page 40-1 - the County of Santa Clara
advertisement
Common-Place Handbook page 40-1 Confidentiality 40. Confidentiality In accordance with Welfare and Institutions Code (W&I) Section 10850 and 45 Code of Federal Regulations (CFR) Section 205.50(a), confidentiality regulations were created to protect applicants and recipients against identification, exploitation or embarrassment that could result from the release of information identifying them as having applied for or having received public assistance. They also outline under what circumstances and to whom such information may be released. These regulations pertain to all records, papers, files and communications pertaining to Social Services Programs. These regulations bind public and private agencies with whom the County contracts to perform any part of the covered public social services programs. 40.1 References The following are references to State policy surrounding confidentiality: • Manual of Policy and Procedures (MMP) 19-002 - 19-007, • CalFresh Manual 63-201.2, and • Title 22 of Administrative Code. 40.2 Confidential Information Names, addresses and all other information concerning the circumstances of any individual for whom or about whom information is obtained is confidential and shall be safeguarded. This is true of all information whether written or oral. No disclosure of any information, obtained by a representative, agent or employee of the Social Services Agency (County Welfare Department), in the course of discharging his or her duties, shall be made, directly or indirectly, other than in the administration of public social service programs. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-2 Confidentiality Disclosure of information which identifies by name or address any applicant or recipient of public social services to federal, state or local legislative bodies and their committees without such applicant or recipient’s consent is prohibited. Such bodies include the United States Congress, the California State Senate and Assembly, City Councils and County Boards of Supervisors. Both the release and possession of confidential information in violation of the rules of this division are misdemeanors. 40.3 Tax Information Tax information is defined as any information supplied by the Internal Revenue Service (IRS), concerning a taxpayer’s identity, the nature, source, or amount of his/her earned income, unearned income (including interest or dividends), payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, deficiencies, over assessments or tax payments. 40.3.1 Safeguards Counties shall establish the following safeguards in order to protect the confidentiality of, and to prevent the unauthorized disclosure of, tax information received from the IRS: • Establish and maintain a secure area or place in which IRS tax information shall be stored; • Restrict access to the tax information only to persons whose duties or responsibilities require access to this information; • Provide other such safeguards or controls as prescribed by IRS guidelines and necessary or appropriate to protect the confidentiality of tax information; • Report annually in a format prescribed by the California Department of Social Services (CDSS) the safeguard procedures utilized by the counties for ensuring that the confidentiality of tax information is being maintained; • The county shall destroy IRS source material upon the independent verifications of IRS tax information or upon completion of appropriate case action, whichever is earlier. Methods of destruction shall be those used for confidential material. Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-3 Confidentiality 40.4 Penalties for Unauthorized Disclosure of Tax Information The following are penalties for the unauthorized disclosure of tax information: 40.4.1 Franchise Tax Board (FTB) It is a misdemeanor for the Franchise Tax Board or any member thereof, or any deputy, agent, clerk, or other officer or employee or other individual, who in the course of his or her employment or duty has or had access to returns, reports, or documents required under this part, to disclose or make known in any manner information as to the amount of income or any particulars set forth or disclosed therein. 40.4.2 Internal Revenue Service (IRS) It shall be unlawful for any person willfully to disclose to any person, except as authorized in this title, any return or, return information. Any violation shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution. 40.4.3 Civil Damage If any person knowingly, or by reason of negligence, discloses any return or return information with respect to a taxpayer in violation of any provision of Section 6103, such taxpayer may bring a civil action for damages against such person in a district court of the United States. 40.5 Non-Confidential Information Statistical information and social data, that is not identified with a particular individual may be released. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-4 Confidentiality Examples of information that may be released would include, but are not limited to such information as statements of the number of recipients, total expenditures per program or administration, average grant figures, or other general information concerning the case load as a whole. 40.6 Release of Confidential Information Confidential information may be released without the consent of the applicant/recipient, only for purposes directly connected with the administration of public social services, except as specified in Section 44.7. Public social services are defined as aid or services administered or supervised by CDSS or the State Department of Health Services. 40.6.1 Contractors Whenever a contract is entered into with a public or private agency which involves the release of confidential information, the contract shall contain a provision ensuring that such information will be used in accordance with the restrictions found in W&IC Section 10850 and this division. 