Presented by: Roberta Ward, CDHS Privacy Officer
Phone: (916) 440-7750
www.dhs.ca.gov/privacyoffice

Before We Begin…
• Please write on your paper the following:
  – Your Name
  – Your Date Of Birth
  – Your Height
  – Your Weight
  – One Medical Condition that you have (Examples: Allergies, migraines, heart palpitations)

Privacy Breach
• A Privacy Breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws
  – Federal: HIPAA Privacy Rule
  – State: Information Practices Act of 1977
• Privacy Breaches may be paper or electronic
  – Electronic breaches involving a name plus a social security number, DMV number, or financial account number require individual notification by law
  – CDHS is notifying individuals when name and SSN are on paper documents as well

What is PHI?
• PHI is information that identifies or can be used to identify an individual
• Information that relates to the:
  – Past, present or future health condition of that individual
  – Health care provided to that individual
  – Payment for that health care
• Information in any form, including paper, electronic (ePHI), and oral communications

What Constitutes PHI – 18 Identifiers
• Name
• Address – Street address, city, county, zip code (more than 3 digits) or other geographic codes
• Dates directly related to patient (except year), including DOB, admission or discharge date
• Telephone & FAX Numbers
• Driver’s License Number
• Email Addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certificate/License number
• Any vehicle or device serial number, including license plates
• Web Addresses (URLs)
• Internet Protocol (IP) Address
• Finger or Voice Prints
• Photographic Images
• Any other unique identifying number, characteristic, or code
• Age greater than 89 (as the 90-year-old and over population is relatively small)

What is NOT PHI?
• De-identified data is NOT covered by HIPAA
• HIPAA does NOT cover:
  – Employee Records
  – Workers’ Compensation Records
  – Records about Providers
• HOWEVER, CDHS considers all three of these records “personal confidential information” (PCI), which therefore must be safeguarded in the same manner as PHI

“Personal Confidential Information” (PCI)
• Information that is not public which identifies or describes an individual, including:
  – Names
  – Home Addresses
  – Home Telephone Numbers
  – Social Security Numbers
  – Medical or Employment Histories
  – Personnel Records
  – Licensing Records

Information Practices Act (California Civil Code section 1798 et seq.)
• Establishes requirements for all state agencies for the collection, maintenance & dissemination of personal information
• Allowed Disclosures:
  – To a person/agency where transfer is necessary to perform duties
  – To a law enforcement/regulatory agency when required for an investigation or for licensing, certification, or regulatory process
  – To another person/governmental organization for investigation of failure to comply with a law enforced by the agency

Examples of Paper Breaches
• Misdirected paper faxes with PHI/PCI outside of CDHS
• Loss or theft of paper documents containing PHI/PCI
• Mailings to incorrect providers or beneficiaries

Examples of Electronic Breaches
• Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI
• Stolen, unencrypted thumb drives with PHI/PCI
• Stolen briefcases with unencrypted compact discs containing PHI/PCI
• Misdirected electronic fax with PHI/PCI to a person outside of state government

California Anti-Identity Theft Law
• Senate Bill 1386 (Chapter 915, Statutes of 2002) requires that any breach of security of computerized data that includes personal information must be disclosed to any resident of California
  – Applies to state agencies, persons or businesses that conduct business in California
  – Applies when the personal information was unencrypted and was, or is reasonably believed to have been, acquired by an unauthorized person

Anti-Identity Theft / Breach Notification Statute
• Civil Code sections 1798.29 and 1798.82
• Requires notification to California residents when there is a breach of unencrypted electronic data containing the following personal information: the individual’s first name or first initial and last name in combination with any one or more of the following data elements:
  – Social Security Number
  – Driver’s license or California ID number
  – Account number, credit or debit card number in combination with security code, access code or password

Identity Thief #1
• Specialized in cashing phony checks using her victims’ checking accounts. This highly productive identity thief was arrested with a virtual goody bag of stolen identities indicating a dozen or more recent victims:
  – 15 fraudulent university ID cards
  – 12 fraudulent driver licenses
  – 14 checks to be drawn on various accounts
  – Maps with directions to local area banks
• Sentence: Over 13 years in prison

Identity Thief #2
• When this identity thief was arrested, she had a number of items indicating her specialty was in committing fraud in large volumes:
  – Several laptop computers
  – An ID manufacturing machine
  – ID counterfeiting credit card machine
  – 500 profiles of people (intended victims)
• When arrested at the Phoenix airport, she had in her possession a plane ticket bought with a stolen credit card and several fake identifications.
• Sentence: 2.5 years in prison

Identity Thief #3
• This identity thief used his job at a local area auto dealer to obscure his real cash-making endeavor as an identity thief who created fake driver’s licenses.
• Identity thief #3 then would sell them to other employees for $75 apiece. The fake IDs would then be used to obtain loans on used vehicles on behalf of illegal immigrants.
• Sentence: 2 years in prison

Timing
• California law requires the notice be made “in the most expedient time possible and without unreasonable delay”
• Time may be allowed for law enforcement, if the notification would impede a criminal investigation

Reporting Privacy Breaches
• CDHS employees and business associates must take immediate action and report all Privacy Breaches to:
  – Your Supervisor
  – CDHS Privacy Officer
  – Information Security Officer
• Privacy Breaches DO NOT include:
  – Misdirected mail within CDHS
  – Emails transmitted from outside CDHS to the wrong email address within CDHS, or unencrypted email

Internal Reporting Procedures
1. Inform your manager or supervisor of an unauthorized disclosure or potential breach.
2. Send an email or call the Privacy Office with the following information:
  – Brief description of the incident
  – Date, time, and location of the incident
  – Name of affected parties/witnesses
3. A written report to the CDHS Privacy Officer is required after the initial email or call.
  – Use the Privacy Breach Reporting Form to describe the incident, identify potential harm & determine a corrective action plan to prevent future occurrences
Please see Privacy Breach Reporting Form

Privacy Office Procedures
1. Upon receipt of a report of a potential breach, the Privacy Office staff is responsible for notifying:
  • Program Area’s Chief Deputy Director
  • Deputy Director
  • Assistant Deputy Director
  • OLS Deputy Director
  • Privacy Officer
  • ISO
  • Rich Bayquen
  • Person who notified
  • Agency
2. A complete investigation is then performed.
  • The investigative team may include but is not limited to members of CDHS Privacy Office, Audit & Investigations Division, & program staff.

Privacy Office Procedures cont…
3. Privacy Office will work closely with program staff to perform the following:
  a. Mitigation activities, including any legally required notification to beneficiaries
    • Notification must be given to individuals in the most expedient time possible and without unreasonable delay
  b. Formal Corrective Action Plan
  c. Remediation Efforts
  d. Follow up to ensure all resolution activities are completed
  e. Formal Agency Breach Report to close out breach
Please see Agency Breach Report

Office of Privacy Protection Notification Recommendations
• Notification letter: Advise individuals of steps they can take to protect themselves against the possibility of identity theft
• Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union
• If you find suspicious activity on credit reports, call your local police or sheriff and file an identity theft report
  – Contact DMV (Fraud Hotline: 866-658-5758) to place a fraud alert on your driver’s license
• California Office of Privacy Protection Recommendations available at: www.privacy.ca.gov
Please see Sample Notification Letter

Breach Contacts
Privacy Officer
E-mail: privacyofficer@dhs.ca.gov
Phone: (916) 440-7750
FAX: (916) 440-7710

Information Security Officer
E-mail: dhsiso@dhs.ca.gov
Phone: (916) 440-7000 or (800) 579-0874