. If you have any doubt, contact the Information Security Office before complying with the request.
85 REMEMBER
Remote Access security controls and policies protect DHCS data and avoid state and federal law violations. Ignoring, disabling, or working around DHCS security controls or policies can be grounds for disciplinary action. Remember that system logs retain a record of your activities. If you are unable to perform your job duties within the existing DHCS security controls, contact your supervisor or the DHCS Information Security Office for guidance.
86 REMOTE CONTROL FEATURE Most computers have a feature that allows technical support organizations to take remote control of your PC. This should not be allowed at the same time you are in a remote access session with DHCS because the technical support professional can see everything on your screen.
87 SECURITY INCIDENTS
If a breach of security is suspected, you must immediately report it to the DHCS Information Security Office. If you suspect DHCS confidential or sensitive data was viewed or received by an unauthorized individual, you must also notify the DHCS Privacy Office. Make sure to keep your Manager or Supervisor informed.
89 MINIMUM NECESSARY
Minimum necessary is a concept in HIPAA that ensures that the disclosure of PHI is limited to the minimum amount necessary in order to minimize risk to the security of data. When disclosing PHI or PII:
- Use the minimum amount of information necessary
- Request the minimum amount of information necessary
- Disclose the minimum amount of information necessary
Department staff access should be specific, based upon the operational needs of each unit.
90 MINIMIZING USEStaff should only request to inspect PHI necessary for job function, not the entire record, unless needed. Copy only relevant parts of PHI. Redact (blackout) PHI not relevant to the requested information. Example: SSNs on applications that are copied and placed in files where the SSN is not needed should be blacked out.
91 MINIMIZING REQUEST & DISCLOSURE
When Minimum Necessary does NOT apply:
- Health care provider for treatment - Doctors can share entire medical charts to care for a patient.
- Individual who is the subject - Patients have the right to access all of their medical record.
- Pursuant to an individual's authorization - A patient can authorize any part or all of their medical record to be given to another party.
- Disclosures to the Secretary of Health & Human Services.
- When a disclosure is required by law, such as in response to a court order or subpoena.
92 USE and DISCLOSURE of PHI and PCI: HIPAA, MEDICAID & STATE LAW
93 USE and DISCLOSURE of PHI under: HIPAA
94 USE & DISCLOSURE
USE is the sharing, application, utilization, examination, or analysis of protected health information within a covered health plan or provider which maintains the information.
DISCLOSURE is the release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information.
95 DISCLOSURES OF DATAManagers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of federal or state laws or regulations or Department policies. All external data releases require approvals from a Data Release Coordinator, the Data Owner, Privacy Officer, and Information Security Officer. See HAM Section
96 TYPES OF USE & DISCLOSURE
Permitted uses & disclosures are allowed by HIPAA without the patient's consent or authorization, and include:
- TREATMENT
- PAYMENT
- HEALTH CARE OPERATIONS
- HEALTH OVERSIGHT
- PUBLIC HEALTH
Required disclosures are mandated by HIPAA.
NOTE: If a stricter state or federal law for a specific program regarding use and disclosure exists, the more stringent law must be followed.
97 You May Use or Disclose PHI for TREATMENT Treatment is providing health care to an individual by a health care provider. Treatment only applies to health care providers. Minimum Necessary does NOT apply.
98 You May Use or Disclose PHI for PAYMENT
Payment is the compensation for services and includes activities to obtain:
- Premiums, if you are a health plan
- Money for services, if you are a provider
Minimum Necessary applies.
99 You May Use or Disclose PHI for HEALTH CARE OPERATIONS
Health Care Operations (HCO) are those activities that support treatment and payment. For example:
- Prior Authorizations
- Internal Auditing
- Management Reviews
- Administrative Appeals
Minimum Necessary applies.
100 OTHER HIPAA PERMITTED DISCLOSURES
- To Health Oversight Agencies that are authorized by law to conduct certain oversight activities. Examples: Department of Justice, Federal Bureau of Investigation, Office of Inspector General, Medical Board, Dental Board.
