Presented by: Roberta Ward CDHS Privacy Officer Phone: (916) 440-7750 www.dhs.ca.gov/privacyoffice.

Presentation transcript:


Before We Begin…

Please write on your paper the following:
– Your Name
– Your Date Of Birth
– Your Height
– Your Weight
– One Medical Condition that you have (Examples: Allergies, migraines, heart palpitations)

Privacy Breach

A Privacy Breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws:
– Federal: HIPAA Privacy Rule
– State: Information Practices Act of 1977

Privacy Breaches may be paper or electronic:
– Electronic breaches involving a name plus a Social Security number, DMV number, or financial account number require individual notification by law
– CDHS is also notifying individuals when a name and SSN are on paper documents

What is PHI?

PHI is information that identifies or can be used to identify an individual, and that relates to the:
– Past, present or future health condition of that individual
– Health care provided to that individual
– Payment for that health care

PHI includes information in any form: paper, electronic (ePHI), and oral communications.

What Constitutes PHI – 18 Identifiers

– Name
– Address: street address, city, county, zip code (more than 3 digits) or other geographic codes
– Dates directly related to the patient (except year), including DOB, admission or discharge date
– Telephone & FAX Numbers
– Driver’s License Number
– E-mail Addresses
– Social Security Number
– Medical Record Number
– Health Plan Beneficiary Number
– Account Number
– Certificate/License Number
– Any vehicle or device serial number, including license plates
– Web Addresses (URLs)
– Internet Protocol (IP) Address
– Finger or Voice Prints
– Photographic Images
– Any other unique identifying number, characteristic, or code
– Age greater than 89 (as the 90 year old and over population is relatively small)
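The identifier list above is the HIPAA "Safe Harbor" de-identification list, and the slide that follows notes that de-identified data is not covered by HIPAA. The Python below is an added example, not part of this presentation or any CDHS tool, showing how a record is de-identified field by field under those rules: direct identifiers are dropped, the ZIP code is cut to its first three digits, dates are reduced to the year, a date of birth implying an age over 89 collapses to "90+", and identifier patterns that leak into free-text notes are redacted. The field names, the sample record and the reference date are constructed assumptions for the example.

```python
import re
from datetime import date

# Fields holding direct identifiers from the 18-identifier list; these are
# removed outright. Field names are assumptions for this example, not a
# CDHS schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vin", "plate", "url", "ip",
    "device_serial", "biometric", "photo",
}
# Patient-related dates other than DOB: reduced to the year only.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}
# Patterns for identifiers that commonly leak into free-text fields (notes).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN
    re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}"),  # US phone/fax number
    re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),        # e-mail address
]

# Constructed sample record for the example (not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street": "123 Main St",
    "city": "Sacramento",
    "zip": "95814-1234",
    "dob": "1915-05-17",
    "admit_date": "2006-03-02",
    "phone": "(916) 555-0100",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "email": "jane@example.org",
    "ip": "10.1.2.3",
    "diagnosis": "migraine",
    "notes": "Patient reports migraines; see MRN-0042, call (916) 555-0100.",
}
AS_OF = "2006-10-01"  # constructed reference date for the age computation


def generalize_zip(zip_code: str) -> str:
    """Keep only the initial three digits of a ZIP code."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] if len(digits) >= 3 else ""


def generalize_dob(iso_dob: str, iso_as_of: str) -> str:
    """Reduce a date of birth to its year; ages over 89 collapse to '90+'.

    The birth year is suppressed for the 90+ group as well, because the
    year alone would reveal the exact age of that small population.
    """
    born = date.fromisoformat(iso_dob)
    as_of = date.fromisoformat(iso_as_of)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(born.year)


def generalize_date(iso_date: str) -> str:
    """Reduce any other patient-related date to its year."""
    return str(date.fromisoformat(iso_date).year)


def scrub_text(text: str, known_values) -> str:
    """Redact identifier patterns and any known identifier values from free text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    for value in known_values:
        if value:
            text = text.replace(value, "[REDACTED]")
    return text


def deidentify(record: dict, iso_as_of: str) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    known_values = [str(v) for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                    # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["birth_year"] = generalize_dob(value, iso_as_of)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value, known_values)  # catch leaks in free text
        else:
            out[key] = value
    return out


def deidentify_sample() -> dict:
    """Run the constructed sample record through the rules."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for field, value in deidentify_sample().items():
        print(f"{field}: {value}")
```

Two points the list on the slide does not spell out: the Safe Harbor rule also requires that a three-digit ZIP prefix covering 20,000 or fewer people be replaced with 000, which needs census data this example does not carry; and regex scrubbing of free text is best effort, so notes fields should still be reviewed (or excluded) before a data set is treated as de-identified.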

What is NOT PHI?

De-identified data is NOT covered by HIPAA. HIPAA also does NOT cover:
– Employee Records
– Workers’ Compensation Records
– Records about Providers

HOWEVER, CDHS considers all three of these record types “personal confidential information” (PCI), which therefore must be safeguarded in the same manner as PHI.

“Personal Confidential Information” (PCI)

Information that is not public and which identifies or describes an individual, including:
– Names
– Home Addresses
– Home Telephone Numbers
– Social Security Numbers
– Medical or Employment Histories
– Personnel Records
– Licensing Records

Information Practices Act (California Civil Code section 1798 et seq.)

Establishes requirements for all state agencies for the collection, maintenance & dissemination of personal information.

Allowed Disclosures:
– To a person/agency where transfer is necessary to perform duties
– To a law enforcement/regulatory agency when required for an investigation or for a licensing, certification, or regulatory process
– To another person/governmental organization for investigation of failure to comply with a law enforced by the agency

Examples of Paper Breaches

– Misdirected paper faxes with PHI/PCI outside of CDHS
– Loss or theft of paper documents containing PHI/PCI
– Mailings to incorrect providers or beneficiaries

Examples of Electronic Breaches

– Stolen, unencrypted laptops, hard drives, or PCs with PHI/PCI
– Stolen, unencrypted thumb drives with PHI/PCI
– Stolen briefcases with unencrypted compact discs containing PHI/PCI
– Misdirected electronic fax with PHI/PCI to a person outside of state government

California Anti-Identity Theft Law

Senate Bill 1386 (Chapter 915, Statutes of 2002) requires that any breach of security of computerized data that includes personal information must be disclosed to any resident of California:
– Applies to state agencies, persons or businesses that conduct business in California
– Applies when the resident’s personal information was unencrypted and was, or is reasonably believed to have been, acquired by an unauthorized person

Anti-Identity Theft/Breach Notification Statute (Civil Code sections and )

Requires notification to California residents when there is a breach of unencrypted electronic data containing the following personal information: the individual’s first name or first initial and last name in combination with any one or more of the following data elements:
– Social Security Number
– Driver’s license or California ID number
– Account number, credit or debit card number, in combination with security code, access code or password

Identity Thief #1

Specialized in cashing phony checks using her victims’ checking accounts. This highly productive identity thief was arrested with a virtual goody bag of stolen identities indicating a dozen or more recent victims:
– 15 fraudulent university ID cards
– 12 fraudulent driver licenses
– 14 checks to be drawn on various accounts
– Maps with directions to local area banks

Sentence: Over 13 years in prison

Identity Thief #2

When this identity thief was arrested, she had a number of items indicating her specialty was in committing fraud in large volumes:
– Several laptop computers
– An ID manufacturing machine
– An ID counterfeiting credit card machine
– 500 profiles of people (intended victims)

When arrested at the Phoenix airport, she had in her possession a plane ticket bought with a stolen credit card and several fake identifications.

Sentence: 2.5 years in prison

Identity Thief #3

This identity thief used his job at a local area auto dealer to obscure his real cash-making endeavor as an identity thief who created fake driver’s licenses. Identity thief #3 then sold them to other employees for $75 apiece. The fake IDs were then used to obtain loans on used vehicles on behalf of illegal immigrants.

Sentence: 2 years in prison

Timing

California law requires that the notice be made “in the most expedient time possible and without unreasonable delay.” Time may be allowed for law enforcement if the notification would impede a criminal investigation.

Reporting Privacy Breaches

CDHS employees and business associates must take immediate action and report all Privacy Breaches to:
– Your Supervisor
– CDHS Privacy Officer
– Information Security Officer

Privacy Breaches DO NOT include:
– Misdirected mail within CDHS
– E-mails transmitted from outside CDHS to the wrong address within CDHS, or unencrypted e-mails

Internal Reporting Procedures

1. Inform your manager or supervisor of an unauthorized disclosure or potential breach.
2. Send an e-mail to, or call, the Privacy Office with the following information:
– Brief description of the incident
– Date, time, and location of the incident
– Names of affected parties/witnesses
3. A written report to the CDHS Privacy Officer is required after the initial e-mail or call.
– Use the Privacy Breach Reporting Form to describe the incident, identify potential harm & determine a corrective action plan to prevent future occurrences

Please see Privacy Breach Reporting Form.

Privacy Office Procedures

1. Upon receipt of a report of a potential breach, the Privacy Office staff is responsible for notifying:
– Program Area’s Chief Deputy Director
– Deputy Director
– Assistant Deputy Director
– OLS Deputy Director
– Privacy Officer
– ISO (Rich Bayquen)
– Person who notified
– Agency
2. A complete investigation is then performed. The investigative team may include, but is not limited to, members of the CDHS Privacy Office, Audit & Investigations Division, & program staff.

Privacy Office Procedures (cont.)

3. The Privacy Office will work closely with program staff to perform the following:
a. Mitigation activities, including any legally required notification to beneficiaries (notification must be given to individuals in the most expedient time possible and without unreasonable delay)
b. Formal Corrective Action Plan
c. Remediation Efforts
d. Follow up to ensure all resolution activities are completed
e. Formal Agency Breach Report to close out the breach

Please see Agency Breach Report.

Office of Privacy Protection’s Notification Recommendations

Notification letter:
– Advise individuals of steps they can take to protect themselves against the possibility of identity theft
– Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union
– If they find suspicious activity on their credit reports, they should call their local police or sheriff and file an identity theft report
– Contact DMV (Fraud Hotline: ) to place a fraud alert on their driver’s license

California Office of Privacy Protection Recommendations available at:

Please see Sample Notification Letter.

Breach Contacts

Privacy Officer – Phone: (916) ; FAX: (916)
Information Security Officer – Phone: (916) or (800)