40.6.2 Public Officials Certain public officials, and their duly appointed agents and deputies, are entitled to examine confidential information. The right of public officials, including law enforcement personnel, to examine public assistance records does not exist if the request is for a purpose not connected with the administration of the public social service programs. Examples of situations under which information may not be given out include but are not limited to such things as traffic violations, tax fraud investigations or criminal investigations not related to welfare. Both the release and possession of confidential information in violation of these regulations is a misdemeanor. The officials who are entitled to examine confidential information include, but are not limited to: • District Attorney or County Counsel In the administration of aid, it is necessary to disclose information to these offices when they are conducting investigations, prosecutions, criminal or civil proceedings directly connected to public social services including child support services and the location of families in which the caretaker has abducted or kidnapped the aided child(ren). Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-5 Confidentiality • California Department of Social Services (CDSS), State Department of Health and Children’s Services (DHCS) and Department of Health, Education and Welfare (HEW) and County Welfare Departments Within the State of California These agencies, their representatives and employees shall have access to public social services records as needed in the administration of public social services. • County Auditor In addition to the authority to examine claims and other financial transactions in the routine line of duty, the auditor may examine records as necessary to satisfy him/herself that fiscal accountability is being maintained and the progress relating to payment, claiming and repayment of aid are proper and effective. • Audits Federal, State and County auditors having direct or delegated authority are authorized to examine records as necessary to perform fiscal audits and/or procedure reviews. Legislative bodies and their committees authorized by law to conduct audits or similar activities in connection with the administration of public social services shall be permitted to examine records. • Legislatures and their Committees Refer to Section 44.1 for the prohibition against release of confidential information to legislatures without applicant/recipient consent. Any releases made to legislatures and their committees should be accompanied by the warning that W&I Code Section 10850 makes the use or release of the information for a purpose not directly connected with the administration of public social services a misdemeanor. • Social Security Administration Representatives of the Social Security Administration are authorized to receive client information from Social Services Agency staff, for the sole purpose of performing their duties and determining eligibility without client consent. Likewise, Representatives of the Social Services Agency are authorized to receive client information from the Social Security Administration necessary to perform their duties and determine eligibility without client consent. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-6 Confidentiality 40.6.3 Law Enforcement Officials - Exception to the Rule Pursuant to procedures and restrictions in W&I Sections 10850.3 and 10850.7, law enforcement officials may be given otherwise confidential information when: • The applicant/recipient is deceased. Information that may be released is limited to the name, address, telephone number, birth date, social security number, and physical description of the applicant for, or recipient of, public social services. A county welfare department may release the information specified by this section to any law enforcement agency only upon a written request from the head of the agency specifying that the applicant or recipient is deceased and that the agency is otherwise unable to adequately identify the deceased. The information specified may alternately be released by telephone, whereupon the head of the law enforcement agency shall submit the request in writing within five days of the release. This section shall not be construed to authorize the release of a general list identifying individuals applying for or receiving public social services. • A Felony Arrest Warrant Has Been Issued for the Applicant/Recipient. The Social Services Agency may release the information specified in this section to any law enforcement agency only upon a written request from the agency specifying that a warrant of arrest for the commission of a felony has been issued to the applicant or recipient. This request may be made only by the head of the law enforcement agency, or by an employee of the agency so authorized and identified by name and title by the head of the agency in writing to the Social Services Agency. Information releasable pursuant to a felony arrest shall be limited to name, address, telephone number, birth date, and social security account number (where such items are present) from the record of disbursement. Reminder: No data shall be released from the case record. This section shall not be construed to limit releases pursuant to Penal Code Section 11166. • Release of CalFresh and CalWORKs Case Information to Law Enforcement Officials. In the CalFresh and CalWORKs programs, the address, social security number, and, if available, photograph (with the exception of photo images obtained from the Statewide Fingerprint Imaging System [MPP Sections 40-105.3 and 63.601.12]) of any CalFresh household member and/or CalWORKs applicant/recipient, shall be made available on request to any Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-7 Confidentiality Federal, State or local law enforcement officer if the officer furnishes the Social Services Agency with the name of the applicant/recipient and notifies the county welfare department that: • The individual is fleeing to avoid prosecution, or custody or confinement after conviction, for a crime that, under the law of the place the individual is fleeing, is a felony, or • The individual is violating a condition of probation or parole imposed under Federal or State law; or • The individual has information that is necessary for the officer to conduct an official duty related these programs. • Locating or apprehending the individuals is an official duty of the law enforcement officer, and • The request is being made in the proper exercise of an official duty. 40.6.4 Requests that are not Authorized Law enforcement officials have visited various District Offices requesting specific client information. Unless specified in [“Law Enforcement Officials - Exception to the Rule,” page 40-6], SSA staff shall not disclose any other information. The following situations that are in the form of questions and answers provide guidance that addresses requests that are not authorized: • Can a client’s parole or probation officer request to see or verify that one of their parolees/probation clients is participating/attending at one of our District Offices? No. A probation/parole officer is not considered a law enforcement authority for the purposes of W&I Code 10850.3. As much as we are not allowed to release case information to anyone unless a client provides us a written authorization/consent, we are not allowed to grant a parole/probation officer to see or verify/identify if one of their parolees/probation clients is in our facility. If the probation/parole officer presents a court order for the arrest of our client, the SSA District Office Manager is to contact County Counsel for further directions. • Can a law enforcement officer investigating a crime that is not-related to CWES/Benefits programs request to speak to a client at one of our District Offices? Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-8 Confidentiality No. We may only disclose limited confidential information only upon a written request from the head of the law enforcement agency (identified by name and title) showing that a warrant has been issued for the arrest of the client for the commission of a felony or misdemeanor. Information that may be released must be limited to the client’s name, address, telephone number, date of birth, SSN, and physical description of our client. Under no circumstances would we orchestrate the meeting and arrest of the client in our office. • Can a representative from the District Attorney’s office investigating a case or searching for witness(es) not related to CWES/Benefits programs request to speak to a client at one of our District Offices? No. For the same reason as noted in the two example above. The DA’s office must not be allowed to simply come around the office fishing/searching for witnesses. • Can an attorney who is representing one of our clients that is non-related to CWES/Benefits programs request to speak to a client at one of our District Offices if the client has given permission? Guidance to this scenario is as follows: Example 1: If a client is attending/participating at one of our District Offices and client provides written authorization/consent that he/she would like to talk to his/her own attorney in our office, client may be allowed to do so. Example 2: If our client A authorizes/wants/recommends that his attorney speak to our client B as client A believes client B will be helpful to solve her non-related CWES/WTW case, SSA staff must not allow this to occur. Example 3: Situation is similar to Example 2 but the difference is that client B provides written authorization/consent to speak with client A’s attorney; it is not in violation of confidentiality due to client B’s written permission/consent. 40.6.5 Written Request Procedures Law enforcement personnel must submit a written request to the office SSPM when requesting review of any client related information. The office SSPM may contact County Counsel if there is anything in the request beyond what we can provide. Written requests allow for determining the scope of the information requested and identifying the law enforcement agency’s representative. As a reminder, if the information is related to a warrant, it needs to come from the head of the law enforcement agency or someone authorized to request it (WIC 10850.3 (b); this information is limited. [Refer to “Law Enforcement Officials - Exception to the Rule,” page 40-6]. Revised: 05/20/16 Update # 16-11 Common-Place Handbook 40.6.6 page 40-9 Confidentiality Release of Confidential Information in Conjunction With a Lawsuit If an applicant/recipient or caretaker relative becomes a party or plaintiff in any suit against the State of California, any political subdivision of the state, or any agency administering the laws governing the administration of public social services and such suit challenges the validity of the laws governing the administration of public social services or the manner in which the laws have been applied, the attorney representing the state, political subdivision, or agency shall be given access to all files and records relating to the plaintiff. Such files and records may be disclosed to the court having jurisdiction of the lawsuit insofar as they are relevant to the determination of any factual or legal issue in the case. In such cases, it should be brought to the court’s attention, when presented with the requested information, of the state law and policy against further disclosure of the information. On notice of court action ordering records to be produced, where the action is not connected with the administration of public social services, the county shall notify the appropriate legal officer (county counsel). Such legal officer shall be requested to take immediate action to safeguard the confidential nature of the records. 40.6.7 Release to Schools Confidential case information may be released to county superintendents of school and superintendents of school districts, and their representatives, as necessary for the administration of federally-assisted programs which provide assistance in cash, in-kind, or services directly to individuals on the basis of need. If such confidential information is released, the superintendent shall be informed of the criminal prohibition against the use or disclosure of such information for any purpose other than that for which it was obtained. Information concerning the number of CalWORKs families living within a particular school district requested to support entitlement to funds under the Elementary and Secondary Education Act (ESEA) may be released to authorized representatives of the school district. A signed agreement with the school district stating that the confidential information obtained will only be used for purposes of fund claiming under the ESEA and that the district understands that there is a criminal penalty for release or use by the school district for any other purpose shall be obtained. The prohibition includes the use of confidential records to identify applicants or recipients to school teachers and administrators. