page 40-1 - the County of Santa Clara

Common-Place Handbook
page 40-1
Confidentiality
40. Confidentiality
In accordance with Welfare and Institutions Code (W&I) Section 10850 and 45
Code of Federal Regulations (CFR) Section 205.50(a), confidentiality regulations
were created to protect applicants and recipients against identification, exploitation
or embarrassment that could result from the release of information identifying them
as having applied for or having received public assistance. They also outline under
what circumstances and to whom such information may be released.
These regulations pertain to all records, papers, files and communications
pertaining to Social Services Programs. These regulations bind public and private
agencies with whom the County contracts to perform any part of the covered public
social services programs.
40.1 References
The following are references to State policy surrounding confidentiality:
• Manual of Policy and Procedures (MPP) 19-002 - 19-007,
• CalFresh Manual 63-201.2, and
• Title 22 of Administrative Code.
40.2 Confidential Information
Names, addresses and all other information concerning the circumstances of any
individual for whom or about whom information is obtained is confidential and shall
be safeguarded. This is true of all information whether written or oral.
No disclosure of any information, obtained by a representative, agent or employee
of the Social Services Agency (County Welfare Department), in the course of
discharging his or her duties, shall be made, directly or indirectly, other than in the
administration of public social service programs.
Update # 16-11
Revised: 05/20/16
Common-Place Handbook
page 40-2
Confidentiality
Disclosure of information which identifies by name or address any applicant or
recipient of public social services to federal, state or local legislative bodies and
their committees without such applicant or recipient’s consent is prohibited. Such
bodies include the United States Congress, the California State Senate and
Assembly, City Councils and County Boards of Supervisors.
Both the release and possession of confidential information in violation of the rules
of this division are misdemeanors.
40.3 Tax Information
Tax information is defined as any information supplied by the Internal Revenue
Service (IRS), concerning a taxpayer’s identity, the nature, source, or amount of
his/her earned income, unearned income (including interest or dividends),
payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth,
tax liability, tax withheld, deficiencies, over assessments or tax payments.
40.3.1 Safeguards
Counties shall establish the following safeguards in order to protect the
confidentiality of, and to prevent the unauthorized disclosure of, tax information
received from the IRS:
• Establish and maintain a secure area or place in which IRS tax information shall
be stored;
• Restrict access to the tax information only to persons whose duties or
responsibilities require access to this information;
• Provide other such safeguards or controls as prescribed by IRS guidelines and
necessary or appropriate to protect the confidentiality of tax information;
• Report annually in a format prescribed by the California Department of Social
Services (CDSS) the safeguard procedures utilized by the counties for ensuring
that the confidentiality of tax information is being maintained;
• The county shall destroy IRS source material upon the independent verifications
of IRS tax information or upon completion of appropriate case action, whichever
is earlier. Methods of destruction shall be those used for confidential material.
40.4 Penalties for Unauthorized Disclosure of Tax Information
The following are penalties for the unauthorized disclosure of tax information:
40.4.1 Franchise Tax Board (FTB)
It is a misdemeanor for the Franchise Tax Board or any member thereof, or any
deputy, agent, clerk, or other officer or employee or other individual, who in the
course of his or her employment or duty has or had access to returns, reports, or
documents required under this part, to disclose or make known in any manner
information as to the amount of income or any particulars set forth or disclosed
therein.
40.4.2 Internal Revenue Service (IRS)
It shall be unlawful for any person willfully to disclose to any person, except as
authorized in this title, any return or return information. Any violation shall be a
felony punishable by a fine in any amount not exceeding $5,000, or imprisonment
of not more than 5 years, or both, together with the costs of prosecution.
40.4.3 Civil Damage
If any person knowingly, or by reason of negligence, discloses any return or return
information with respect to a taxpayer in violation of any provision of Section 6103,
such taxpayer may bring a civil action for damages against such person in a district
court of the United States.
40.5 Non-Confidential Information
Statistical information and social data that is not identified with a particular
individual may be released.
Examples of information that may be released would include, but are not limited to
such information as statements of the number of recipients, total expenditures per
program or administration, average grant figures, or other general information
concerning the case load as a whole.
40.6 Release of Confidential Information
Confidential information may be released without the consent of the
applicant/recipient, only for purposes directly connected with the administration of
public social services, except as specified in Section 44.7. Public social services
are defined as aid or services administered or supervised by CDSS or the State
Department of Health Services.
40.6.1 Contractors
Whenever a contract is entered into with a public or private agency which involves
the release of confidential information, the contract shall contain a provision
ensuring that such information will be used in accordance with the restrictions
found in W&IC Section 10850 and this division.
