T R A I N I N G D H C S I N F O R M A T I O N

T R A I N I N G D H C S I N F O R M A T I O N
P R I V A C Y & S E C U R I T Y T R A I N I N G

CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES

PRIVACY OFFICER, Office of Legal Services (OLS) INFORMATION SECURITY OFFICER, Information Security Office (ISO) PRIVACY OFFICE Office of HIPAA Compliance (OHC)

INTRODUCTION Welcome to the DHCS Information Privacy & Security Training. This training is an annual requirement for all DHCS staff, as mandated by state and federal laws.

INTRODUCTION As one of the largest health plans in the country, Medi-Cal is responsible for the health records of over 7 million beneficiaries. This training discusses state and federal laws that regulate the privacy and protection of information, as necessary to carry out the Department’s workforce functions.

TRAINING OUTLINE TRAINING MODULES – There are 15 training modules. You must complete all of the modules before you log off or you will have to restart the training from the beginning. QUIZZES – After each of the training modules, you will be asked to complete quiz questions. You must answer each question correctly before receiving your Training Certificate and Acknowledgement Form. RESOURCES AND WEBSITE LINKS - There is a resource list provided at the end of the training with all the links and other resources used in this training. CERTIFICATE AND ACKNOWLEDGEMENT FORM – Before logging out of the training, print the Training Certificate and the Security and Confidentiality Acknowledgement form. Then sign the acknowledgment form. The originals go to your Manager/Supervisor. Please keep a copy of each for your records.

TRAINING MODULES INTRODUCTION HIPAA OVERVIEW STATE LAW
ADMINISTRATIVE SAFEGUARDS PHYSICAL SAFEGUARDS TECHNICAL SAFEGUARDS REMOTE ACCESS MINIMUM NECESSARY

TRAINING MODULES (CONTINUED)
USE AND DISCLOSURE ACCESS TO PATIENT RECORDS BREACHES OF CONFIDENTIAL INFORMATION SANCTIONS ROLES AND RESPONSIBILITIES SECURITY INCIDENT MANAGEMENT AND DISASTER DISCOVERY CLOSE

H I P A A O V E R V I E W

H I P A A The Health Insurance Portability and Accountability Act (HIPAA)was enacted by Congress in 1996 to improve the efficiency and effectiveness of our health care system by standardizing the electronic exchange and protection of administrative, financial, and health data.

W H Y H I P A A ? An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem. The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission. Musician Tammy Wynette’s medical records were sold to National Enquirer by a hospital employee for $2,610.

W H Y H I P A A ? Medical Identity Theft is a crime in which the thief uses someone’s identity to get access to medical services or goods. This may include using a name along with other information to get treatment and equipment. In 2010, it was reported that 5.8% of Americans were victims of Medical Identity Theft. Medical Identity Theft has a significantly higher average cost per victim than other types of identity theft. The average victim deals with more than $20,000 in costs associated with the crime and may have to pay out-of-pocket costs to have their health insurance restored.

PRIVACY & SECURITY The HIPAA PRIVACY RULE provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, it permits the disclosure of personal health information needed for patient care and other important purposes. The HIPAA SECURITY RULE specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

COVERED ENTITIES HIPAA applies to covered entities which include:
HEALTH PLANS HEALTH CARE PROVIDERS HEALTH CARE CLEARINGHOUSES BUSINESS ASSOCIATES (BAs) - any entity that handles protected health information during the normal course of doing business for a covered entity. (DHCS BAs include Kaiser, Anthem Blue Cross, LA Care, etc.)

BUSINESS ASSOCIATES Business Associates are persons or organizations that, on behalf of a covered entity, health plan or provider: Perform any function or activity covered by HIPAA Provide a service on behalf of a covered entity involving the transfer of PHI

PROTECTED HEALTH INFORMATION
Information protected under HIPAA is called P H I or Protected Health Information. Protected Health Information is defined as any information, in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that can be used to identify an individual.

DIRECT IDENTIFIERS HIPAA describes a list of 18 direct identifiers that, along with a name, constitute individually identifiable information. If you have any one of these identifiers in your health information dataset, along with a name, you have PHI and it must be safeguarded appropriately. For example: A name plus information that the person is on Medi-Cal would constitute PHI.

DIRECT IDENTIFIERS (Continued)
Name ddress – Street address, city, county, zip code, or other geographic codes Dates directly related to patient (except year), including DOB, admission or discharge date Telephone and/or FAX Numbers Driver’s License Number Addresses Social Security Number Medical ID Number / CIN Health Plan Beneficiary Number Account Number Certificate/License number Any vehicle or device serial number, including license plates Web Addresses (URLs) Internet Protocol Address Finger or Voice Prints Photographic Images Any other unique identifying number, characteristic, or code Age greater than 89

NOTICE of PRIVACY PRACTICES
HIPAA requires that a covered entity provide a NOTICE of PRIVACY PRACTICES (NPP) to its members. The NPP tells the members what rights they have under HIPAA, including the right to access their records, and how their information may be disclosed.

STATE LAW OVERVIEW

STATE LAW State law (the Information Practices Act) differs from Federal Law (HIPAA) in that it is more expansive. It covers more than Protected Health Information (PHI) and includes all Personal Information (PI).

PERSONAL INFORMATION State law establishes requirements for DHCS on the collection, maintenance, and dissemination of Personal Information. Personal Information (PI) means any information that is not public and maintained by an agency that identifies or describes an individual.

PERSONAL INFORMATION ( continued)
Examples of Personal Information include Names Social Security Number Physical Description Home Address Home Telephone Number Education Financial Matters Medical or Employment History Statements made by or attributed to the Individual

CONFIDENTIAL INFORMATION
Information maintained by the Department that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws is considered Confidential Information. All personal confidential information (PCI) is treated with the same privacy and protection as PHI / PII. Under state and federal Medicaid law, information can only be disclosed for purposes directly related to the administration of the Medi-Cal Program.

SENSITIVE INFORMATION
Sensitive Information is information maintained by the department that requires an assurance of accuracy and completeness, as well as special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. Though this information may not be individually identifiable, it must still be protected. Examples of sensitive information include: Department’s financial transactions, Budget Change Proposals, and regulatory actions.

OTHER STATE & FEDERAL LAWS
There are additional state and federal laws that protect certain categories of information, such as mental health information, HIV/AIDS status, and substance abuse (alcohol and drug) treatment. Before releasing information that falls in these categories to an outside entity, check with the DHCS Privacy Officer to be sure the release is legally permitted.