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-10 Confidentiality Note: Written consent must be obtained from the client prior to releasing specific client information to any school official, such as but not limited to, verification of the receipt of or the amount of assistance a client is receiving. 40.6.8 Disclosure to Parents Who Wish to be Reunited With Their Family • Where a person claims to be an absent parent, his/her identification should be verified. • No acknowledgement to the requesting parent that the child(ren) or other parent are receiving aid may be made. • If the family is aided, the aided caretaker shall be contacted for permission to release information. If permission is granted, the information shall be released. • If the absent parent alleges that the aided parent has kidnapped, abused or neglected the child(ren), the case must be referred to the child protective services for appropriate action. The name and address of the applicant or recipient may be released to law enforcement officials for the purpose of locating abducting parents and the abducted child(ren). 40.6.9 Release to Research Organizations Information requested by research organizations may be released without authorization of the applicant/recipient, provided that specific case information is not released, only case load statistics as a whole. Research organizations requesting information must guarantee in writing that they will meet the conditions and protections of this division and W & I Codes Section 10850. 40.7 Release to Client or Authorized Representative (AR) For purposes of this section, an authorized representative (AR) is a person or group who has authorization from the applicant/recipient to act on his/her behalf. Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-11 Confidentiality Prior to releasing any case information, the client or AR must be properly identified. Acceptable items to identify the client or AR may include but are not limited to such items as identification card, case number, driver’s license number, social security account numbers or the mother’s maiden name. 40.7.1 Authorized Representative Authorizations Except as otherwise provided, all authorizations to provide information to an authorized representative (AR) are to be provided by the client in writing. Written authorizations shall be dated and shall expire one year from the date on which they are given unless they are expressly limited to a shorter period or revoked. In cases involving pending appeals or state hearings, the time period, unless the authorization is expressly limited or revoked, shall extend to the final disposition of the issue involved in the fair hearing or, where applicable, by the courts. When the AR and the client or responsible relative caring for the CalWORKs child are both present, written authorization is required for that particular occasion. 40.7.2 Information Supplied By the Client Information relating to eligibility that was provided solely by the client contained in applications and other records made or kept by the Social Services Agency in connection with the administration of the public assistance program shall be open to inspection by the client or his/her AR. 40.7.3 Telephone and email Inquiries Information provided by the client may also be released to the client and their AR by telephone and email when they have been properly identified.[See Telephone Authorizations below for acceptable items that may be used to identify a client or AR.] In instances where the client has previously provided us with their email address, this is sufficient verification that the request for information is coming from the client. Reminder: Any email correspondence containing Personal Identifiable Information (PII) must be sent as Secure email. Information that was NOT provided by the client, such as Client Index Number (CIN), absent parent’s whereabouts etc.,shall not be disclosed. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-12 Confidentiality When the AR and the client, or responsible relative caring for the CalWORKs child are both present, no written authorization is required for that particular occasion. 40.7.4 Telephone Authorizations Telephone Authorizations may be accepted in lieu of a written authorization where circumstances ensure that the applicant or recipient has adequately identified him/herself to the county. A telephone authorization is temporary and should be followed up by a written authorization and documented in the Maintain Case Comments subsystem. Acceptable items to identify the applicant or recipient by phone may include but are not limited to such items as case numbers, driver’s license numbers, social security account numbers or the mother’s maiden name. The procedure for telephone authorizations will usually involve the client first calling their EW and notifying them of whom will be calling on his/her behalf. This call will authorize the release of confidential information. Examples of typical circumstances for releasing confidential information by telephone authorization include inquires from medical offices, welfare rights organizations or legislators calling on behalf of the recipients. 40.7.5 Applicant/Recipient Written Requests for Assistance to Legislators Written inquiries to members of legislative bodies signed by applicants or recipients of public social services concerning the receipt of public social services may serve as authorization for release of information sufficient to answer such an inquiry. 40.7.6 Release of Information in Conjunction With a State Hearing The client or his/her attorney or AR may inspect the case records including the entire case narrative relating to the client. Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-13 Confidentiality 40.8 Information Which May NOT Be Released to the Client or Authorized Representative Portions of the client’s record which would qualify as privileged communications as defined by Evidence Code. This would include Sections 954 (lawyer-client) and 1041 (identity of informer). Note: The physician-patient privilege in Evidence Code Section 990 belongs to the patient and may be waived by him/her. The right of the patient to inspect his/her records is confined to record maintained by the CWD and does not extend to the records kept by the physician. [Refer to “Privileged and Confidential Information [EAS 19-006],” page 42-2] 40.9 Eligibility Determinations The following is allowed when making eligibility determinations: 40.9.1 Collateral Contacts Individual consent forms, signed by the applicant or recipient are required for each contact made during the evidence gathering process. An exception to this rule is found in MPP Section 20-007.36 which exempts Special Investigative Units (SIUs) from the requirement of permission to contact collateral sources. 