40.6.2 Public Officials
Certain public officials, and their duly appointed agents and deputies, are entitled to
examine confidential information. The right of public officials, including law
enforcement personnel, to examine public assistance records does not exist if the
request is for a purpose not connected with the administration of the public social
service programs. Examples of situations under which information may not be
given out include but are not limited to such things as traffic violations, tax fraud
investigations or criminal investigations not related to welfare. Both the release and
possession of confidential information in violation of these regulations are
misdemeanors. The officials who are entitled to examine confidential information
include, but are not limited to:
• District Attorney or County Counsel
In the administration of aid, it is necessary to disclose information to these
offices when they are conducting investigations, prosecutions, criminal or civil
proceedings directly connected to public social services including child support
services and the location of families in which the caretaker has abducted or
kidnapped the aided child(ren).
• California Department of Social Services (CDSS), State Department of
Health and Children’s Services (DHCS) and Department of Health,
Education and Welfare (HEW) and County Welfare Departments Within the
State of California
These agencies, their representatives and employees shall have access to
public social services records as needed in the administration of public social
services.
• County Auditor
In addition to the authority to examine claims and other financial transactions in
the routine line of duty, the auditor may examine records as necessary to satisfy
him/herself that fiscal accountability is being maintained and the progress
relating to payment, claiming and repayment of aid are proper and effective.
• Audits
Federal, State and County auditors having direct or delegated authority are
authorized to examine records as necessary to perform fiscal audits and/or
procedure reviews. Legislative bodies and their committees authorized by law to
conduct audits or similar activities in connection with the administration of public
social services shall be permitted to examine records.
• Legislatures and their Committees
Refer to Section 44.1 for the prohibition against release of confidential
information to legislatures without applicant/recipient consent. Any releases
made to legislatures and their committees should be accompanied by the
warning that W&I Code Section 10850 makes the use or release of the
information for a purpose not directly connected with the administration of public
social services a misdemeanor.
• Social Security Administration
Representatives of the Social Security Administration are authorized to receive
client information from Social Services Agency staff, for the sole purpose of
performing their duties and determining eligibility without client consent.
Likewise, Representatives of the Social Services Agency are authorized to
receive client information from the Social Security Administration necessary to
perform their duties and determine eligibility without client consent.
40.6.3 Law Enforcement Officials - Exception to the Rule
Pursuant to procedures and restrictions in W&I Sections 10850.3 and 10850.7, law
enforcement officials may be given otherwise confidential information when:
• The applicant/recipient is deceased. Information that may be released is limited
to the name, address, telephone number, birth date, social security number, and
physical description of the applicant for, or recipient of, public social services. A
county welfare department may release the information specified by this section
to any law enforcement agency only upon a written request from the head of the
agency specifying that the applicant or recipient is deceased and that the agency
is otherwise unable to adequately identify the deceased. The information
specified may alternately be released by telephone, whereupon the head of the
law enforcement agency shall submit the request in writing within five days of the
release.
This section shall not be construed to authorize the release of a general list
identifying individuals applying for or receiving public social services.
• A Felony Arrest Warrant Has Been Issued for the Applicant/Recipient. The
Social Services Agency may release the information specified in this section to
any law enforcement agency only upon a written request from the agency
specifying that a warrant of arrest for the commission of a felony has been
issued to the applicant or recipient. This request may be made only by the head
of the law enforcement agency, or by an employee of the agency so authorized
and identified by name and title by the head of the agency in writing to the Social
Services Agency.
Information releasable pursuant to a felony arrest shall be limited to name,
address, telephone number, birth date, and social security account number
(where such items are present) from the record of disbursement.
Reminder:
No data shall be released from the case record. This section shall not be
construed to limit releases pursuant to Penal Code Section 11166.
• Release of CalFresh and CalWORKs Case Information to Law Enforcement
Officials. In the CalFresh and CalWORKs programs, the address, social security
number, and, if available, photograph (with the exception of photo images
obtained from the Statewide Fingerprint Imaging System [MPP Sections
40-105.3 and 63.601.12]) of any CalFresh household member and/or
CalWORKs applicant/recipient, shall be made available on request to any
Federal, State or local law enforcement officer if the officer furnishes the Social
Services Agency with the name of the applicant/recipient and notifies the county
welfare department that:
• The individual is fleeing to avoid prosecution, or custody or confinement after
conviction, for a crime that, under the law of the place the individual is fleeing,
is a felony, or
• The individual is violating a condition of probation or parole imposed under
Federal or State law; or
• The individual has information that is necessary for the officer to conduct an
official duty related to these programs.
• Locating or apprehending the individuals is an official duty of the law
enforcement officer, and
• The request is being made in the proper exercise of an official duty.
40.6.4 Requests that are not Authorized
Law enforcement officials have visited various District Offices requesting specific
client information. Unless specified in [“Law Enforcement Officials - Exception to
the Rule,” page 40-6], SSA staff shall not disclose any other information. The
following situations that are in the form of questions and answers provide guidance
that addresses requests that are not authorized:
• Can a client’s parole or probation officer request to see or verify that one
of their parolees/probation clients is participating/attending at one of our
District Offices?