- To Public Health Authorities that are authorized by law for the purpose of preventing or controlling disease, injury, or disability.
101 REQUIRED DISCLOSURES
Disclosures must be made to:
- Individuals requesting a copy of their own PHI
- The Secretary of the U.S. Department of Health and Human Services
102 JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512 (e)) When the Department is a plaintiff or defendant in a lawsuit, PHI may be disclosed as part of program operations. Program rules for disclosures apply, such as Minimum Necessary
103 JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512 (e)) Permissible Disclosures of PHI, where it may be disclosed: In response to an order of a court or administrative tribunal when DHCS is not a party. In response to a subpoena, discovery request, or other lawful process if reasonable efforts have been made to ensure that the individual has been given notice of the request or reasonable efforts have been made to secure a qualified protective order.
104 USE and DISCLOSURE of PHI under: MEDICAID & STATE LAW
105 PREEMPTION (45 CFR Subpart B)
The HIPAA Privacy Rule is a national floor of privacy protection; it does not preempt the field in medical privacy. If there is a state statute or regulation which:
1) Affords greater protection to an individual's privacy, or
2) Provides a greater right to the individual to access their own records,
THEN that law prevails over HIPAA.
106 Medicaid Law (Welf. & Inst. Code 14100.2) USES & DISCLOSURES
Medi-Cal uses and disclosures are limited to:
- The individual regarding his/her own PHI
- Purposes directly connected to the administration of the Medi-Cal Program
Purposes directly connected to Medi-Cal administration include:
- Determining eligibility and reimbursement
- Providing services to recipients
- Conducting or assisting investigations, prosecutions, or proceedings related to Medi-Cal
- Third Party Liability activities
- Audits and legislative investigations
107 MEDI-CAL SUBPOENAS
The Medi-Cal Program does not usually respond to subpoenas for PHI:
- Unless it directly relates to the administration of Medi-Cal, or
- Unless it is required by a court order
Suggest that the individual beneficiary / personal representative request the PHI through the individual Access Policy (see the Notice of Privacy Practices).
108 RELEASES TO RESEARCHERS RESEARCH means a systematic investigation designed to develop or contribute to generalizable knowledge. If contacted by a researcher, you must immediately refer them to the Data and Research Committee. Program evaluation may become research when the contractor intends to publish the results. Research proposals involving Department data and/or beneficiaries need to be approved by the Committee for Protection of Human Subjects (CPHS) in the Health & Human Services Agency.
109 CALIFORNIA CIVIL CODE (1798.24)
A State Agency may release PCI:
- To the individual to whom the record pertains
- With prior written voluntary consent
- To the guardian or conservator or authorized representative, if documented
- To a governmental entity when required by law
- Pursuant to the Public Records Act
- For compelling health or safety reasons
- Under subpoena or court order, if the agency attempts to notify the individual beforehand
- To a law enforcement or regulatory agency
- For research
110 DISCLOSURES of CONFIDENTIAL DATA
Managers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of Federal or State laws/regulations, or Department policies. All external data releases require approvals from a Data Release Coordinator, the Data Owner, the Privacy Officer, and the Information Security Officer. Some programs have additional requirements for uses and disclosures. Check with your manager/supervisor and the Privacy Office if you have additional questions.
111 ACCESS TO BENEFICIARY RECORDS
112 RIGHT TO ACCESSIndividuals have a right to access information about themselves that is maintained by any health plan, provider or the Department. The Department must provide access or make copies of the records it creates or maintains, and mail to the individual upon request.
113 EXAMPLES OF DEPARTMENTAL MEDICAL RECORDS
- Claim Detail Report (CDR)
- Surveillance Utilization Review Subsystem (SURS)
- Treatment Authorization Request (TAR)
- Managed Care Records (premium payments, enrollment records)
- Medical Case Management Records
- Enrollment/Disenrollment forms
- Application Forms
- Eligibility Records
114 ACCESS ASSIGNMENTS
For Medi-Cal, access is granted as follows:

Unit | Records
Electronic Data Systems (EDS) | Claim Detail Reports (CDR)/SURS
Medi-Cal Operations | TARs, Medical Case Management, etc.