40.9.2 Permission If the client does not wish the county to contact a private or public source in order to determine eligibility, the client shall have the opportunity to obtain the desired information or verification for him/herself. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-14 Confidentiality 40.9.3 Acceptability and Discontinuances If the information or verification is unacceptable to the county and the applicant refuses to grant the county permission to collect the information, the applicant will be given the opportunity to withdraw his/her application or the application shall be denied for noncooperation. Recipients who refuse to give consent for a collateral contact for which no acceptable evidence or verification has been obtained by the recipient, shall be given the opportunity to withdraw from the program or shall be terminated. 40.9.4 Outside Contacts by Agencies Other than the CWD When the assigned Eligibility Worker determines eligibility, he/she shall inform the client that, if it is necessary to contact outside sources (including employers) and the client wishes to keep the service confidential, he/she is entitled to request that such contacts be made by our Agency. The Social Services Agency, upon notification of the individual’s request, shall make the outside contacts for the client. While the client may not object to such contacts, he/she may object to a contact’s learning of the particular kind of service sought. To the maximum extent possible, such inquiries should not reveal the specific nature of the service sought by the client. 40.10Documentation in Case Record The purpose of public assistance and social service records is to evidence eligibility and the delivery of public social services. The applicant/recipient’s record should only contain facts relevant to his/her case. 40.11Medi-Cal Personal Identifiable Information (PII) Federal law requires that a Medi-Cal client’s Personally Identifiable Information (PII) be protected and secured. As such, the California Department of Health Services (DHCS) and the County of Santa Clara have entered into a “Medi-Cal Data Privacy and Security Agreement.” Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-15 Confidentiality All information, whether written or oral, of any individual for whom or about whom information is obtained is confidential and must be safeguarded. 40.11.1 Privacy and Confidentiality Client’s information, such as: name, social security number, date of birth, driver’s license or identification number and address are confidential and shall be safeguarded. County workers must only use or disclose client’s information to perform their official job related functions. Unauthorized disclosure is a violation of Welfare & Institutions Code, Section 14100.2 and County Policy and is subject to disciplinary action, as well as civil and criminal sanctions. 40.11.2 MEDS Privacy and Confidentiality Staff is not to share their Medi-Cal Eligibility Data System (MEDS) password or User Name with anyone. Passwords must be changed immediately if revealed. Any suspected unauthorized use of an ID or password is to be reported to the Supervisor/Manager immediately. Any unauthorized release of confidential information will be subject to civil and criminal sanctions. 40.11.3 CalWIN Privacy and Confidentiality All CalWIN information is confidential and must not be disclosed. Unauthorized disclosure is a violation of County Policy and a violation of law. Information may not be accessed unless there is a legitimate business need to do so. Information may not be disclosed to anyone who does not have a legitimate business need to receive it. 40.11.4 Computer Security Safeguards The “Send Secure” e-mail option must always be used in Outlook when sending messages containing information to recipients outside of our Agency. Staff must ensure that data is encrypted when using Removable Media (Jump Drives/CD/USB) to transport client information. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-16 Confidentiality Staff must always log off/lock computer (using CNTRL+Alt+Delete) when away from the work station, to avoid unauthorized access. 40.11.5 Physical Security All client’s information must be stored in an area that is physically safe from access by unauthorized persons during working and non-working hours. County workers must wear their identification badges at all times. 40.11.6 Paper Control Documents All paperwork containing client’s information must be discarded in burn bags. Burn bags must be emptied daily, following the Agency’s Burn Bag Policy. [Refer to “Burn Bag Policy,” page 40-26] Staff is not to take any paperwork and/or file containing client’s information outside the Agency except for identified routine/approved business purposes (i.e., home visit). Faxes and copies containing client information must be promptly picked up from fax machines, as well as printers and copiers. Client information must NEVER be left unattended at any time. 40.11.7 Miscellaneous Client’s names or personal information is NEVER to be discussed with co-workers not associated with the case, friends or family members. Staff is to avoid discussions involving personally identifiable information in hallways or public places. Note: Persons receiving faxes containing client information in error must be notified to destroy them immediately. Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-17 Confidentiality 40.12Federal Tax Information (FTI) Both the Internal Revenue Services (IRS) and the Social Security Administration (SSA) require agencies that receive, store process or transmit FTI to develop, document, and disseminate policy and procedures covering incident response for FTI. Additionally, the SSA requires agencies that receive PII to establish a similar incident response process. FTI is data originally sourced from a federal tax return that the IRS then provides to social services agencies. When the same information is provided by the taxpayer to the county, it is NOT FTI. Example: If Jane Doe provides the county with her federal tax return, this data is not considered FTI. When the IRS provides data from Jane Doe’s federal tax return directly to the county, this data is considered FTI. 40.13Breach of Confidentiality Policy [ACL 15-56, IRS Code Sect 6103, SSA Public Law 98-369 Sect 1137] It is the responsibility of every county employee to protect the security and confidentiality of client’s: • Medi-Cal Personal Identifiable Information (PII) • Federal Personally Identifying Information (PII) • Federal Tax Information. This section outlines the steps to be taken in the event of a real, perceived or potential Medi-Cal or Federal PII or FTI security incident. To minimize county-wide impact, it is imperative that a formal reporting and response policy be followed when reporting Medi-Cal or Federal PII or FTI security incidents. This policy applies to all users and staff with direct or indirect access to Medi-Cal client information whether or not on County premises. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-18 Confidentiality 40.13.1 Responsibility Designated personnel have the responsibility to take the action indicated in this section in a timely manner as dictated by the nature and severity of the incident. Those incidents having agency-wide implications should be given the most immediate attention, including escalation during any time period, 24 hours a day/7 days a week: User Reports any perceived Medi-Cal or Federal PII or FTI security incidents to his/her Supervisor or Manager. Supervisor/Manager • Evaluates the reported security incident. • Keeps a record of actions taken. • Completes the “Medi-Cal Personally Identifiable (PII) Incident Report” (SCD 2284), if the Medi-Cal or Federal PII or FTI could have been accessed or viewed by anyone other than those with direct business needs. • Submits the SCD 2284 within the date of discovery to the Medi-Cal/Federal PII and FTI Security Coordinator at 333 W. Julian Av. • Takes prompt corrective action to reduce the risk of similar incidents. Medi-Cal/Federal PII and FTI Security Coordinator Receives the SCD 2284 and notifies the appropriate agencies if the information breach involved any Information Systems Asset. 40.13.2 Frequently Asked Questions The following are frequently asked questions concerning a breach of confidentiality: • What is a privacy or security breach? A privacy or security breach is an intended or unintended unauthorized disclosure of client Medi-Cal data or personally identifiable information (PII). Privacy or security breaches may be paper or electronic. If the breach involves Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-19 Confidentiality computerized information that is unencrypted; including name, social security number (SSN), Department of Motor Vehicles (DMV) financial account information, then the breach triggers state breach notification law. • What are some examples of privacy or security breaches that involve paper? • Misdirected paper faxes with PII outside of Santa Clara County’s Social Service Agency. • Loss or theft of paper documents or listings containing PII. • Mailings to incorrect providers or beneficiaries. • What are some examples of electronic privacy or security breaches? • Stolen, unencrypted laptops, hard drives, PCs with PII. • Stolen, unencrypted thumb drives with PII. • Stolen briefcases with unencrypted compact discs containing PII. • Misdirected electronic fax with PII to persons outside of Santa Clara County’s Social Services Agency. • If some of the information is stolen or otherwise involved in a privacy or security breach, does this mean that the client is a victim of identity theft? No, this does not mean that the client is a victim of identity theft. The fact that some of the information may have been involved in a privacy breach does not mean that a person attempted to or did access the information or that the information has been used inappropriately. Clients may be advised to place a fraud alert on their credit files and review their credit reports. • How will clients know if any of their personal information was used by someone else? The best way to find out is for them to order their credit reports from the three credit bureaus: Equifax, Experian and Trans Union. If they notice accounts on their credit report that they did not open or applications for credit (“inquiries”) that they did not make, these could be indications that someone else is using their personal information, without permission. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-20 Confidentiality • Do clients have to pay for a credit report? As a possible fraud victim, they are entitled to a free copy of their credit report. They can call any one of the three credit bureaus at the numbers provided and follow the “fraud victim” instructions. They will automatically place a fraud alert on their credit file with all three of the bureaus. They will soon receive a letter from each bureau confirming the fraud alert and telling them how to order a free copy of their credit report. Clients should follow the instructions in the letters to receive their free reports. NOTE: This free credit report that they are entitled to as a potential fraud victim is in addition to the free annual report that everyone is now entitled to. Clients should be referred to www.privacy.ca.gov for more information on the free annual report. • Trans Union - 1-800-680-7289 • Experian - 1-888-397-3742 • Equifax - 1-800-525-6285 • Are credit bureaus going to ask for the client’s SSN? Is it okay to provide it? The credit bureaus ask for an SSN and other information in order to identify the client and avoid sending their credit report to the wrong person. It is okay for the client to give this information to the credit bureau that they call. • Does the client have to call all three credit bureaus? No. If they call just one of the bureaus, that bureau will notify the other two. A fraud alert will be placed on their file with all three and the client will receive a confirming letter from all three. • Why can’t the client talk to someone at the credit bureaus? They must first order their credit reports. When they receive their reports, each one will have a phone number they can call to speak with a live person in the bureau’s fraud unit. If they see anything on any of their reports that looks unusual or that they don’t