No. A probation/parole officer is not considered a law enforcement authority for the
purposes of W&I Code 10850.3. As much as we are not allowed to release case
information to anyone unless a client provides us a written authorization/consent,
we are not allowed to permit a parole/probation officer to see or verify/identify if one
of their parolees/probation clients is in our facility. If the probation/parole officer
presents a court order for the arrest of our client, the SSA District Office Manager is
to contact County Counsel for further directions.
• Can a law enforcement officer investigating a crime that is not related to
CWES/Benefits programs request to speak to a client at one of our District
Offices?
No. We may disclose limited confidential information only upon a written
request from the head of the law enforcement agency (identified by name and title)
showing that a warrant has been issued for the arrest of the client for the
commission of a felony or misdemeanor. Information that may be released must be
limited to the client’s name, address, telephone number, date of birth, SSN, and
physical description of our client. Under no circumstances would we orchestrate the
meeting and arrest of the client in our office.
• Can a representative from the District Attorney’s office investigating a
case or searching for witness(es) not related to CWES/Benefits programs
request to speak to a client at one of our District Offices?
No. For the same reason as noted in the two examples above. The DA’s office must
not be allowed to simply come around the office fishing/searching for witnesses.
• Can an attorney who is representing one of our clients in a matter that is
not related to CWES/Benefits programs request to speak to a client at one of
our District Offices if the client has given permission?
Guidance to this scenario is as follows:
Example 1: If a client is attending/participating at one of our District Offices and
client provides written authorization/consent that he/she would like to talk to his/her
own attorney in our office, client may be allowed to do so.
Example 2: If our client A authorizes/wants/recommends that his attorney speak to
our client B as client A believes client B will be helpful to solve her non-related
CWES/WTW case, SSA staff must not allow this to occur.
Example 3: Situation is similar to Example 2 but the difference is that client B
provides written authorization/consent to speak with client A’s attorney; it is not in
violation of confidentiality due to client B’s written permission/consent.
40.6.5 Written Request Procedures
Law enforcement personnel must submit a written request to the office SSPM when
requesting review of any client related information. The office SSPM may contact
County Counsel if there is anything in the request beyond what we can provide.
Written requests allow for determining the scope of the information requested and
identifying the law enforcement agency’s representative. As a reminder, if the
information is related to a warrant, it needs to come from the head of the law
enforcement agency or someone authorized to request it (WIC 10850.3 (b)); this
information is limited. [Refer to “Law Enforcement Officials - Exception to the Rule,”
page 40-6].
40.6.6 Release of Confidential Information in Conjunction With a Lawsuit
If an applicant/recipient or caretaker relative becomes a party or plaintiff in any suit
against the State of California, any political subdivision of the state, or any agency
administering the laws governing the administration of public social services and
such suit challenges the validity of the laws governing the administration of public
social services or the manner in which the laws have been applied, the attorney
representing the state, political subdivision, or agency shall be given access to all
files and records relating to the plaintiff. Such files and records may be disclosed to
the court having jurisdiction of the lawsuit insofar as they are relevant to the
determination of any factual or legal issue in the case. In such cases, when the
requested information is presented, the state law and policy against further
disclosure of the information should be brought to the court’s attention.
On notice of court action ordering records to be produced, where the action is not
connected with the administration of public social services, the county shall notify
the appropriate legal officer (county counsel). Such legal officer shall be requested
to take immediate action to safeguard the confidential nature of the records.
40.6.7 Release to Schools
Confidential case information may be released to county superintendents of schools
and superintendents of school districts, and their representatives, as necessary for
the administration of federally-assisted programs which provide assistance in cash,
in-kind, or services directly to individuals on the basis of need. If such confidential
information is released, the superintendent shall be informed of the criminal
prohibition against the use or disclosure of such information for any purpose other
than that for which it was obtained.
Information concerning the number of CalWORKs families living within a particular
school district requested to support entitlement to funds under the Elementary and
Secondary Education Act (ESEA) may be released to authorized representatives of
the school district. A signed agreement with the school district stating that the
confidential information obtained will only be used for purposes of fund claiming
under the ESEA and that the district understands that there is a criminal penalty for
release or use by the school district for any other purpose shall be obtained. The
prohibition includes the use of confidential records to identify applicants or
recipients to school teachers and administrators.
Note:
Written consent must be obtained from the client prior to releasing specific
client information to any school official, such as but not limited to, verification
of the receipt of or the amount of assistance a client is receiving.
40.6.8 Disclosure to Parents Who Wish to be Reunited With Their Family
• Where a person claims to be an absent parent, his/her identification should be
verified.
• No acknowledgement to the requesting parent that the child(ren) or other parent
are receiving aid may be made.
• If the family is aided, the aided caretaker shall be contacted for permission to
release information. If permission is granted, the information shall be released.