S A F E G U A R D S

S A F E G U A R D S Safeguards are used to protect PHI, PI, Confidential Information, and Sensitive Information. There are three types of safeguards: ADMINISTRATIVE PHYSICAL TECHNICAL

A D M I N I S T R A T I V E S A F E G U A R D S

ADMINISTRATIVE SAFEGUARDS
Administrative Safeguards are documented policies and procedures for day-to-day operations; managing the conduct of employees; accessing the state’s automated information systems and related devices; and managing the selection, development, and use of security controls.

ADMINISTRATIVE SAFEGUARDS
Some Administrative Safeguards include: Data Policy Information Privacy & Security Policies [e.g., SAM and HAM] Guidelines for employees who access Internet and/or Information Privacy & Security Awareness Training Banners warning against unauthorized use of information

ADMINISTRATIVE SAFEGUARDS HEALTH ADMINISTRATIVE MANUAL
Administrative Safeguards are identified in the Health Administrative Manual (HAM), which incorporates the Department’s information privacy and security policies and requirements of the State Administrative Manual (SAM). HAM Sections through cover Information Privacy and Security Policy.

ADMINISTRATIVE SAFEGUARDS HEALTH ADMINISTRATIVE MANUAL
Data Classification Employee Responsibilities Incident Reporting and Notification Internet/Electronic Mail Policy LAN Administrators Responsibilities Management Responsibilities Mobile Computing & Removable Storage Devices Policies found in the HAM include: Passwords Operational Recovery Planning Risk Management Safeguards and Destruction of PCI and Sensitive Information Security & Confidentiality Acknowledgment Training Requirements And more. . .

ADMINISTRATIVE SAFEGUARDS DATA POLICY
State and federal law, as well as Department policy, require that privacy and confidentiality of all personal, confidential and sensitive information, in whatever medium (oral, paper or electronic), be protected. The Department considers all information about individuals private, unless such information is determined to be a public record. It is Department policy to protect privacy and prevent the loss of information through accident, misuse, sabotage, criminal activity, or natural disaster.

ADMINISTRATIVE SAFEGUARDS DATA POLICY (continued)
The Department’s data release policy requires that a fully approved data release form be completed for all releases of confidential data to any entity outside DHCS. This applies to all documents in any media with PHI and PCI. Every division has a Data Release Coordinator who is responsible for completing the forms and getting the signatures of the Division Chief, Privacy Officer, Information Security Officer and Data Owner. The data policy also requires that when confidential data in physical form is received or sent to a different location, it must be logged on chain of custody logs.

ADMINISTRATIVE SAFEGUARDS WARNING BANNER
You will see the warning banner each time you power up your PC. All DHCS workforce members are bound by the terms contained in the warning banner at right. No expectation of privacy exists when using a state computer. Computer activity logs are maintained and reviewed on an ongoing basis. WARNING: This is a State of California computer system that is for official use by authorized users and is subject to being monitored and/or restricted at any time. Unauthorized or improper use of this system may result in administrative disciplinary action and/or civil and criminal penalties. By continuing to use this system, you indicate your awareness of, and consent to, these terms and conditions of use. LOG OFF IMMEDIATELY if you are not an authorized user or you do not agree to the conditions stated in this warning

P H Y S I C A L S A F E G U A R D S

PHYSICAL SAFEGUARDS Physical Safeguards are security measures for protecting the Department’s information systems and confidential information, as well as related buildings and equipment from environmental hazards and unauthorized intrusion

PHYSICAL SAFEGUARDS Some Physical Safeguards include:
Identification for all employees and visitors Locked desk drawers, cabinets, rooms, and buildings Shredding of confidential information Using caution when printing, faxing, and mailing Protecting mobile computing devices

PHYSICAL SAFEGUARDS BUILDING SECURITY
Administration Division Policy Memorandum DHCS outlines physical security at the East End Complex (EEC). All persons are required to wear identification at all times. Employees expecting visitors should notify security guards. Contact security guards if you see an individual with no badge (permanent or visitor). Do not hold or prop open secure doors for others. Immediately report lost or stolen employee badges to security staff and your supervisor.

PHYSICAL SAFEGUARDS UNATTENDED AREAS
Employees should never leave personal, confidential or sensitive information unattended, even for a few minutes, including during working hours. Unattended means that information and/or documents containing personal, confidential, or sensitive information are not locked up, or not within your sight. Another staff member who is authorized to see the information may watch your personal, confidential, or sensitive information if they are in the immediate area.

PHYSICAL SAFEGUARDS SECURING INFORMATION
HAM Section requires that personal, confidential, and sensitive information must be secured during non-working hours, even if the building is secure. For example: Put documents in a locked drawer or Put documents in a locked drawer or filing cabinet Do not leave personal, confidential or sensitive information unsecured in your office unless your office is locked Do not leave personal, confidential, or sensitive information visible on top or under your desk Do not leave keys to cabinets, drawers, or office doors in a desk or any obvious place.

PHYSICAL SAFEGUARDS CONFIDENTIAL DESTRUCT
When personal, confidential or sensitive information is no longer needed or required for business purposes, it must be secured and destroyed, and the destruction may require logging.

PHYSICAL SAFEGUARDS CONFIDENTIAL DESTRUCT (continued)
Do not keep personal, confidential, or sensitive information (paper or electronic) longer than is necessary or required for business purposes. Do not discard Department information at home, away from the Department, or in recycle bins or waste baskets. Do not store documents awaiting destruction in your cubicle or office unless secured (e.g., locked cabinets or locked office, etc.).

PHYSICAL SAFEGUARDS CONFIDENTIAL DESTRUCT (continued)
To prevent unauthorized access and misuse of PHI and PCI: Secure documents and electronic media awaiting destruction (e.g., locked cabinets or locked office, etc.). For paper documents use shredders or locked, grey, confidential destruction bins available throughout the Department. For electronic media (e.g., CDs, discs, thumb drives, etc) contact your LAN Administrator. NOTE: “Delete” or “Erase” are not sufficient to remove all remnants of data from electronic media; data must be removed or wiped from the device according to Department policy. Ask your supervisor if the destruction is required to be logged.

PHYSICAL SAFEGUARDS LOCKED CABINETS
Put documents in a locked drawer or filing cabinet. Do not leave keys to cabinets and drawers in desk or in any obvious place. Do not leave PHI/PCI/Sensitive Information visible on top of or under desks unless your office is locked. HAM states personal, confidential, and sensitive information must be locked during non-working hours even if the building is secure.

PHYSICAL SAFEGUARDS P R I N T I N G
Do not leave print outs with PHI/PI/Sensitive Information sitting on the printer. Deliver print outs to appropriate persons immediately or secure in your own desk.