Managed Care | Managed Care Records
Medi-Cal Dental Services Branch | Medi-Cal Dental Records
Third Party Liability (TPL) | CDR information dated back 10 years in microfiche and/or cold storage
Eligibility Division | Eligibility Records
115 WHO MAY ACCESS MEDICAL RECORDS?
- INDIVIDUALS (beneficiaries, patients, clients) participating in a health plan or program in the Department will receive a Notice of Privacy Practices (NPP) telling them how to access their records.
- An Authorized Requestor may also access a beneficiary's records with proper legal authority.
NOTE: State laws should be examined with regard to minors. See the Access Policy and Family Code for discussion.
116 REQUEST FOR ACCESS TO PHI
The Department requires that requests for access be in writing using an Access form found on the Privacy Office website:
- Requests for Access by an Individual require a 6236 Access Form
- Requests for Access by a parent, guardian, executor of will, conservator, or person with medical power of attorney require a 6237 Access Form
- Authorizations for personal representatives (including legislators and requests from the governor's office) require a 6247 Authorization Form
117 AUTHORIZATIONS FOR PHI ACCESS
- 6247 AUTHORIZATIONS are required for disclosures of PHI to personal representatives or entities for purposes outside of permitted and required uses and disclosures.
- The individual has a right to revoke a previous authorization.
- No one can make an individual sign an authorization as a condition for treatment.
- A personal representative may sign for a minor child, incompetent adult, or deceased beneficiary.
118 HIPAA VALID AUTHORIZATIONS
The 6247 authorization form must include:
- Patient/Beneficiary information
- Description of the PHI
- Who the PHI is to go to
- The purpose for the requested PHI
- Expiration date of the authorization
- The signature of the individual whose PHI is being requested
- Copy of beneficiary identification or notarized patient/beneficiary signature
119 REQUEST FOR PHI ACCESS
The Department:
- Will respond to individual requests within 30 days after receiving the request
- Will require proof of identity and address of the requestor
- May charge a fee for copying
An Authorized Requestor shall be treated like the individual with regard to access to the relevant information, but must have proper authorization, regardless of their title or designation. Before fulfilling a request for beneficiary information, each of the sections on the form must be filled out and proper identification must be shown.
120 REQUEST FOR PHI ACCESS
After releasing beneficiary information to any person or entity external to DHCS, DHCS programs should document the release, including the date of release; the beneficiary's name, address, and phone number; the MEDS ID, CIN, or SSN; and the type of information that was released. Releases to other divisions within DHCS do not require documentation (though it is always a good business practice).
Sample Access Request Log (also available on the DHCS Privacy Office website, 'Employee's Use' section):

Date of Valid Request | Requestor | Requestor's Address | Requestor's Phone # | Beneficiary/Patient Name | CIN# | Type of Information | Date of Release
1/1/2011 | John Smith | 1 Main St. | | Joe Smith | | TAR | 1/15/2011
121 VERIFICATION OF IDENTITY FOR TELEPHONE REQUESTS
Requests for information via the phone may be accepted. However, all individuals requesting information must be verified for the right to obtain that information.
If an individual beneficiary is calling: Ask for information you have available on file, such as the Medi-Cal ID card, SSN, date of birth, phone number, and address. Use professional judgment when disclosing PHI over the phone.
If a provider is calling: Verify that belongs to the provider that is calling.
122 IN CASE OF EMERGENCY
- If a program beneficiary is incapacitated and unable to consent,
- If there is an emergency requiring immediate care, and
- If in the supervisor's professional judgment, disclosure is in the best interest of the beneficiary,
THEN the program may disclose PHI to any of the following over the telephone without the beneficiary's consent:
- A family member, other relative, or close friend of the beneficiary
- Another person where the PHI is directly related to their involvement in care or payment for the beneficiary
124 RESPONSIBILITY & PREVENTION With the growing rate of identity theft, laws continue to emerge to protect individuals’ information.It is everyone’s responsibility in the Department to protect the confidential information we collect and maintain in order to avoid breaches of information.