• If the absent parent alleges that the aided parent has kidnapped, abused or
neglected the child(ren), the case must be referred to the child protective
services for appropriate action. The name and address of the applicant or
recipient may be released to law enforcement officials for the purpose of locating
abducting parents and the abducted child(ren).
40.6.9 Release to Research Organizations
Information requested by research organizations may be released without
authorization of the applicant/recipient, provided that specific case information is
not released, only case load statistics as a whole. Research organizations
requesting information must guarantee in writing that they will meet the conditions
and protections of this division and W&I Code Section 10850.
40.7 Release to Client or Authorized Representative (AR)
For purposes of this section, an authorized representative (AR) is a person or
group who has authorization from the applicant/recipient to act on his/her behalf.
Prior to releasing any case information, the client or AR must be properly identified.
Acceptable items to identify the client or AR may include but are not limited to such
items as identification card, case number, driver’s license number, social security
account numbers or the mother’s maiden name.
40.7.1 Authorized Representative Authorizations
Except as otherwise provided, all authorizations to provide information to an
authorized representative (AR) are to be provided by the client in writing. Written
authorizations shall be dated and shall expire one year from the date on which they
are given unless they are expressly limited to a shorter period or revoked. In cases
involving pending appeals or state hearings, the time period, unless the
authorization is expressly limited or revoked, shall extend to the final disposition of
the issue involved in the fair hearing or, where applicable, by the courts.
When the AR and the client or responsible relative caring for the CalWORKs child
are both present, written authorization is required for that particular occasion.
40.7.2 Information Supplied By the Client
Information relating to eligibility that was provided solely by the client contained in
applications and other records made or kept by the Social Services Agency in
connection with the administration of the public assistance program shall be open
to inspection by the client or his/her AR.
40.7.3 Telephone and Email Inquiries
Information provided by the client may also be released to the client and their AR
by telephone and email when they have been properly identified. [See Telephone
Authorizations below for acceptable items that may be used to identify a client or
AR.] In instances where the client has previously provided us with their email
address, this is sufficient verification that the request for information is coming from
the client.
Reminder:
Any email correspondence containing Personal Identifiable Information (PII)
must be sent as Secure email.
Information that was NOT provided by the client, such as Client Index Number
(CIN), absent parent’s whereabouts etc., shall not be disclosed.
When the AR and the client, or responsible relative caring for the CalWORKs child
are both present, no written authorization is required for that particular occasion.
40.7.4 Telephone Authorizations
Telephone Authorizations may be accepted in lieu of a written authorization where
circumstances ensure that the applicant or recipient has adequately identified
him/herself to the county. A telephone authorization is temporary and should be
followed up by a written authorization and documented in the Maintain Case
Comments subsystem.
Acceptable items to identify the applicant or recipient by phone may include but are
not limited to such items as case numbers, driver’s license numbers, social security
account numbers or the mother’s maiden name.
The procedure for telephone authorizations will usually involve the client first calling
their EW and notifying them of who will be calling on his/her behalf. This call will
authorize the release of confidential information. Examples of typical
circumstances for releasing confidential information by telephone authorization
include inquiries from medical offices, welfare rights organizations or legislators
calling on behalf of the recipients.
40.7.5 Applicant/Recipient Written Requests for Assistance to Legislators
Written inquiries to members of legislative bodies signed by applicants or recipients
of public social services concerning the receipt of public social services may serve
as authorization for release of information sufficient to answer such an inquiry.
40.7.6 Release of Information in Conjunction With a State Hearing
The client or his/her attorney or AR may inspect the case records including the
entire case narrative relating to the client.
40.8 Information Which May NOT Be Released to the Client or Authorized Representative
Portions of the client’s record which would qualify as privileged communications as
defined by Evidence Code. This would include Sections 954 (lawyer-client) and
1041 (identity of informer).
Note:
The physician-patient privilege in Evidence Code Section 990 belongs to the
patient and may be waived by him/her. The right of the patient to inspect
his/her records is confined to records maintained by the CWD and does not
extend to the records kept by the physician.
[Refer to “Privileged and Confidential Information [EAS 19-006],” page 42-2]
40.9 Eligibility Determinations
The following is allowed when making eligibility determinations:
40.9.1 Collateral Contacts
Individual consent forms, signed by the applicant or recipient are required for each
contact made during the evidence gathering process. An exception to this rule is
found in MPP Section 20-007.36 which exempts Special Investigative Units (SIUs)
from the requirement of permission to contact collateral sources.
40.9.2 Permission
If the client does not wish the county to contact a private or public source in order to
determine eligibility, the client shall have the opportunity to obtain the desired
information or verification for him/herself.
40.9.3 Acceptability and Discontinuances
If the information or verification is unacceptable to the county and the applicant
refuses to grant the county permission to collect the information, the applicant will
be given the opportunity to withdraw his/her application or the application shall be
denied for noncooperation.