understand, they may call the number on the report. • What is a fraud alert? A fraud alert is a message that credit issuers receive when someone applies for new credit in their name. The message tells creditors that there is a possible Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-21 Confidentiality fraud associated with the account and gives them a phone number to call (the client’s) before issuing new credit. When the client calls the credit bureau fraud line, he/she will be asked for identifying information and will be given the opportunity to enter a phone number for creditors to call. The client may want to make this his/her cell phone number. • Will a fraud alert stop the client from using his/her credit cards? No. A fraud alert will not stop the client from using your existing credit cards for other accounts. It may slow down his/her ability to get new credit. Its purpose is to help protect the client against identity thieves trying to open credit accounts in their name. Credit issuers get a special message alerting them to the possibility of fraud. Creditors know that they should take “reasonable steps” to re-verify the identity of the person applying for credit. • How long does a fraud alert last? An initial fraud alert lasts 90 days. An alert can be removed by calling the credit bureaus at the phone number given on a credit report. If the client wants to reinstate the alert, he/she can also do so. • What if the client has a fraud alert on, but wants to apply for credit? The client should still be able to get credit. While a fraud alert may slow down the application process, the client can prove his/her identity to a prospective creditor by providing identifying information. • How long does it take to receive a credit report? It could take about 20 days from the day the client calls the credit bureaus. It takes about 5 to 10 days from the time the client calls the credit bureaus to get his/her fraud alert confirmation letter with instructions on ordering his/her credit report. The client should receive his/her reports in another 5 to 10 days from the time they are ordered. • Should the client contact the Social Security Administration and change his/her SSN? The Social Security Administration rarely changes a person’s SSN. The mere possibility of fraudulent use of your SSN would probably not be viewed as a justification. There are drawbacks to doing so. The absence of any history under the new SSN would make it difficult to get credit, continue college, rent an apartment, open a bank account, get health insurance, etc. In most cases, getting a new SSN would not be a good idea. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-22 Confidentiality • Should the client close his/her bank account? No, not unless the client’s bank account number was among the items of personal information compromised in the breach. As a general privacy protection measure, the client should limit the use of your SSN where it's not required. For example, if his/her bank account number or PIN is the client’s SSN, he/she should ask the bank to give him/her a different number. Clients should NOT use the last four digits of their SSN, their mother’s maiden name or their birth date as a password for financial information. • Should the client close his/her credit card or other accounts? No, not unless his/her account number was among the items of personal information compromised in the breach. As a general privacy protection measure, the client should always look over his/her credit card bills carefully to see if there are any purchases he/she didn’t make. If so, the card company should be contacted immediately. • What should a client look for on his/her credit report? The client should look for any accounts that he/she doesn’t recognize, especially accounts opened recently. Clients should look at the inquires or requests section for names of creditors from whom they haven’t requested credit. It should be noted that some kinds of inquiries, labeled something like “promotional inquiries,” are for unsolicited offers of credit, mostly from companies with whom they do business. Clients should not be concerned about those inquiries as a sign of fraud. (Persons are automatically removed from lists to receive unsolicited pre-approved credit offers when a fraud alert is placed on an account. Offers can also be stopped by calling 888-5OPTOUT). Clients should look into the personal information section for addresses where they’ve never lived. Any of these things might be indications of fraud. Also they should be on the alert for other possible signs of identity theft, such as calls from creditors or debt collectors about bills that they don’t recognize, or unusual charges on their credit card bills. • What happens if the client finds out that they have been a victim of identity theft? The client should immediately notify his/her local law enforcement agency, contact any creditors involved and notify the credit bureaus. For more Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-23 Confidentiality information on what to do, they should view the Identity Theft Victim Checklist on the Identity Theft page of the California Office of Privacy Protection’s Website at www.privacy.ca.gov. • How often should a client order new credit reports and how long should he/she go on ordering them? It might be a good idea for clients to order copies of credit reports every three months for a while. How long they continue to order them is up to them. Identity thieves usually, but not always, act soon after stealing personal information. We recommend checking credit reports at least twice a year as a general privacy protection measure. • I heard that the client could “freeze” his/her credit files. How does that work? A security freeze is a stronger measure than a fraud alert. A freeze prevents others from seeing the client’s credit history without his/her permission. Unlike the fraud alert that lasts 90 days, a credit freeze remains in effect until such time as the consumer elects to terminate the freeze. It costs $10 to place a freeze with each of the three credit bureaus, for a total cost of $30. The client can also temporarily lift the freeze for $10, if he/she wants to apply for new credit. For more information on the freeze, the client should view the Identity Theft page of the Office of Privacy Protection’s Website: http://www.privacy.ca.gov/cover/identitytheft.htm. If