PHYSICAL SAFEGUARDS F A X I N G
(HAM Section ) Notify the recipient prior to sending a fax. Verify the fax number. Use a cover page with a confidentiality statement. Do not leave a fax with personal, confidential or sensitive information in the fax machine

PHYSICAL SAFEGUARDS M A I L I N G
(HAM Section ) Verify the address. Personal, confidential or sensitive information should be placed in an envelope so that the information is not visible.

PHYSICAL SAFEGUARDS M A I L I N G (continued)
RECORD – Keep a record of what you’re sending, such that you could re-create the information and/or send notices if the data is lost or stolen. ENCRYPT - Ensure that personal, confidential or sensitive information on electronic media (e.g., disks, CDs, and other storage media) is encrypted before it is mailed. LOG - When confidential data in physical form (e.g., paper, CDs, etc.,) is received from or sent to a different location, it must be logged according to the Division’s procedures. TRACK – Use a delivery service with status tracking and delivery confirmation. For mailings with PHI or PCI of more than 500 individuals in a single package, use a delivery service.

PHYSICAL SAFEGUARDS O R A L COMMUNICATIONS
Take reasonable steps to protect the privacy of all verbal discussions or interpreted exchanges (e.g., sign language) involving Department-owned confidential, personal and sensitive information.

PHYSICAL SAFEGUARDS O R A L COMMUNICATIONS
Do not discuss Department-owned personal, confidential or sensitive information with those who do not need to know even if they work with you (e.g., co-workers, family, friends, etc.). Always verify the identity and authority of persons before you discuss or exchange information. When it is necessary to discuss personal, confidential or sensitive information, use enclosed offices, meeting rooms, or another location where unauthorized staff cannot overhear you.

PHYSICAL SAFEGUARDS REMOVING PHI / PCI from the DEPARTMENT
When authorized purposes, such as business travel, teleworking, offsite meetings, etc., require that you remove Department-owned data in any form: Only remove the minimum information necessary to get the job done. Use only Department-issued IT devices (e.g., laptops, CD’s, thumbdrives, etc) when taking this information off-site. All electronic data (e.g., laptops, CD’s, thumbdrives, etc.) must be encrypted. Keep a record of what you remove from the Department, such that you could re-create the information or send breach notices if the data is lost or stolen.

PHYSICAL SAFEGUARDS REMOVING PHI/PCI from the DEPARTMENT ( C o n t i n u e d )
Do not check documents or electronic devices in baggage on commercial airplanes. If documents need to be transported to remote locations, use a secure delivery method with a tracking system. NOTE: Whenever possible, use encrypted electronic devices rather than paper. While enroute and when unattended at hotels and/or other travel destinations, physically secure paper document and electronic devices where not visible, to prevent theft and unauthorized access, viewing, and/or use. Fully shut down (power off) laptops when unattended even in locked hotel rooms, meeting rooms, vehicle trunks, etc. Documents should be shredded as soon as possible when no longer needed. Do not store or discard DHCS information offsite.

PHYSICAL SAFEGUARDS MOBILE COMPUTING DEVICES
Examples of mobile devices: Laptops,Tablet PC, PC Notebooks, USB storage device PDAs, Palm, Blackberries, Trios, Camera phones Thumbdrives Memory sticks/cards

PHYSICAL SAFEGUARDS SECURITY of MOBILE COMPUTING DEVICES
All mobile devices must be encrypted and when taken off the worksite premises, must not be separated from employees at airports, automobiles, hotel rooms, etc. Do not leave mobile devices unsecured. When not being used, all mobile devices should be locked up. Cable lock laptop to an immovable surface.

T E C H N I C A L S A F E G U A R D S

TECHNICAL SAFEGUARDS USING UNIQUE PASSWORDS ENCRYPTION
Technical Safeguards are security measures that specify how to use technology to protect the information gathered, stored and transmitted from the Department’s electronic information systems, particularly by controlling access to it. Technical safeguards are accomplished, in part, by: USING UNIQUE PASSWORDS ENCRYPTION INTERNET CONTENT FILTERING LOCKING COMPUTER SCREENS LOGGING USER ACTIVITIES

TECHNICAL SAFEGUARDS DEPARTMENTAL LEVEL SAFEGUARDS
To protect and improve the networking environment, the Department implements many safeguards. Here are a few examples: Encryption – DHCS uses encryption standards that adhere to FIPS standards, such as AES 256bit. Internet Content Filtering - protects the network and its users from malicious Internet Web sites by blocking access, enforces the “appropriate use” guidelines of the Policy, reduces the Department’s liability for misconduct, and improves productivity. Anti-Virus Software – DHCS uses anti-virus software to detect and prevent malicious software. All users receive a message on their computer screen when their computer is being checked. If you think your computer has a virus, contact your LAN Administrator or call the IT Service Desk at (916) or (800) to receive guidance. Security Patches – installs critical software security patches. Computer Usage Audit Logging – all network activity is logged and monitored.

TECHNICAL SAFEGUARDS P A S S W O R D S
Best practice for creating a “strong” password: Avoid common references, e.g., your significant other’s name, pet’s name, birthday, favorite color, sequential (abc, 123, 5555), easy to guess, etc. Use a password that is at least eight (8) digits long Include at least three of the following: Upper Case Letters (A–Z) Lower Case Letters (a–z) Arabic Numerals (0-9) Non-alphanumeric characters (e.g., Do not use a word in the dictionary Have a unique password for each logon, and don’t use the same password for multiple systems

TECHNICAL SAFEGUARDS P A S S W O R D S
Employees are responsible for the confidentiality and security of their passwords (See HAM ). When using any Department or state system that requires you to log in and use a password, adhere to the following: Do not share your password with anyone (family, friends, manager, helpdesk, etc) Do not write your password down. Do not include your password in a data file, log-on script, or macro. Change your password at least every 60 days, or sooner if you suspect it has been compromised. Report any suspected unauthorized use of a password to your supervisor and the Information Security Office (ISO) immediately.

TECHNICAL SAFEGUARDS ENCRYPTION
Proper encryption protects electronic confidential information such that if it is obtained by an unauthorized person, it cannot be read and its loss will not be considered a data breach. Encryption is applicable to data at rest, and data in transit. DHCS uses encryption standards that adhere to FIPS standards, such as AES 256bit. DHCS requires that all IT equipment and any accompanying data storage media that are used to access, store, or transmit personal, sensitive, or confidential information must consistently employ full disk encryption or file encryption. IT equipment and accompanying data storage media includes, but is not limited to workstations, laptops, removable media and mobile/portable devices (such as, USB drives, floppies, CD/DVD, Blackberry, backup tapes, etc). Generally, all devices that can store data.