125 PRIVACY BREACH
A privacy breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws.
- Federal: HIPAA Privacy Rule
- State: California Civil Code 1798
Privacy breaches may be paper or electronic and may occur when information is transmitted to an unintended or unauthorized recipient.
126 EXAMPLES OF PAPER BREACHES
- Misdirected paper faxes with PHI/PCI outside of the Department
- Loss or theft of paper documents containing PHI/PCI
- Mailings with PHI/PCI to incorrect providers or beneficiaries
127 EXAMPLES OF ELECTRONIC BREACHES
- Stolen, unencrypted laptops, hard drives, or PCs with PHI/PCI
- Stolen, unencrypted thumb drives with PHI/PCI
- Misdirected electronic fax with PHI/PCI to a person outside of authorized state government
128 IMMEDIATE ACTION REQUIRED
Federal and State law require that if there is a breach of PHI/PCI, notice must be given to the affected individuals "in the most expedient time possible and without unreasonable delay" if there is a "significant / substantial risk of harm". Managers/Supervisors/Staff must take action to report suspected breaches IMMEDIATELY.
129 REPORTING PRIVACY BREACHES
DHCS employees must take immediate action and report (by phone or e-mail) all privacy breaches to:
- Your Supervisor
- DHCS Privacy Office, Phone: (916), Fax: (916)
- DHCS Information Security Office, Phone: (916) (IT Service Desk)
130 PRIVACY COMPLAINTS
Individuals have the right to complain about a violation of Privacy or Security policy, whether they are a patient, member of the workforce, or other business associate. The DHCS Privacy Office handles all complaints from Medi-Cal beneficiaries and employees and treats all allegations of privacy violations seriously. They investigate a variety of complaints regarding suspected misuse, disclosure, or disposal of PHI/PCI/Sensitive information.
DHCS Privacy Office Phone: (916)
Complaints should be filed on the DHCS Complaint Form. The information will remain confidential to the extent possible.
132 SANCTIONS
HIPAA requires the Department to develop sanctions for employee violations of privacy and security policies and procedures. Sanctions associated with violations of Department privacy and security policies will be pursued within the state disciplinary process. There are civil and criminal penalties for violating provisions of the HIPAA Privacy and Security Rules as well as State Law.
133 STATE DISCIPLINARY PROCESS In order to hold an employee accountable for violation of any policy or procedure, employees must receive adequate training on the policies and procedures. State Disciplinary System calls for three phases of discipline: 1) Prevention 2) Corrective Action 3) Disciplinary or Adverse Actions
134 CIVIL & CRIMINAL PENALTIES
HIPAA civil money penalties apply to covered entities and their employees: $100 - $50,000 or more for a single violation, up to $1,500,000 for multiple violations in 1 year.
Criminal penalties apply for knowingly obtaining, using, or disclosing PHI in violation of HIPAA:
- Fine up to $50,000, imprisonment up to 1 year, or both.
- Under false pretenses: fine up to $100,000, imprisonment up to 5 years, or both.
- With intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: fine up to $250,000, imprisonment up to 10 years, or both.
135 EXAMPLES OF EMPLOYEE VIOLATIONS
- Employee discusses the name of a beneficiary with friends
- Employee uses PHI to send a birthday card
- Employee sells names and addresses from MEDS or any system containing confidential information to a marketing firm
- Employee gets confidential medical information from MEDS about an ex-spouse and uses or discloses it for personal reasons
- Employee takes or sends protected information in an unencrypted format or without approval, regardless of the reason
137 ROLES & RESPONSIBILITIES EVERYONE in the Department has a role and responsibility to protect the personal, confidential and sensitive information collected and stored by the Department.