the client has no internet access, they may call the California Office of Privacy Protection at 1-866-785-9663. • If the notice is addressed to a child who is a minor, what should the client do? The client should call each of the credit bureaus at the numbers in the notice letter. The fraud cues on the automated system should be followed and the child’s information entered. If he/she gets a message of “report not found” or something of that nature, that’s good. That means the child doesn’t have a credit history. A creditor doing a credit check would get the same message, pretty much eliminating the risk of new credit being established in the child’s name. The client may want to go through this process every few months for six months to a year. If the fraud alert process goes through, then the client will receive a confirming letter in the mail from each of the credit bureaus with instructions for ordering his/her child’s credit report. The client should check the report(s) and call the credit bureaus about any information that looks suspicious or inaccurate. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-24 Confidentiality • If the notice is addressed to the client’s spouse, who is deceased, what should the client do? The client should call each of the credit bureaus at the numbers in the notice letter. The fraud cues should be followed and the deceased person’s information entered. If the message received says “reported deceased” or “no report on file” or something of that nature, that’s good. That means the credit bureaus have been notified by the Social Security Administration that the holder of the SSN is deceased. A creditor doing a credit check would get the same message, pretty much eliminating the risk of new credit being established in the deceased person’s name/number. NOTE: Counties notify SSA when a death certificate is filed. If the fraud alert process on the automated phone system goes through, that may mean that the credit bureaus haven’t been notified of the death. In that case the spouse (or the executor of the state) would notify the credit bureaus in writing that the person is deceased and that the person’s information may be at risk of identity theft. The credit bureaus will flag the file as deceased. The spouse (or executor) must include the following information in the letters to the credit bureaus: • Deceased’s full name, date of birth, most recent address and SSN. • Copy of the death certificate. • The spouse may request and receive a copy of the deceased’s credit report at the spouse’s home address. • An executor wishing to receive a copy of the deceased’s credit report should enclose a copy of the executorship papers. Mail to the credit bureau addresses below: Experian Trans Union Equifax Phone 888-397-3742 800-680-7289 800-525-6285 TDD 800-972-0322 877-553-7803 1-800-255-0056 and ask for Auto Disclosure Line, 1-800-685-1111 Address P.O. Box 9532 Allen, TX 75013 P.O. Box 6790 Fullerton, CA 92834 P.O. Box 740241 Atlanta, GA 30374-0241 Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-25 Confidentiality 40.14Numbering System in District Offices To preserve client confidentiality, it is necessary for district offices to utilize a numbering system when calling clients from the lobby. Workers must extend their voice mail greeting to include: “Due to client confidentiality, if you are in the lobby, please take a number and state it on the voice mail message along with your name and case number.” 40.14.1 Clerical Staff Clerical staff will no longer call client’s by their name. Instead, clerical staff will call the client to the appropriate window using the numbering system. District Office procedures must be followed in order to process the particular request. 40.14.2 Eligibility Staff Eligibility Workers (EWs) and Department of Employment and Benefit Services (DEBS) staff must page clients to the designated area using either: • The number the client has selected, or • The client’s first name or last name, not both, or • The process established in the respective district office. Note: There may be a variance to the numbering system in each district office, as policy is established using Social Services Program Manager (SSPM) discretion. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-26 Confidentiality 40.15Confidentiality in Office Lobbies As part of DEBS Program Improvement Plan to ensure the safeguard of confidential information, the “Personal Information Registration” form (SCD 2377) is to be used in office lobbies. This form replaces the interactive verbal request of personal information needed to identify the case in reception areas. The process associated with the form is as follows: • Client approaches reception area based on order, such as through kiosk-assigned number. • Instead of front desk staff verbally requesting client Personal Information (PI), the SCD 2377 is given to the client to complete. • Front Desk Staff utilizes the PI on the form to assist client as per current procedures (i.e. researches CalWIN or other systems, etc). • Upon completion of current procedures, the SCD 2377 is placed in burn bag. 40.16Burn Bag Policy Documents containing client information are strictly confidential and must be treated as such. Under no circumstances are documents containing any source of client information to be disposed of in regular trash receptacles. The Social Services Agency provides “burn bags” to all employees to discard such information (in the absence of a paper shredder). Placing documents in a burn bag does not in itself comply with confidentiality requirements. To protect client information, burn bags cannot be left out in the open. On a daily basis, upon ending their shift, staff is to do the following with burn bags containing confidential information: • Place the burn bag in a drawer that has lock capabilities, or • Shred the documents that were placed in the burn bag, or • Empty the contents of the burn bag in one of the locked bins provided in each district office. Revised: 05/20/16 Update # 16-11 Common-Place Handbook page 40-27 Confidentiality There are no exceptions to this rule. Under no circumstances is staff allowed to leave at the end of their shift without having taken one of the above actions with their burn bags. Update # 16-11 Revised: 05/20/16 Common-Place Handbook page 40-28 Confidentiality Revised: 05/20/16 Update # 16-11