TECHNICAL SAFEGUARDS ENCRYPTION (CONTINUED)
DATA at REST– Protect confidential information on computer hard drives, laptops, mobile devices, and removable media. Use only Department issued devices to access, store, or transmit Department information. Validate the device has Department standard encryption in place before storing confidential data on it. Use of non-Department devices or non-standard encryption methods requires prior approval from your Branch Chief and the ISO Always “power-off” devices containing DHCS information, when they are unattended (e.g., vehicle trunks while traveling, hotel room, home office, etc.,). This way, even if the device is stolen the information cannot be read without the encryption password

TECHNICAL SAFEGUARDS [SECURE] E-MAIL ENCRYPTION TECHNOLOGY
DATA in TRANSIT - Encrypt messages while they travel from your computer to a computer outside the Department’s network. Insert “[secure]” in square brackets anywhere on the subject line. As soon as you click “Send” the is sent to a secure website and immediately encrypted. Even if it is intercepted by a third-party, they will not be able to read it because you must have access to a key (password) that enables you to decrypt it. If the recipient of your replies using the secure website reply button, their reply will automatically be encrypted Other approved methods of securing data in transit include HTTPS, and Secure FTP. Contact ISO if you need assistance.

TECHNICAL SAFEGUARDS SENDING PHI via E-MAIL
Always ensure delivery to intended recipient by checking address. Only send the minimum necessary PHI/PCI/Sensitive Information. Never send messages containing PHI/PCI/Sensitive Information outside of the Department unless you encrypt. Insert a confidentiality statement at the end of your

TECHNICAL SAFEGUARDS CONFIDENTIALITY STATEMENT
Below are examples of confidentiality statements that can be used with s, faxes and other documents: CONFIDENTIALITY NOTICE: The information contained in this document is confidential and is intended only to be viewed by the recipient(s) listed above. If you are not the intended recipient(s), you are hereby notified that any distribution or copying of this document is strictly prohibited. If you have received this document in error, please contact the sender listed above and destroy the document(s). CONFIDENTIALITY NOTICE: This facsimile transmission is intended only for the addressee shown above. It may contain information that is privileged, confidential, or otherwise protected from disclosure. Any review dissemination, or use of this transmission or any of its contents by persons other than the addressee is strictly prohibited. If you received this fax in error, please call the sender collect immediately and destroy the document(s). Thank you for your cooperation.

TECHNICAL SAFEGUARDS AUDIT LOGGING
All employee computer activity is logged and has an audit trail. This is in compliance with state and federal laws and policies, and as a matter of best practice for accountability. “Employees are granted access to the Department’s information to perform their job functions on a need to know basis. Employees shall have no expectation of privacy from Department monitoring and inspection in the use of Department resources…”

TECHNICAL SAFEGUARDS C O M P U T I N G E Q U I P M E N T
Use Ctrl-Alt-Delete to lock your computer before you leave it unattended. Store files on server/shared drives that are backed up; do not store on desktops. Do not use computer equipment for any unauthorized purposes.

TECHNICAL SAFEGUARDS L A P T O P S
Do not leave laptops unattended unless secure. When not in use, place laptop in lockable storage. Do not store PHI/PCI/Sensitive Information on a laptop unless it is encrypted. When taken off the worksite premises, cable lock laptop to an immovable surface or place in a secure location.

TECHNICAL SAFEGUARDS INTERNET / EMAIL RESOURCES
Department employees are granted access to Internet and resources to provide education, research, marketing, procurement, and service opportunities in the performance of their duties. Conduct all Internet and/or activities in a professional, lawful, and ethical manner. This includes the development of content for the Internet. Support the use of existing infrastructure, technologies, procedures and standards in using, developing, or making information available on the Internet. Employees shall be restricted from participating in mailing lists, discussion groups, newsgroups, list servers, or other interactive communications if such participation is excessive or is inhibiting overall network performance. Accessing a personal or private Internet Service Provider for personal use while using any state equipment, or using non-state equipment for conducting state business, does not release an employee from the responsibility of complying with this policy.

TECHNICAL SAFEGUARDS INTERNET / EMAIL RESOURCES (CONTINUED)
Examples of inappropriate use include, but are not limited to viewing, sending and/or downloading information that: Contains defamatory, false, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, or otherwise biased, discriminatory, illegal material. Violates agency or departmental regulations prohibiting sexual harassment, and/or discrimination. Restricts or inhibits other users from using the system or the efficiency of the computer systems. Uses departmental records for private gain, or divulges confidential departmental information or records unless officially authorized to do so. Only click on links in if the is work related, you are certain it came from a reliable source, or if you’re expecting the information.

TECHNICAL SAFEGUARDS MOBILE COMPUTING DEVICES
When authorized to use mobile devices, such as laptops, Tablet PC, PC Notebooks, USB storage devices, Blackberries, Flash Memory (memory sticks & cards), camera phones, etc.: Only download or store the minimum amount of PHI/PCI/sensitive information necessary to get the job done. NOTE: Do not download or store social security numbers (SSN) unless absolutely necessary and only if the mobile device is encrypted. Use only Department issued IT equipment. All non-state mobile computing devices require approval by your Branch Chief and the ISO before being connected to the network. Encrypt all mobile devices or data. Laptops must be connected to the network once every 30 days, in order to download latest security updates.

TECHNICAL SAFEGUARDS REMEMBER
Tips to Remember when accessing DHCS information resources: Always lock up paper documents and encrypt electronic media containing personal, confidential, and sensitive information. Follow paper and electronic media destruction procedures. Don’t use unsecured wireless networks. Don’t download personal files and don’t check home accounts. If your job requires use of a social network website, don’t post any PHI/PCI or sensitive Department information on it. Use only authorized software. Using non-standard software requires prior approval to ensure software is secure and to prevent violations of licensing and copyright infringement laws.

R E M O T E A C C E S S

REMOTE ACCESS Remote Access involves using an externally located computer (e.g. home, hotel) to access DHCS , documents, and applications. Remote access is most commonly used after hours, when travelling, or when teleworking (i.e., working from home). Remote access is provided by one of the following DHCS systems: Outlook Web Access (OWA): Access to , no licensing cost Citrix: Access to , folders and applications, licensing cost involved

RISKS of OWA You should be aware of the information security risks associated with the two DHCS remote access methods: Remote Access Method Licensing Costs Features Data Security Level Two Factor Available Outlook Web Access (OWA) No Limited, Browser based , Calendar, & Contacts Very Weak Citrix Yes Full Featured Outlook, Folders, SharePoint & more Very High While free, OWA has a much higher risk of your password being stolen by hidden malware called a keylogger. If you have confidential data in your , it’s recommended that you not use OWA unless from a DHCS issued laptop. Note: While not considered “remote access”, a DHCS managed Blackberry is a highly secure alternative to these methods, if your only needs are , calendar, and contacts.