138 ROLES & RESPONSIBILITIES The Director has ultimate responsibility for information technology (IT) security, risk management, and privacy within the Department. The Director is responsible for the implementation of, and compliance with, the state security policy and is accountable for the computerized information resources held by the Department. The Director is also responsible for the integrity of computerized information resources and the authorization of access to those resources. However, all Department employees share in this responsibility.
139 ROLES & RESPONSIBILITIES
The Department's Chief Information Officer (CIO), Information Technology Division, is responsible for technical management of all aspects of the Department's information resources and IT systems. This includes:
- Implementing the necessary technical safeguards to preserve the security, privacy, and integrity of the Department's information assets and managing the risks associated with those assets
- Acting as a custodian of information
140 ROLES & RESPONSIBILITIES
The Privacy Officer (PO) is responsible for the privacy of all data maintained by the Department and for compliance with state and federal privacy laws, including HIPAA, the Medicaid Act, and the IPA. The PO is responsible for the creation and maintenance of privacy policies related to Department confidential data. The PO approves corrective action plans when privacy incidents and breaches occur involving confidential Department data.
141 ROLES & RESPONSIBILITIES
The Chief of the Privacy Office (Chief) manages the Privacy Office and its staff. The Chief is responsible for all operational aspects of the Privacy Office. The Privacy Office responds to e-mail addressed to it. The Privacy Office investigates breaches involving unauthorized disclosure of confidential information and is responsible for training all Department staff on privacy and security standards. The Privacy Office processes privacy complaints related to the Medi-Cal Program and performs internal and external privacy audits.
142 ROLES & RESPONSIBILITIES The Information Security Officer (ISO) has oversight responsibility at the Department level for ensuring the integrity and security of automated and paper files, databases, and computer systems. The ISO is required to oversee Department compliance with policies and procedures regarding the security of information assets. The ISO is also responsible for the training of employees to comply with the state, federal and Department Policy Information Security requirements.
143 ROLES & RESPONSIBILITIES
Managers/Supervisors are responsible for:
- Authorizing access to PHI/PCI/Sensitive Information
- Authorizing access to various IT systems
- Providing and routinely discussing policies with staff
- Enforcing compliance with policy
- Taking appropriate action for non-compliance
- Ensuring staff complete Information Privacy and Security Training and maintaining copies of the 'Training Certificates of Completion' and the 'Security & Confidentiality Acknowledgment' (signed annually by each employee)
144 ROLES & RESPONSIBILITIES
All Employees are responsible for the security of their assigned Department resources (i.e., desktop, laptop, mobile devices, etc.) and the information in their control. This includes:
- Using due care to preserve data integrity and confidentiality when accessing Department information.
- Taking appropriate precautions to prevent unauthorized access to or destruction of the Department's information.
- Using Department assets and resources for business purposes.
- Completing the annual Information Privacy and Security Training and signing the Certificate of Completion.
- Annually reading and signing the Security & Confidentiality Acknowledgment form and giving it to your supervisor.
145 ROLES & RESPONSIBILITIES All employees are required to read the Information Privacy & Security Policy found at HAM et seq., and employees must annually sign the Security and Confidentiality Acknowledgment form (See HAM ). Managers/Supervisors are required to maintain the original signed Security and Confidentiality Acknowledgement forms in their unit files for all their employees using or otherwise having access to the Department’s information.
147 SECURITY INCIDENTS & BREACHES
A security incident is an actual or suspected occurrence of:
- Damage, destruction, unauthorized access, or disclosure of Department equipment or information
- Theft, or even attempted theft, or loss of Department equipment or information
- Fraud, embezzlement, misuse, or inappropriate use of state property
- Apparent detection of a computer virus on a state computer
For example, theft of a computer or other IT equipment or device is a security incident and must be reported to the Information Security Office (ISO) immediately. It must be determined whether the computer contained PHI/PCI/sensitive information, and whether it was encrypted. If PHI/PCI/sensitive information was present, the incident may also be a breach of confidential information and must be reported to the Department's Privacy Office. The Privacy Office is responsible for directing notification to the individuals whose information was breached.