Recipients who refuse to give consent for a collateral contact for which no
acceptable evidence or verification has been obtained by the recipient, shall be
given the opportunity to withdraw from the program or shall be terminated.
40.9.4 Outside Contacts by Agencies Other than the CWD
When the assigned Eligibility Worker determines eligibility, he/she shall inform the
client that, if it is necessary to contact outside sources (including employers) and
the client wishes to keep the service confidential, he/she is entitled to request that
such contacts be made by our Agency.
The Social Services Agency, upon notification of the individual’s request, shall
make the outside contacts for the client. While the client may not object to such
contacts, he/she may object to a contact’s learning of the particular kind of service
sought. To the maximum extent possible, such inquiries should not reveal the
specific nature of the service sought by the client.
40.10 Documentation in Case Record
The purpose of public assistance and social service records is to evidence eligibility
and the delivery of public social services. The applicant/recipient’s record should
only contain facts relevant to his/her case.
40.11 Medi-Cal Personal Identifiable Information (PII)
Federal law requires that a Medi-Cal client’s Personally Identifiable Information
(PII) be protected and secured. As such, the California Department of Health
Services (DHCS) and the County of Santa Clara have entered into a “Medi-Cal
Data Privacy and Security Agreement.”
All information, whether written or oral, of any individual for whom or about whom
information is obtained is confidential and must be safeguarded.
40.11.1 Privacy and Confidentiality
Client’s information, such as: name, social security number, date of birth, driver’s
license or identification number and address are confidential and shall be
safeguarded.
County workers must only use or disclose client’s information to perform their
official job related functions.
Unauthorized disclosure is a violation of Welfare & Institutions Code, Section
14100.2 and County Policy and is subject to disciplinary action, as well as civil and
criminal sanctions.
40.11.2 MEDS Privacy and Confidentiality
Staff is not to share their Medi-Cal Eligibility Data System (MEDS) password or
User Name with anyone. Passwords must be changed immediately if revealed.
Any suspected unauthorized use of an ID or password is to be reported to the
Supervisor/Manager immediately.
Any unauthorized release of confidential information will be subject to civil and
criminal sanctions.
40.11.3 CalWIN Privacy and Confidentiality
All CalWIN information is confidential and must not be disclosed. Unauthorized
disclosure is a violation of County Policy and a violation of law.
Information may not be accessed unless there is a legitimate business need to do
so. Information may not be disclosed to anyone who does not have a legitimate
business need to receive it.
40.11.4 Computer Security Safeguards
The “Send Secure” e-mail option must always be used in Outlook when sending
messages containing information to recipients outside of our Agency. Staff must
ensure that data is encrypted when using Removable Media (Jump
Drives/CD/USB) to transport client information.
Staff must always log off/lock computer (using Ctrl+Alt+Delete) when away
from the work station, to avoid unauthorized access.
40.11.5 Physical Security
All client’s information must be stored in an area that is physically safe from access
by unauthorized persons during working and non-working hours.
County workers must wear their identification badges at all times.
40.11.6 Paper Control Documents
All paperwork containing client’s information must be discarded in burn bags. Burn
bags must be emptied daily, following the Agency’s Burn Bag Policy.
[Refer to “Burn Bag Policy,” page 40-26]
Staff is not to take any paperwork and/or file containing client’s information outside
the Agency except for identified routine/approved business purposes (i.e., home
visit).
Faxes and copies containing client information must be promptly picked up from fax
machines, as well as printers and copiers.
Client information must NEVER be left unattended at any time.
40.11.7 Miscellaneous
Clients’ names or personal information are NEVER to be discussed with co-workers
not associated with the case, friends or family members. Staff is to avoid
discussions involving personally identifiable information in hallways or public
places.
Note:
Persons receiving faxes containing client information in error must be notified
to destroy them immediately.
40.12 Federal Tax Information (FTI)
Both the Internal Revenue Service (IRS) and the Social Security Administration
(SSA) require agencies that receive, store, process or transmit FTI to develop,
document, and disseminate policy and procedures covering incident response for
FTI. Additionally, the SSA requires agencies that receive PII to establish a similar
incident response process.
FTI is data originally sourced from a federal tax return that the IRS then provides to
social services agencies. When the same information is provided by the taxpayer to
the county, it is NOT FTI.
Example:
If Jane Doe provides the county with her federal tax return, this data is not
considered FTI. When the IRS provides data from Jane Doe’s federal tax
return directly to the county, this data is considered FTI.
40.13 Breach of Confidentiality Policy
[ACL 15-56, IRS Code Sect 6103, SSA Public Law 98-369 Sect 1137]
It is the responsibility of every county employee to protect the security and
confidentiality of clients’:
• Medi-Cal Personal Identifiable Information (PII)
• Federal Personally Identifying Information (PII)
• Federal Tax Information.
