June 04, 2013 Robin Thomas, NC III, Presenter
PRIVACY BREACHES

A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or State laws. Federal Law is the HIPAA Privacy Rule and State Law is the Information Practices Act of

Privacy breaches may be paper or electronic, and may occur when information is transmitted to an unintended or unauthorized recipient.

Examples of paper breaches include:
Misdirected paper faxes with PHI/PCI outside of the Department
Loss or theft of paper documents containing PHI/PCI
Mailings with PHI/PCI to incorrect providers or service recipients

Examples of electronic breaches include all of the following if they contain PHI/PCI:
Stolen unencrypted laptops, hard drives, or PCs
Stolen unencrypted thumb drives
Stolen unencrypted compact discs (CDs)
Misdirected electronic fax to a person outside of authorized State government
INCIDENT REPORTING

State policy requires Departments to follow specified notification and reporting processes when information security incidents occur…and this process starts with you!

As soon as you are aware that an incident has occurred, report it to your supervisor immediately. In addition, as applicable to the incident, you must report:
a description of the information disclosed or accessed by an unauthorized person
the primary business processes involved
Breach Reporting

If a breach of security is suspected, you must immediately report it to the CDPH Information Security Office.
If you suspect CDPH confidential or sensitive information was viewed by an unauthorized individual, you must also notify the CDPH Privacy Office.
Make sure to keep your Supervisor informed.
First Contact:

Stephen Stuart, Privacy Officer/Sen. Staff Counsel
Privacy Office, Office of Legal Services
(916)

Ivory Mitchell, Privacy Analyst
Privacy Office, Office of Legal Services
(916)
STEP ONE

To Stephen and Ivory: a clear and concise description of the incident.
No abbreviations or acronyms. The PO and the ISO are not familiar with Newborn Screening's or other entities' abbreviations or acronyms.
Forms 1-4 listed on the next page.
STEP ONE

Complete and submit forms to the Privacy Office:
1. CDPH Breach Incident Reporting Form (cdph 2375): submit one form per incident
2. HIPAA Breach Notification Checklist: complete one for each party involved
3. State Breach Notification Checklist: complete one for each party involved
4. Security Incident Determination Checklist: submit one form per incident

The Privacy Office will review and determine whether a breach occurred and the next steps.
STEP TWO

The Privacy Office will draft letters for mailing.
Review the letters for necessary corrections and send approval back to the Privacy Office.
The Privacy Office will update the letters.
Print letters, obtain Program Chief signature, copy for file, and mail to affected parties.
Update and print the Notification Log for file.
STEP THREE

Complete and submit forms to the Privacy Office:
5. Completed Breach Corrective Action Plan
6. Send a copy of the Notification Log 30 days after letters are mailed.
7. Update the Notification Log if any communication is received.
Office of Information Security Contacts:

Brian Issertell
Department of Public Health Information Security Office
(916)

Greg Meixner
(916)