148 SECURITY INCIDENTS & BREACHES (CONTINUED)
Suspected or actual incidents involving PHI/PCI/Sensitive information include, but are not limited to, the following:
- Faxes or e-mails to incorrect providers, organizations, beneficiaries, or individuals
- Mis-sent or lost documents or any form of protected information
- Unauthorized viewing, access, or disclosure
- Mailings to incorrect providers, organizations, beneficiaries, or individuals
- Unencrypted e-mails
- Disclosures greater than minimum necessary
- Password sharing
Report all suspected or actual incidents involving PHI/PCI/Sensitive information to the Information Security Office and Privacy Office immediately.
149 REPORTINGFederal and State regulations require the Department to follow specified notification and reporting processes when security incidents and / or privacy breaches occur. “…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.”
150 REPORTING DIRECTIONS
Notify your manager/supervisor immediately. The manager/supervisor shall notify the Division Chief via the chain of command.
Report it to the ISO immediately, using one of the following:
- E-mail, or
- Call the IT Service Desk (M-F 8am-5pm) (916) or (800)
Report it to the Privacy Office immediately, using:
Report the following information:
- Name and title, Division/Program
- Contact phone number and address
- The primary business processes involved
- How the incident was carried out, if known
- The steps that have been taken to mitigate or remediate the incident
- What evidence is available to assist in the investigation
Remain available at your contact phone number for consultation.
151 DISASTER PREPAREDNESS
Another kind of incident is a large-scale disaster (such as flood, fire, earthquake, etc.). In the event of a disaster, the Department will implement its Disaster Recovery Plan to provide for continuity of critical business functions. Employee safety and security is a top priority in implementing a successful plan. For instructions during such an emergency, employees should call:
Emergency Information Hotline DHCS (8 6 6) –
In addition, make sure you are personally and professionally prepared for an emergency. Imagine being unable to get into your building/office for 30 days. Items to consider:
- Staff and co-workers' personal contact information
- Customer contact information
- If authorized, know how to get to State resources such as Outlook Web Access for e-mail and Citrix for application access
152 DISASTER PREPAREDNESS AT HOME
On a personal level, consider:
- Meeting with your family to discuss how to prepare for and respond to a disaster
- Planning how your family will stay in contact if separated
- Completing these steps:
  - Post emergency numbers on each phone
  - Show responsible family members where to shut off utilities
  - Install (and test) smoke detectors on each level of your home
  - Contact your local fire department and learn about in-home fire hazards
  - Learn first aid and CPR
- Meeting with your neighbors and planning how the neighborhood could work together after a disaster
- Knowing your neighbors' skills (medical, technical)
- Special needs such as elderly, disabled, or child care
154 R E V I E WRead Chapter 6 in the HAM. Read and understand your division’s operational policies and procedures. Your supervisor can provide these for you. Familiarize yourself with the content of each website reference.
155 QUESTIONS
Read the Notice of Privacy Practices for your program. Discuss the situation with your manager or supervisor. Contact the DHCS Privacy Office, Phone: (916)
156 WEBSITE REFERENCES
Please print the next three screens as a resource to find manuals, documentation, and forms that have been referenced in this presentation.
- Privacy Office website:
- Information Security Office website:
- Notice of Privacy Practices:
157 WEBSITE REFERENCES
The DHCS Privacy Incident Report form is available on the Privacy Office website. On the Privacy Office website, you can also find forms for: Access (6236), Amendment (6238), Complaint (6242), and Authorization (6247).
- Department of Health & Human Services FAQ:
- East End Security: 28.pdf
- Federal Office for Civil Rights HIPAA Homepage (Enforcement, Privacy & Security Rules):
158 WEBSITE REFERENCES
- California Office of Privacy Protection:
- Secure Encryption:
- Centers for Medicare and Medicaid Services Homepage:
- Emergency Information Hotline DHCS: 1 – – –
159 INFORMATION PRIVACY & SECURITY TRAINING