This section outlines the steps to be taken in the event of a real, perceived or
potential Medi-Cal or Federal PII or FTI security incident. To minimize county-wide
impact, it is imperative that a formal reporting and response policy be followed
when reporting Medi-Cal or Federal PII or FTI security incidents.
This policy applies to all users and staff with direct or indirect access to Medi-Cal
client information whether or not on County premises.
40.13.1 Responsibility
Designated personnel have the responsibility to take the action indicated in this
section in a timely manner as dictated by the nature and severity of the incident.
Those incidents having agency-wide implications should be given the most
immediate attention, including escalation during any time period, 24 hours a day/7
days a week:
User
Reports any perceived Medi-Cal or Federal PII or FTI security incidents to his/her
Supervisor or Manager.
Supervisor/Manager
• Evaluates the reported security incident.
• Keeps a record of actions taken.
• Completes the “Medi-Cal Personally Identifiable (PII) Incident Report”
(SCD 2284), if the Medi-Cal or Federal PII or FTI could have been accessed or
viewed by anyone other than those with direct business needs.
• Submits the SCD 2284 within the date of discovery to the Medi-Cal/Federal PII
and FTI Security Coordinator at 333 W. Julian Av.
• Takes prompt corrective action to reduce the risk of similar incidents.
Medi-Cal/Federal PII and FTI Security Coordinator
Receives the SCD 2284 and notifies the appropriate agencies if the information
breach involved any Information Systems Asset.
40.13.2 Frequently Asked Questions
The following are frequently asked questions concerning a breach of confidentiality:
• What is a privacy or security breach?
A privacy or security breach is an intended or unintended unauthorized
disclosure of client Medi-Cal data or personally identifiable information (PII).
Privacy or security breaches may be paper or electronic. If the breach involves
computerized information that is unencrypted, including name, social security
number (SSN), Department of Motor Vehicles (DMV) financial account
information, then the breach triggers state breach notification law.
• What are some examples of privacy or security breaches that involve
paper?
• Misdirected paper faxes with PII outside of Santa Clara County’s Social
Service Agency.
• Loss or theft of paper documents or listings containing PII.
• Mailings to incorrect providers or beneficiaries.
• What are some examples of electronic privacy or security breaches?
• Stolen, unencrypted laptops, hard drives, PCs with PII.
• Stolen, unencrypted thumb drives with PII.
• Stolen briefcases with unencrypted compact discs containing PII.
• Misdirected electronic fax with PII to persons outside of Santa Clara County’s
Social Services Agency.
• If some of the information is stolen or otherwise involved in a privacy or
security breach, does this mean that the client is a victim of identity theft?
No, this does not mean that the client is a victim of identity theft. The fact that
some of the information may have been involved in a privacy breach does not
mean that a person attempted to or did access the information or that the
information has been used inappropriately. Clients may be advised to place a
fraud alert on their credit files and review their credit reports.
• How will clients know if any of their personal information was used by
someone else?
The best way to find out is for them to order their credit reports from the three
credit bureaus: Equifax, Experian and Trans Union. If they notice accounts on
their credit report that they did not open or applications for credit (“inquiries”) that
they did not make, these could be indications that someone else is using their
personal information, without permission.
• Do clients have to pay for a credit report?
As a possible fraud victim, they are entitled to a free copy of their credit report.
They can call any one of the three credit bureaus at the numbers provided and
follow the “fraud victim” instructions. They will automatically place a fraud alert
on their credit file with all three of the bureaus.
They will soon receive a letter from each bureau confirming the fraud alert and
telling them how to order a free copy of their credit report. Clients should follow
the instructions in the letters to receive their free reports.
NOTE: This free credit report that they are entitled to as a potential fraud victim
is in addition to the free annual report that everyone is now entitled to. Clients
should be referred to www.privacy.ca.gov for more information on the free
annual report.
• Trans Union - 1-800-680-7289
• Experian - 1-888-397-3742
• Equifax - 1-800-525-6285
• Are credit bureaus going to ask for the client’s SSN? Is it okay to provide
it?
The credit bureaus ask for an SSN and other information in order to identify the
client and avoid sending their credit report to the wrong person. It is okay for the
client to give this information to the credit bureau that they call.
• Does the client have to call all three credit bureaus?
No. If they call just one of the bureaus, that bureau will notify the other two. A
fraud alert will be placed on their file with all three and the client will receive a
confirming letter from all three.
• Why can’t the client talk to someone at the credit bureaus?
They must first order their credit reports. When they receive their reports, each
one will have a phone number they can call to speak with a live person in the
bureau’s fraud unit. If they see anything on any of their reports that looks
unusual or that they don’t understand, they may call the number on the report.
• What is a fraud alert?