POTENTIAL RISKS Remote access, while useful, also carries potential risks to both DHCS information assets, and the information assets of other business associates whose data is in DHCS custody. Inappropriate exposure of confidential information to others may trigger federal and state breach notification laws. If triggered, DHCS is required to notify the appropriate authorities along with a press release. Violation of policies may also lead to employee disciplinary action. Areas of concern include the following: Inadvertent exposure of information to visitors, family, friends, etc. Lost or stolen media, devices, or paper Improper disposal of media and paper documents Malicious software on non-DHCS computer that steals data

DOWNLOAD DANGERS In this training, “data” refers to confidential/sensitive information, in both electronic and paper form. Minimize downloading or taking any DHCS data outside the workplace. Do not download DHCS data onto non-DHCS owned computers or mobile devices. This includes transferring data via thumbdrives, CD’s, etc. Do not DHCS data to personal or other personally owned systems. If uncertain what is permissible, consult with your supervisor or the Information Security Office (ISO)

DATA SECURITY Data in your possession (e.g., electronic, paper documents, or data visible on your computer screen, etc.,) must be secured from unauthorized access, including family members and friends. When left unattended, secure data in locked cabinets, locked drawers, locked rooms. Do not leave in unattended vehicles or other locations where it may be easily stolen. When using a mobile computer, use of a computer cable lock is recommended.

PAPER PRECAUTIONS Paper documents are high risk because they cannot be encrypted. Avoid printing documents or taking paperwork offsite unless absolutely necessary. Documents should be shredded as soon as possible when no longer needed. Work related documents should be kept in a separate location from any personal documents.

COMPUTER SECURITY Up to date Antivirus signatures
Non-DHCS computers (personally-owned, libraries, hotels, etc) are at an increased risk of having hidden, malicious software or “malware”, which is capable of stealing passwords and data and secretly logging all keystrokes (“keylogger”). If using a home computer for remote access, ensure it has the following Up to date Antivirus signatures Monthly installed Security Installed software or hardware firewall

TECHINICAL REQUIREMENTS
Ensure you have an active firewall to protect the computer from Internet based attacks. Software firewalls are included with Windows. Hardware firewalls (typically built into a “router”) are supplied by your internet provider or purchased. For personally owned computers, setup automatic installation or notification of security patches, and ensure you update software such as Adobe Acrobat and Firefox on a monthly basis. DHCS issued laptops must be reconnected to the DHCS network on a monthly basis to receive updates. Do not use unsecured, open wireless networks.

SECURING THE COMPUTER SCREEN
It’s important to secure your remote access session from unauthorized access. Password protect your computer screen when away from the computer by logging off, or using a screen lock password known only to you. Do not depend on the automatic timeout lock (Windows logo key + “L”, locks immediately). If it’s suspected that someone viewed your password or watched you type it in, immediately change your password. Choose difficult to guess passwords that are 8 characters or more, not in the dictionary of any language, and not similar to previous passwords.

SOCIAL ENGINEERING PRECAUTIONS
A common technique by hackers is to attempt to trick you by posing as an administrator or other person of authority. Do not trust any individual who claims authority to access your data or password. Passwords should never be shared. Do not click on links or attachments in unless you are expecting the or can validate it’s authentic. Do not click on links unless its work related and necessary to do so, the website may be fake. If you have any doubt, contact the Information Security Office before complying with their request

R E M E M B E R Remote Access security controls and policies protect DHCS data, and avoid state and federal law violations. Ignoring, disabling, or working around DHCS security controls or policies can be grounds for disciplinary action. Remember that system logs retain a record of your activities. If you are unable to perform your job duties within the existing DHCS security controls, contact your supervisor or the DHCS Information Security Office for guidance.

REMOTE CONTROL FEATURE
Most computers have a feature that allows technical support organizations to take remote control of your PC. This should not be allowed at the same time you are in a remote access session with DHCS because the technical support professional can see everything on your screen.

SECURITY INCIDENTS If a breach of security is suspected, you must immediately report it to the DHCS Information Security Office If you suspect DHCS confidential or sensitive data was viewed or received by an unauthorized individual, you must also notify the DHCS Privacy Office Make sure to keep your Manager or Supervisor informed.

M I N I M U M N E C E S S A R Y

MINIMUM NECESSARY Minimum necessary is a concept in HIPAA that ensures that the disclosure of PHI is limited to the minimum amount necessary in order to minimize risk to the security of data. When disclosing PHI or PII: Use the minimum amount of information necessary Request the minimum amount of information necessary Disclose the minimum amount of information necessary Department staff access should be specific based upon the operational needs of each unit.

MINIMIZING USE Staff should only request to inspect PHI necessary for job function, not the entire record, unless needed. Copy only relevant parts of PHI. Redact (blackout) PHI not relevant to the requested information. Example: SSNs on applications that are copied and placed in files where the SSN is not needed should be blacked out.

MINIMIZING REQUEST & DISCLOSURE
When Minimum Necessary does NOT apply: Health care provider for treatment -Doctors can share entire medical charts to care for a patient Individual who is the subject. -Patients have the right to access all of their medical record. Pursuant to an individual’s authorization. -A patient can authorize any part or all of their medical record to be given to another party. Disclosures to the Secretary of Health & Human Services. When a disclosure is required by law, such as in response to a court order or subpoena.

U S E and D I S C L O S U R E of P H I and P C I
HIPAA MEDICAID & STATE LAW

U S E and D I S C L O S U R E of P H I under:
H I P A A

USE & DISCLOSURE U S E is the sharing, application, utilization, examination, or analysis of protected health information within a covered health plan or provider which maintains the information. D I S C L O S U R E is the release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information

DISCLOSURES OF DATA Managers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of federal or state laws or regulations or Department policies. All external data releases require approvals from a Data Release Coordinator, the Data Owner, Privacy Officer, and Information Security Officer. See HAM Section

TYPES OF USE & DISCLOSURE
Permitted uses & disclosures are allowed by HIPAA without the patient’s consent or authorization, and include: TREATMENT PAYMENT HEALTH CARE OPERATIONS HEALTH OVERSIGHT PUBLIC HEALTH Required disclosures are mandated by HIPAA. NOTE: If stricter state or federal laws for a specific program regarding use and disclosure exists, the more stringent law must be followed.

