Presented by: Roberta Ward CDHS Privacy Officer Phone: (916) 440-7750 www.dhs.ca.gov/privacyoffice
  • Slide 1
  • Presented by: Roberta Ward CDHS Privacy Officer Phone: (916) 440-7750 www.dhs.ca.gov/privacyoffice
  • Slide 2
  • Before We Begin
    • Please write on your paper the following:
    • Your name
    • Your date of birth
    • Your height
    • Your weight
    • One medical condition that you have (examples: allergies, migraines, heart palpitations)
  • Slide 3
  • Privacy Breach
    • A Privacy Breach is an unauthorized disclosure of PHI/PCI that violates either federal or state law
    • Federal: HIPAA Privacy Rule
    • State: Information Practices Act of 1977
    • Privacy Breaches may be paper or electronic
    • Electronic breaches involving a name plus Social Security number, DMV (driver's license or ID) number, or financial account number require individual notification by law
    • CDHS also notifies individuals when a name and SSN are exposed on paper documents
  • Slide 4
  • What is PHI?
    • PHI is information that identifies, or can be used to identify, an individual and that relates to the:
    • Past, present or future health condition of that individual
    • Health care provided to that individual
    • Payment for that health care
    • Information in any form, including paper, electronic (ePHI), and oral communications
  • Slide 5
  • What Constitutes PHI: 18 Identifiers
    • Name
    • Address: street address, city, county, ZIP code (beyond the initial three digits) or other geographic codes
    • Dates directly related to the patient (except year), including DOB, admission or discharge date
    • Telephone and fax numbers
    • Driver's license number
    • Email addresses
    • Social Security number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate/license number
    • Any vehicle or device serial number, including license plates
    • Web addresses (URLs)
    • Internet Protocol (IP) address
    • Finger or voice prints
    • Photographic images
    • Any other unique identifying number, characteristic, or code
    • Age greater than 89 (as the 90-and-over population is relatively small)
  • Slide 6
  • What is NOT PHI?
    • De-identified data is NOT covered by HIPAA
    • HIPAA does NOT cover: employee records, workers' compensation records, records about providers
    • HOWEVER, CDHS considers all three of these personal confidential information (PCI), which must therefore be safeguarded in the same manner as PHI
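The 18-identifier list and the point that properly de-identified data falls outside HIPAA translate into a concrete check a data custodian can run before releasing a dataset. The block below is an added example, not code from the CDHS presentation: it applies the HIPAA Safe Harbor de-identification rules (45 CFR 164.514(b)(2)) to one record. Direct identifiers are dropped outright, ZIP codes are generalized to their initial three digits (or 000 for sparsely populated prefixes), other dates keep only the year, ages over 89 collapse to "90+" with no birth year retained, and free-text fields are scanned for identifiers that survive field-level scrubbing. The field names, the regular expressions and the sample record (which uses the fields from the "Before We Begin" exercise) are constructed for this example; the low-population ZIP prefix list is the one HHS published from 2000 census data.

```python
"""Safe Harbor de-identification of a single record.

Added example; not part of the CDHS presentation. Field names, regexes and
the sample record are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers are removed outright: Safe Harbor allows no generalised
# form of a name, street address, phone/fax, email, SSN, MRN, account number,
# IP/URL, biometric or photo.
DIRECT_ID_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "drivers_license", "mrn", "health_plan_id", "account_number",
    "certificate_number", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in the
# 2000 census (HHS Safe Harbor guidance); these must be replaced by 000.
LOW_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifier patterns that hide inside free text such as clinical notes
# (constructed for this example; tune to the data you actually hold).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_zip(zip_code):
    """Keep the initial three digits, or 000 for a sparsely populated prefix."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def scrub_text(text):
    """Replace identifier patterns in free text; return (clean_text, labels found)."""
    found = []
    for label, pattern in TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{label.upper()} REMOVED]", text)
        if count:
            found.append(label)
    return text, found


def deidentify(record, as_of):
    """Apply Safe Harbor to one record. Returns (clean_record, list of removals)."""
    clean, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_ID_FIELDS:
            removed.append(field)
        elif field == "zip":
            clean["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                clean["age"] = "90+"        # no birth year: it would reveal the age
            else:
                clean["age"] = age
                clean["birth_year"] = value.year
        elif isinstance(value, date):
            clean[field + "_year"] = value.year   # other dates keep only the year
        elif isinstance(value, str):
            clean[field], found = scrub_text(value)
            removed.extend(f"{field}:{label}" for label in found)
        else:
            clean[field] = value
    return clean, removed


# Constructed sample record: the "Before We Begin" fields plus a ZIP, an
# admission date and a free-text note containing a phone number and an email.
SAMPLE = {
    "name": "Jane Example",
    "dob": date(1915, 5, 2),
    "zip": "03601",
    "height_cm": 160,
    "weight_kg": 58,
    "condition": "migraines",
    "admission": date(2006, 3, 15),
    "notes": "Pt phoned from (916) 555-0123; send summary to jane@example.org",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE, date(2006, 6, 1))
    print(clean)
    print("removed:", removed)
```

Two things the field-level rules alone would miss are worth noting: a birth year for a 90-year-old is itself an identifier under the age rule, so the record keeps only "90+", and identifiers inside free text are the usual way PHI leaks out of an otherwise scrubbed extract, which is why the note field is scanned separately and the labels of what was found are reported back.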
  • Slide 7
  • Personal Confidential Information (PCI)
    • Information that is not public and that identifies or describes an individual, including: names, home addresses, home telephone numbers, Social Security numbers, medical or employment histories, personnel records, licensing records
  • Slide 8
  • Information Practices Act (California Civil Code section 1798 et seq.)
    • Establishes requirements for all state agencies for the collection, maintenance and dissemination of personal information
    • Allowed disclosures:
    • To a person/agency where the transfer is necessary to perform duties
    • To a law enforcement/regulatory agency when required for an investigation or for a licensing, certification, or regulatory process
    • To another person/governmental organization for investigation of a failure to comply with a law enforced by the agency
  • Slide 9
  • Examples of Paper Breaches
    • Misdirected paper faxes with PHI/PCI sent outside of CDHS
    • Loss or theft of paper documents containing PHI/PCI
    • Mailings to incorrect providers or beneficiaries
  • Slide 10
  • Examples of Electronic Breaches
    • Stolen, unencrypted laptops, hard drives or PCs with PHI/PCI
    • Stolen, unencrypted thumb drives with PHI/PCI
    • Stolen briefcases with unencrypted compact discs containing PHI/PCI
    • Misdirected electronic fax with PHI/PCI to a person outside of state government
  • Slide 11
  • California Anti-Identity Theft Law
    • Senate Bill 1386 (Chapter 915, Statutes of 2002) requires that any breach of the security of computerized data that includes personal information be disclosed to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person
    • Applies to state agencies and to persons or businesses that conduct business in California
  • Slide 12
  • Anti-Identity Theft / Breach Notification Statute
    • Civil Code sections 1798.29 and 1798.82
    • Requires notification to California residents when there is a breach of unencrypted electronic data containing the following personal information: the individual's first name or first initial and last name in combination with any one or more of the following data elements:
    • Social Security number
    • Driver's license or California ID number
    • Account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to the account
  • Slide 13
  • Slide 14
  • Identity Thief #1
    • Specialized in cashing phony checks using her victims' checking accounts.
    • This highly productive identity thief was arrested with a virtual goody bag of stolen identities indicating a dozen or more recent victims:
    • 15 fraudulent university ID cards
    • 12 fraudulent driver's licenses
    • 14 checks to be drawn on various accounts
    • Maps with directions to local-area banks
    • Sentence: over 13 years in prison
  • Slide 15
  • Identity Thief #2
    • When this identity thief was arrested, she had a number of items indicating that her specialty was committing fraud in large volumes:
    • Several laptop computers
    • An ID manufacturing machine
    • A credit card counterfeiting machine
    • 500 profiles of people (intended victims)
    • When arrested at the Phoenix airport, she had in her possession a plane ticket bought with a stolen credit card and several fake identifications.
    • Sentence: 2.5 years in prison
  • Slide 16
  • Identity Thief #3
    • This identity thief used his job at a local-area auto dealer to obscure his real money-making endeavor: creating fake driver's licenses, which he sold to other employees for $75 apiece.
    • The fake IDs were then used to obtain loans on used vehicles on behalf of illegal immigrants.
    • Sentence: 2 years in prison
  • Slide 17
  • Timing
    • California law requires that notice be given in the most expedient time possible and without unreasonable delay
    • Notification may be delayed for law enforcement if it would impede a criminal investigation
  • Slide 18
  • Reporting Privacy Breaches
    • CDHS employees and business associates must take immediate action and report all Privacy Breaches to: your supervisor; the CDHS Privacy Officer; the Information Security Officer
    • Privacy Breaches DO NOT include: misdirected mail within CDHS; emails transmitted from outside CDHS to the wrong email address within CDHS, or unencrypted email
  • Slide 19
  • Internal Reporting Procedures
    • 1. Inform your manager or supervisor of an unauthorized disclosure or potential breach.
    • 2. Send an email or call the Privacy Office with the following information: a brief description of the incident; the date, time, and location of the incident; the names of affected parties/witnesses.
    • 3. A written report to the CDHS Privacy Officer is required after the initial email or call. Use the Privacy Breach Reporting Form to describe the incident, identify potential harm and determine a corrective action plan to prevent future occurrences.
    • Please see Privacy Breach Reporting Form
  • Slide 20
  • Privacy Office Procedures
    • 1. Upon receipt of a report of a potential breach, the Privacy Office staff is responsible for notifying the parties shown in the slide's diagram: Chief Deputy Director; Deputy Director; Assistant Deputy Director; OLS Deputy Director; Program Areas; Privacy Officer; ISO (Rich Bayquen); the person who made the report; the Agency
    • 2. A complete investigation is then performed. The investigative team may include, but is not limited to, members of the CDHS Privacy Office, the Audit & Investigations Division, and program staff.
  • Slide 21
  • Privacy Office Procedures (cont.)
    • 3. The Privacy Office will work closely with program staff to perform the following:
    • a. Mitigation activities, including any legally required notification to beneficiaries (notification must be given to individuals in the most expedient time possible and without unreasonable delay)
    • b. Formal Corrective Action Plan
    • c. Remediation efforts
    • d. Follow-up to ensure all resolution activities are completed
    • e. Formal Agency Breach Report to close out the breach
    • Please see Agency Breach Report
  • Slide 22
  • Office of Privacy Protection's Notification Recommendations
    • Notification letter: advise individuals of steps they can take to protect themselves against the possibility of identity theft
    • Recommend contacting the three credit reporting agencies: Equifax, Experian, and TransUnion
    • If you find suspicious activity on your credit reports, call your local police or sheriff and file an identity theft report
    • Contact DMV (Fraud Hotline: 866-658-5758) to place a fraud alert on your driver's license
    • California Office of Privacy Protection recommendations are available at www.privacy.ca.gov
    • Please see Sample Notification Letter
  • Slide 23
  • Breach Contacts
    • Privacy Officer: E-mail: [email protected]; Phone: (916) 440-7750; FAX: (916) 440-7710
    • Information Security Officer: E-mail: [email protected]; Phone: (916) 440-7000 or (800) 579-0874