A fraud alert is a message that credit issuers receive when someone applies for
new credit in their name. The message tells creditors that there is a possible
fraud associated with the account and gives them a phone number to call (the
client’s) before issuing new credit. When the client calls the credit bureau fraud
line, he/she will be asked for identifying information and will be given the
opportunity to enter a phone number for creditors to call. The client may want to
make this his/her cell phone number.
• Will a fraud alert stop the client from using his/her credit cards?
No. A fraud alert will not stop the client from using his/her existing credit cards or
other accounts. It may slow down his/her ability to get new credit. Its purpose is
to help protect the client against identity thieves trying to open credit accounts in
their name. Credit issuers get a special message alerting them to the possibility
of fraud. Creditors know that they should take “reasonable steps” to re-verify the
identity of the person applying for credit.
• How long does a fraud alert last?
An initial fraud alert lasts 90 days. An alert can be removed by calling the credit
bureaus at the phone number given on a credit report. If the client wants to
reinstate the alert, he/she can also do so.
• What if the client has a fraud alert on, but wants to apply for credit?
The client should still be able to get credit. While a fraud alert may slow down the
application process, the client can prove his/her identity to a prospective creditor
by providing identifying information.
• How long does it take to receive a credit report?
It could take about 20 days from the day the client calls the credit bureaus. It
takes about 5 to 10 days from the time the client calls the credit bureaus to get
his/her fraud alert confirmation letter with instructions on ordering his/her credit
report. The client should receive his/her reports in another 5 to 10 days from the
time they are ordered.
• Should the client contact the Social Security Administration and change
his/her SSN?
The Social Security Administration rarely changes a person’s SSN. The mere
possibility of fraudulent use of the client’s SSN would probably not be viewed as a
justification. There are drawbacks to doing so. The absence of any history under
the new SSN would make it difficult to get credit, continue college, rent an
apartment, open a bank account, get health insurance, etc. In most cases,
getting a new SSN would not be a good idea.
• Should the client close his/her bank account?
No, not unless the client’s bank account number was among the items of
personal information compromised in the breach. As a general privacy protection
measure, the client should limit the use of his/her SSN where it is not required. For
example, if his/her bank account number or PIN is the client’s SSN, he/she
should ask the bank to give him/her a different number. Clients should NOT use
the last four digits of their SSN, their mother’s maiden name or their birth date as
a password for financial information.
• Should the client close his/her credit card or other accounts?
No, not unless his/her account number was among the items of personal
information compromised in the breach. As a general privacy protection
measure, the client should always look over his/her credit card bills carefully to
see if there are any purchases he/she didn’t make. If so, the card company
should be contacted immediately.
• What should a client look for on his/her credit report?
The client should look for any accounts that he/she doesn’t recognize, especially
accounts opened recently. Clients should look at the inquiries or requests section
for names of creditors from whom they haven’t requested credit. It should be
noted that some kinds of inquiries, labeled something like “promotional
inquiries,” are for unsolicited offers of credit, mostly from companies with whom
they do business.
Clients should not be concerned about those inquiries as a sign of fraud.
(Persons are automatically removed from lists to receive unsolicited
pre-approved credit offers when a fraud alert is placed on an account. Offers can
also be stopped by calling 888-5OPTOUT).
Clients should look into the personal information section for addresses where
they’ve never lived. Any of these things might be indications of fraud. Also they
should be on the alert for other possible signs of identity theft, such as calls from
creditors or debt collectors about bills that they don’t recognize, or unusual
charges on their credit card bills.
• What happens if the client finds out that they have been a victim of identity
theft?
The client should immediately notify his/her local law enforcement agency,
contact any creditors involved and notify the credit bureaus. For more
information on what to do, they should view the Identity Theft Victim Checklist on
the Identity Theft page of the California Office of Privacy Protection’s Website at
www.privacy.ca.gov.
• How often should a client order new credit reports and how long should
he/she go on ordering them?
It might be a good idea for clients to order copies of credit reports every three
months for a while. How long they continue to order them is up to them. Identity
thieves usually, but not always, act soon after stealing personal information. We
recommend checking credit reports at least twice a year as a general privacy
protection measure.
• I heard that the client could “freeze” his/her credit files. How does that
work?
A security freeze is a stronger measure than a fraud alert. A freeze prevents
others from seeing the client’s credit history without his/her permission. Unlike
the fraud alert that lasts 90 days, a credit freeze remains in effect until such time
as the consumer elects to terminate the freeze. It costs $10 to place a freeze
with each of the three credit bureaus, for a total cost of $30. The client can also
temporarily lift the freeze for $10, if he/she wants to apply for new credit. For
more information on the freeze, the client should view the Identity Theft page of
the Office of Privacy Protection’s Website:
http://www.privacy.ca.gov/cover/identitytheft.htm. If the client has no internet
access, they may call the California Office of Privacy Protection at
1-866-785-9663.