You May Use or Disclose PHI for TREATMENT
Treatment is providing health care to an individual by a health care provider. Treatment only applies to health care providers. Minimum Necessary does NOT apply.

You May Use or Disclose PHI for PAYMENT
Payment is the compensation for services and include activities to obtain: Premiums if you are a health plan Money for services if you are a provider Minimum necessary applies

You May Use or Disclose PHI for HEALTH CARE OPERATIONS
Health Care Operations (HCO) are those activities that support treatment and payment. For example: Prior Authorizations Internal Auditing Management Reviews Administrative Appeals Minimum Necessary applies

OTHER HIPAA PERMITTED DISCLOSURES
To Health Oversight Agencies - That are authorized by law to conduct certain oversight activities. - Examples: Department of Justice, Federal Bureau of Investigation, Office Inspector General, Medical Board, Dental Board To Public Health Authorities - That are authorized by law for the purpose of preventing or controlling disease, injury or disability

REQUIRED DISCLOSURES Disclosures must be made to:
Individuals requesting a copy of their own PHI Secretary of the U.S. Department of Health and Human Services

JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512 (e))
When the Department is a plaintiff or defendant in a lawsuit, PHI may be disclosed as part of program operations. Program rules for disclosures apply, such as Minimum Necessary

JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512 (e))
Permissible Disclosures of PHI, where it may be disclosed: In response to an order of a court or administrative tribunal when DHCS is not a party. In response to a subpoena, discovery request, or other lawful process if reasonable efforts have been made to ensure that the individual has been given notice of the request or reasonable efforts have been made to secure a qualified protective order.

U S E and D I S C L O S U R E of P H I under: MEDICAID & STATE LAW

PREEMPTION (45 CFR Subpart B)
HIPAA Privacy Rule is a national floor of privacy protection; it does not preempt the field in medical privacy. If there is a state statute or regulation which: 1) Affords greater protection to an individuals’ privacy, or 2) Provides a greater right to the individual to access their own records. THEN that law prevails over HIPAA.

Medicaid Law (Welf. + Inst. Code 14100.2) USES & DISCLOSURES
Medi-Cal uses and disclosures are limited to: - The individual regarding his/her own PHI - Purposes directly connected to the administration of the Medi-Cal Program Purposes directly connected to Medi-Cal administration include: -Determining eligibility and reimbursement -Providing services to recipients -Conducting or assisting investigations, prosecutions or proceedings related to Medi-Cal -Third Party Liability activities -Audits and legislative investigations

MEDI-CAL SUBPOENAS The Medi-Cal Program does not usually respond to subpoenas for PHI: Unless it directly relates to the administration of Medi-Cal, or: Unless it is required by a court order Suggest the individual beneficiary / personal representative requests the PHI through the individual Access Policy (See the Notice of Privacy Practices)

RELEASES TO RESEARCHERS
RESEARCH means a systematic investigation designed to develop or contribute to generalizable knowledge. If contacted by a researcher, you must immediately refer them to the Data and Research Committee. Program evaluation may become research when the contractor intends to publish the results. Research proposals involving Department data and/or beneficiaries need to be approved by the Committee for Protection of Human Subjects (CPHS) in the Health & Human Services Agency.

CALIFORNIA CIVIL CODE (1798.24)
A State Agency may release PCI: To the individual to whom record pertains With prior written voluntary consent To the guardian or conservator or authorized representative, if documented To a governmental entity when required by law Pursuant to the Public Records Act For compelling health or safety reasons Subpoena or court order if agency attempts to notify individual beforehand To law enforcement or regulatory agency Research

DISCLOSURES of CONFIDENTIAL DATA
Managers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of Federal or State laws/regulations, or Department policies. All external data releases require completion of a Data Release Coordinator, the Data Owner, Privacy Officer, and Information Security Officer. Some programs have additional requirements for use and disclosures. Check with your manager/supervisor and Privacy Office if you have additional questions.

A C C E S S T O B E N E F I C I A R Y R E C O R D S

RIGHT TO ACCESS Individuals have a right to access information about themselves that is maintained by any health plan, provider or the Department. The Department must provide access or make copies of the records it creates or maintains, and mail to the individual upon request.

EXAMPLES OF DEPARTMENTAL MEDICAL RECORDS
Claim Detail Report (CDR) Surveillance Utilization Review Subsystem (SURS) Treatment Authorization Request (TAR) Managed Care Records (premium payments, enrollment records) Medical Case Management Records Enrollment/Disenrollment forms Application Forms Eligibility Records

ACCESS ASSIGNMENTS For Medi-Cal, access is granted as follows:
Electronic Data Systems (EDS) Claim Detail Reports (CDR)/SURS Medi-Cal Operations TARS, Medical Case Management, etc. Managed Care Managed Care Records Medi-Cal Dental Services Branch Medi-Cal Dental Records Third Party Liability (TPL) CDR information dated back 10 years in microfiche and/or cold storage Eligibility Division Eligibility Records

WHO MAY ACCESS MEDICAL RECORDS?
INDIVIDUALS (beneficiaries, patients, clients) participating in a health plan or program in the Department will receive a Notice of Privacy Practices (NPP) telling them how to access their records An Authorized Requestor may also access a beneficiary’s records with proper legal authority NOTE: State laws should be examined with regard to minors. See Access Policy and Family Code for discussion

REQUEST FOR ACCESS TO PHI
The Department requires that requests for access be in writing using an Access form found on the Privacy Office website: Requests for Access by an Individual require a 6236 Access Form Requests for Access by a parent, guardian, executor of will, conservator or person with medical power of attorney require a 6237 Access Form Authorizations for personal representatives (including legislator, requests from the governor’s office) require a 6247 Authorization Form

AUTHORIZATIONS FOR PHI ACCESS
6247 AUTHORIZATIONS are required for disclosures of PHI to personal representatives or entities for purposes outside of permitted and required uses and disclosures The individual has a right to revoke a previous authorization No one can make an individual sign an authorization as a condition for treatment A personal representative may sign for a minor child, incompetent adult, or deceased beneficiary

HIPAA VALID AUTHORIZATIONS
The 6247 authorization form must include: Patient/Beneficiary information Description of PHI Who the PHI is to go to The purpose for the requested PHI Expiration date of the authorization The signature of the individual whose PHI is being requested Copy of beneficiary identification or notarized patient/beneficiary signature

REQUEST FOR PHI ACCESS The Department:
Will respond to individual requests within 30 days after receiving the request Will require proof of identity and address of requestor May charge fee for copying Authorized Requestor shall be treated like the individual with regard to access to the relevant information but must have proper authorization, regardless of their title of designation. Before fulfilling a request for beneficiary information, each of the sections on the form must be filled out and proper identification must be shown.