• If the notice is addressed to a child who is a minor, what should the client
do?
The client should call each of the credit bureaus at the numbers in the notice
letter. The fraud cues on the automated system should be followed and the
child’s information entered. If he/she gets a message of “report not found” or
something of that nature, that’s good. That means the child doesn’t have a credit
history. A creditor doing a credit check would get the same message, pretty
much eliminating the risk of new credit being established in the child’s name.
The client may want to go through this process every few months for six months
to a year.
If the fraud alert process goes through, then the client will receive a confirming
letter in the mail from each of the credit bureaus with instructions for ordering
his/her child’s credit report. The client should check the report(s) and call the
credit bureaus about any information that looks suspicious or inaccurate.
• If the notice is addressed to the client’s spouse, who is deceased, what
should the client do?
The client should call each of the credit bureaus at the numbers in the notice
letter. The fraud cues should be followed and the deceased person’s information
entered. If the message received says “reported deceased” or “no report on file”
or something of that nature, that’s good. That means the credit bureaus have
been notified by the Social Security Administration that the holder of the SSN is
deceased.
A creditor doing a credit check would get the same message, pretty much
eliminating the risk of new credit being established in the deceased person’s
name/number.
NOTE: Counties notify SSA when a death certificate is filed.
If the fraud alert process on the automated phone system goes through, that
may mean that the credit bureaus haven’t been notified of the death. In that case
the spouse (or the executor of the estate) would notify the credit bureaus in writing
that the person is deceased and that the person’s information may be at risk of
identity theft. The credit bureaus will flag the file as deceased. The spouse (or
executor) must include the following information in the letters to the credit
bureaus:
• Deceased’s full name, date of birth, most recent address and SSN.
• Copy of the death certificate.
• The spouse may request and receive a copy of the deceased’s credit report at
the spouse’s home address.
• An executor wishing to receive a copy of the deceased’s credit report should
enclose a copy of the executorship papers.
Mail to the credit bureau addresses below:
• Experian - Phone: 888-397-3742; TDD: 800-972-0322; Address: P.O. Box 9532,
Allen, TX 75013
• Trans Union - Phone: 800-680-7289; TDD: 877-553-7803; Address: P.O. Box 6790,
Fullerton, CA 92834
• Equifax - Phone: 800-525-6285; TDD: 1-800-255-0056 and ask for Auto Disclosure
Line, 1-800-685-1111; Address: P.O. Box 740241, Atlanta, GA 30374-0241
40.14 Numbering System in District Offices
To preserve client confidentiality, it is necessary for district offices to utilize a
numbering system when calling clients from the lobby. Workers must extend their
voice mail greeting to include: “Due to client confidentiality, if you are in the lobby,
please take a number and state it on the voice mail message along with your name
and case number.”
40.14.1 Clerical Staff
Clerical staff will no longer call clients by their name. Instead, clerical staff will call
the client to the appropriate window using the numbering system. District Office
procedures must be followed in order to process the particular request.
40.14.2 Eligibility Staff
Eligibility Workers (EWs) and Department of Employment and Benefit Services
(DEBS) staff must page clients to the designated area using either:
• The number the client has selected, or
• The client’s first name or last name, not both, or
• The process established in the respective district office.
Note:
There may be a variance to the numbering system in each district office, as
policy is established using Social Services Program Manager (SSPM)
discretion.
40.15 Confidentiality in Office Lobbies
As part of the DEBS Program Improvement Plan to ensure the safeguard of
confidential information, the “Personal Information Registration” form (SCD 2377) is
to be used in office lobbies. This form replaces the interactive verbal request of
personal information needed to identify the case in reception areas. The process
associated with the form is as follows:
• Client approaches reception area based on order, such as through
kiosk-assigned number.
• Instead of front desk staff verbally requesting client Personal Information (PI),
the SCD 2377 is given to the client to complete.
• Front Desk Staff utilizes the PI on the form to assist client as per current
procedures (i.e. researches CalWIN or other systems, etc).
• Upon completion of current procedures, the SCD 2377 is placed in burn bag.
40.16 Burn Bag Policy
Documents containing client information are strictly confidential and must be
treated as such. Under no circumstances are documents containing any source of
client information to be disposed of in regular trash receptacles. The Social
Services Agency provides “burn bags” to all employees to discard such information
(in the absence of a paper shredder).
Placing documents in a burn bag does not in itself comply with confidentiality
requirements. To protect client information, burn bags cannot be left out in the
open. On a daily basis, upon ending their shift, staff is to do the following with burn
bags containing confidential information:
• Place the burn bag in a drawer that has lock capabilities, or
• Shred the documents that were placed in the burn bag, or
• Empty the contents of the burn bag in one of the locked bins provided in each
district office.
There are no exceptions to this rule. Under no circumstances is staff allowed to
leave at the end of their shift without having taken one of the above actions with
their burn bags.