REQUEST FOR PHI ACCESS After releasing beneficiary information to any person or entity external to DHCS, DHCS programs should document the release including the date of release; beneficiary’s name, address, and phone number; and the MEDS ID, CIN, or SSN type of information that was released. Releases to other divisions with DHCS do not require documentation (though it is always a good business practice). Sample Access Request Log (Also available on DHCS Privacy Office Website ‘Employee’s Use section’): Date of Valid Request Requestor Requestor’s Address Requestor’s Phone # Beneficiary/Patient Name CIN# Type of Information Date of Release 1/1/2011 John Smith 1 Main St. Joe Smith TAR 1/15/2011

VERIFICATION OF IDENTITY FOR TELEPHONE REQUESTS
Requests for information via the phone may be accepted. However, all individuals requesting information must be verified for the right to obtain that information. If an individual beneficiary is calling: Ask for information you have available on file such as the Medi-Cal ID card, SSN, date of birth, phone number and address. Use professional judgment when disclosing PH over the phone. If a provider is calling: Verify that belongs to the provider that is calling.

IN CASE OF EMERGENCY If a program beneficiary is incapacitated and unable to consent, If there is an emergency requiring immediate care, and If in supervisor’s professional judgment, disclosure is in the best interest of the beneficiary THEN, the program may disclose PHI to any of the following over the telephone without the beneficiary’s consent: A family member, other relative, close friend of the beneficiary Other person where PHI is directly related to their involvement in care or payment for the beneficiary

BREACHES OF CONFIDENTIAL INFORMATION

RESPONSIBILITY & PREVENTION
With the growing rate of identity theft, laws continue to emerge to protect individuals’ information. It is everyone’s responsibility in the Department to protect the confidential information we collect and maintain in order to avoid breaches of information.

P R I V A C Y B R E A C H A privacy breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws. Federal: HIPAA Privacy Rule State: California Civil Code 1798 Privacy Breaches may be paper or electronic and may occur when information is transmitted to an unintended or unauthorized recipient

EXAMPLES OF PAPER BREACHES
Misdirected paper faxes with PHI/PCI outside of the Department Loss or theft of paper documents containing PHI/PCI Mailings with PHI/PCI to incorrect providers or beneficiaries

EXAMPLES OF ELECTRONIC BREACHES
Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI. Stolen, unencrypted thumb drives with PHI/PCI. Misdirected electronic fax with PHI/PCI to person outside of authorized state government.

IMMEDIATE ACTION REQUIRED
Federal and State law require that if there is a breach of PHI/PCI, notice must be given to the affected individuals “in the most expedient time possible and without unreasonable delay” is there is a “significant / substantial risk of harm”. Managers/Supervisors/Staff must take action to report suspected breaches IMMEDIATELY.

REPORTING PRIVACY BREACHES
DHCS employees must take immediate action and report (by phone or ) all privacy breaches to: Your Supervisor DHCS Privacy Office Phone: (916) Fax: (916) DHCS Information Security Office Phone: (916) (IT Service Desk)

PRIVACY COMPLAINTS Individuals have the right to complain about a violation of Privacy or Security policy, whether they are a patient, member of the workforce, or other business associate. The DHCS Privacy Office handles all complaints from Medi-Cal beneficiaries and employees and treats all allegations of privacy violations seriously. They investigate a variety of complaints regarding suspected misuse, disclosure or disposal of PHI/PCI/Sensitive information. DHCS Privacy Office Phone: (916) Complaints should be filed on the DHCS Complaint Form The information will remain confidential to the extent possible.

S A N C T I O N S

S A N C T I O N S HIPAA requires the Department to develop sanctions for employee violations of privacy and security policies and procedures. Sanctions associated with violations of Department privacy and security policies will be pursued within the state disciplinary process. There are civil and criminal penalties for violating provisions of the HIPAA Privacy and Security Rules as well as State Law.

STATE DISCIPLINARY PROCESS
In order to hold an employee accountable for violation of any policy or procedure, employees must receive adequate training on the policies and procedures. State Disciplinary System calls for three phases of discipline: 1) Prevention 2) Corrective Action 3) Disciplinary or Adverse Actions

CIVIL & CRIMINAL PENALTIES
HIPAA civil money penalties apply to covered entities and its employees. $100 - $50,000 or more for single violation, up to $1,500,000 for multiple violations in 1 year. Criminal Penalties for knowingly obtaining, using or disclosing PHI in violation of HIPAA. Fine up to $50,000, imprisonment up to 1 year or both. Under false pretenses, fine up to $100,000, imprisonment up to 5 years or both. Intent to sell, transfer or use PHI for commercial advantage, personal gain, or malicious harm, fine up to $250,000, imprisonment up to 10 years, or both.

EXAMPLES OF EMPLOYEE VIOLATIONS
Employee discusses the name of a beneficiary with friends Employee uses PHI to Send a Birthday Card Employee sells names and addresses from MEDS or any system containing confidential information to a Marketing Firm Employee gets confidential medical information from MEDS about an ex-spouse and uses or discloses it for personal reasons Employee takes or sends protected information in an unencrypted format or without approval, regardless of the reason

R O L E S a n d R E S P O N S I B I L I T I E S

ROLES & RESPONSIBILITIES
EVERYONE in the Department has a role and responsibility to protect the personal, confidential and sensitive information collected and stored by the Department.

The Director has ultimate responsibility for information technology (IT) security, risk management, and privacy within the Department. The Director is responsible for the implementation of, and compliance with, the state security policy and is accountable for the computerized information resources held by the Department. The Director is also responsible for the integrity of computerized information resources and the authorization of access to those resources. However, all Department employees share in this responsibility.

The Department’s Chief Information Officer (CIO), Information Technology Division, is responsible for technical management of all aspects of the Department’s information resources and IT systems. This includes: Implementing the necessary technical safeguards to preserve the security, privacy, and integrity of the Department’s information assets and manage the risks associated with those assets Acting as a custodian of information

The Privacy Officer (PO) is responsible for the privacy of all data maintained by the Department and for compliance with state and federal privacy laws, including the HIPAA, the Medicaid Act, and the IPA. The PO is responsible for creation and maintenance of privacy policies related Department confidential data. The PO approves corrective action plans when privacy incidents and breaches occur involving confidential Department data.

The Chief of the Privacy Office (Chief) manages the Privacy Office and its staff. The Chief is responsible for all operational aspects of the Privacy Office. The Privacy Office responds to addressed to The Privacy Office investigates breaches involving unauthorized disclosure of confidential information and is responsible for training all Department staff on privacy and security standards. The Privacy Office processes privacy complaints related to the Medi-Cal Program and performs internal and external privacy audits.

The Information Security Officer (ISO) has oversight responsibility at the Department level for ensuring the integrity and security of automated and paper files, databases, and computer systems. The ISO is required to oversee Department compliance with policies and procedures regarding the security of information assets. The ISO is also responsible for the training of employees to comply with the state, federal and Department Policy Information Security requirements.

Managers/Supervisors are responsible for: Authorizing access to PHI/PCI/Sensitive Information Authorizing access to various IT systems Providing and routinely discussing policies with staff Enforcing compliance with policy Taking appropriate action for non-compliance Ensuring staff complete Information Privacy and Security Training and maintaining copies of: ‘Training Certificates of Completion’ ‘Security & Confidentiality Acknowledgment’ (signed annually by each employee)

All Employees are responsible for the security of their assigned Department rsources (i.e. desktop, laptop, mobile devices, etc.) and the information in their control. This includes: Using due care to preserve data integrity and confidentiality when accessing Department information. Taking appropriate precautions to prevent unauthorized access or destruction of the Department’s information. Using Department assets and resources for business purposes. Completing the annual Information Privacy and Security Training and signing the Certificate of Completion. Annually reading and signing the Security & Confidentiality Acknowledgment form and giving it to your supervisor.

All employees are required to read the Information Privacy & Security Policy found at HAM et seq., and employees must annually sign the Security and Confidentiality Acknowledgment form (See HAM ). Managers/Supervisors are required to maintain the original signed Security and Confidentiality Acknowledgement forms in their unit files for all their employees using or otherwise having access to the Department’s information.

SECURITY INCIDENT MANAGEMENT & DISASTER RECOVERY

SECURITY INCIDENTS & BREACHES
A security incident is an actual or suspected occurrence of: Damage, destruction, unauthorized access or disclosure of Department equipment or information Theft, or even attempted theft, or loss of Department equipment or information Fraud, embezzlement, misuse or inappropriate use of state property Apparent detection of a computer virus on a state computer For example, theft of a computer or other IT equipment or device is a security incident and must be reported to the Information Security Office (ISO) immediately. It must be determined if the computer contained PHI/PCI/sensitive information, and whether it was encrypted. If PHI/PCI/sensitive information was present, the incident may also be a breach of confidential information and must be reported to the Department’s Privacy Office. The Privacy Office is responsible for directing notification to the individuals whose information was breached.

SECURITY INCIDENTS & BREACHES (CONTINUED)
Suspected or actual incidents involving PHI/PCI/Sensitive information include, but are not limited to, the following: Faxes or s to incorrect providers, organizations, beneficiaries, or individuals. Mis-sent or lost documents or any form of protected information Unauthorized viewing, access, or disclosure Mailings to incorrect providers, organizations, beneficiaries, or individuals. Unencrypted s Disclosures greater than minimum necessary Password sharing Report all suspected or actual incidents involving PHI/PCI/Sensitive information to the Information Security Office and Privacy Office immediately.

REPORTING Federal and State regulations require the Department to follow specified notification and reporting processes when security incidents and / or privacy breaches occur. “…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.”

REPORTING DIRECTIONS Notify your manager/supervisor immediately. The manager/supervisor shall notify the Division Chief via the chain of command. Report it to the ISO immediately, using one of the following: or Call the IT Service Desk (M-F 8am-5pm) (916) or (800) Report it to the Privacy Office immediately, using: Report the following information: Name and title, Division/Program Contact phone number and address The primary business processes involved How the incident was carried out, if known The steps that have been taken to mitigate or remediate the incident What evidence is available to assist in the investigation. Remain available at your contact phone number for consultation.

DISASTER PREPAREDNESS
Another kind of incident is a large-scale disaster (such as flood, fire, earthquake, etc.). In the event of a disaster, the Department will implement its Disaster Recovery Plan to provide for continuity of critical business functions. Employee safety and security is a top priority in implementing a successful plan. For instructions during such an emergency, employees should call: Emergency Information Hotline DHCS (8 6 6) – In addition, make sure you are personally and professionally prepared for an emergency. Imagine being unable to get into your building/office for 30 days. Items to consider… Staff and co-worker’s personal contact information Customer contact information If authorized, know how to get to State resources such as Outlook Web Access for and Citrix for application access

DISASTER PREPAREDNESS AT HOME
On a personal level, consider: Meeting with your family to discuss how to prepare and respond to a disaster Planning how your family will stay in contact if separated Completing these steps: Post emergency numbers on each phone Show responsible family members where to shut off utilities Install (and test) smoke detectors on each level of your home Contact your local fire department and learn about in-home fire hazards Learn first aid and CPR Meeting with your neighbors and plan how the neighborhood could work together after a disaster Knowing your neighbor’s skills (medical, technical) Special needs such as elderly, disabled, or child care

C L O S E

R E V I E W Read Chapter 6 in the HAM. Read and understand your division’s operational policies and procedures. Your supervisor can provide these for you. Familiarize yourself with the content of each website reference.

Q U E S T I O N S Read the Notice of Privacy Practices for your program. Discuss the situation with your manager or supervisor. Contact the DHCS Privacy Office Phone: (916)

WEBSITE REFERENCES Please print the next three screens as a resource to find manuals, documentation, and forms that have been referenced in this presentation. Privacy Office website: Information Security Office website: Notice of Privacy Practices:

WEBSITE REFERENCES The DHCS Privacy Incident Report formis available on the Privacy Office website. On the Privacy Office website, you can also find forms for: Access (6236), Amendment (6238), Complaint (6242), and Authorization (6247) Department of Health & Human Services FAQ: East End Security: 28.pdf Federal Office for Civil Rights HIPAA Homepage (Enforcement, Privacy & Security Rules):

WEBSITE REFERENCES California Office of Privacy Protection: Secure Encryption Centers for Medicare and Medicaid Services Homepage: Emergency Information Hotline DHCS: 1 – – –

INFORMATION PRIVACY & SECURITY
T R A I N I N G

CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES

T h e E N D

T R A I N I N G D H C S I N F O R M A T I O N

Similar presentations

Presentation on theme: "T R A I N I N G D H C S I N F O R M A T I O N"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

T R A I N I N G D H C S I N F O R M A T I O N

Similar presentations

Presentation on theme: "T R A I N I N G D H C S I N F O R M A T I O N"— Presentation transcript:

Similar presentations

About project

Feedback