Presented by:
Roberta Ward
CDHS Privacy Officer
Phone: (916) 440-7750
www.dhs.ca.gov/privacyoffice
Before We Begin…
• Please write on your paper the following:
– Your Name
– Your Date Of Birth
– Your Height
– Your Weight
– One Medical Condition that you have
(Examples: Allergies, migraines, heart
palpitations)
Privacy Breach
• A Privacy Breach is an unauthorized
disclosure of PHI/PCI that violates either federal
or state laws
– Federal: HIPAA Privacy Rule
– State: Information Practices Act of 1977
• Privacy Breaches may be paper or electronic
– Electronic breaches when name plus social security
number, or DMV, or financial account number are
involved require individual notification by law
– CDHS is notifying individuals when name and SSN
are on paper documents as well
What is PHI?
• PHI is information that identifies or can
be used to identify an individual
• Information that relates to the:
– Past, present or future health condition of
that individual
– Health care provided to that individual
– Payment for that health care
• Information in any form, including paper,
electronic (ePHI), and oral
communications
What Constitutes PHI – 18 Identifiers
• Name
• Address – Street address,
city, county, zip code (more
than 3 digits) or other geographic
codes
• Dates directly related to
patient (except year),
including DOB, admission
or discharge date
• Telephone & FAX Numbers
• Driver’s License Number
• Email Addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary
Number
• Account Number
• Certificate/License number
• Any vehicle or device serial
number, including license
plates
• Web Addresses (URLs)
• Internet Protocol (IP)
Address
• Finger or Voice Prints
• Photographic Images
• Any other unique identifying
number, characteristic, or
code
• Age greater than 89 (as the
90 year old and over
population is relatively small)
What is NOT PHI?
• De-identified data is NOT covered by HIPAA
• HIPAA does NOT cover:
– Employee Records
– Workers’ Compensation Records
– Records about Providers
• HOWEVER, CDHS considers all three of
these records “personal confidential
information” (PCI) and therefore must be
safeguarded in the same manner as PHI
“Personal Confidential Information”
(PCI)
• Information that is not public
which identifies or describes an
individual including:
–
–
–
–
–
–
–
Names
Home Addresses
Home Telephone Numbers
Social Security Numbers
Medical or Employment Histories
Personnel Records
Licensing Records
Information Practices Act
(California Civil Code section 1798 et seq.)
• Establishes requirements for all state agencies
for the collection, maintenance & dissemination
of personal information
• Allowed Disclosures:
– To a person/agency where transfer is necessary to
perform duties
– To a law enforcement/regulatory agency when
required for an investigation or for licensing,
certification, or regulatory process
– To another person/governmental organization for
investigation of failure to comply with a law enforced
by the agency
Examples of
Paper Breaches
• Misdirected paper faxes with
PHI/PCI outside of CDHS
• Loss or theft of paper documents
containing PHI/PCI
• Mailings to incorrect providers or
beneficiaries
Examples of
Electronic Breaches
• Stolen, unencrypted laptops, hard drives,
PCs with PHI/PCI
• Stolen, unencrypted thumb drives with
PHI/PCI
• Stolen briefcases with unencrypted
compact discs containing PHI/PCI
• Misdirected electronic fax with PHI/PCI to
person outside of state government
California Anti-Identity
Theft Law
• Senate Bill 1386 (Chapter 915, Statutes of 2002)
requires that any breach of security of
computerized data that includes personal
information must be disclosed to any resident of
California
– Applies to state agencies, persons or businesses that
conduct business in California
– personal information was unencrypted and was or is
reasonably believed to have been acquired by an
unauthorized person
Anti-Identity Theft/
Breach Notification Statute
• Civil Code sections 1798.29 and 1798.82 Requires
notification to California residents when there is a
breach of unencrypted electronic data containing
the following personal information:
 The individual’s first name or first initial and last name in
combination with any one or more of the following
data elements:
• Social Security Number
• Driver’s license or California ID number
• Account number, credit or debit card number in
combination with security code, access code or password
Identity Thief #1
• Specialized in cashing phony checks
using her victims
checking accounts. This highly
productive identity thief was arrested
with a virtual goody bag of stolen
identities indicating a dozen or more
recent victims:
Sentence:
Over 13 years in
prison
–
–
–
–
15 fraudulent university id cards
12 fraudulent driver licenses
14 checks to be drawn on various accounts
Maps with directions to local area banks
Identity Thief #2
• When this identity thief was arrested,
she had a number of items indicating
her specialty was in committing fraud
in large volumes:
Sentence:
2.5 years in
prison
–
–
–
–
Several laptop computers
An ID manufacturing machine
ID counterfeiting credit card machine
500 profiles of people (intended victims)
• When arrested at the Phoenix airport,
she had in her possession a plane
ticket bought with a stolen credit card
and several fake identifications.
Identity Thief #3
Sentence:
2 years in prison
• This identity thief used his job at a
local area auto dealer to obscure his
real cash making endeavor as an
identity thief who created fake
drivers licenses.
• Identity thief #3 then would sell them
to other employees for $75 apiece.
The fake ID’s would then be used to
obtain loans on used vehicles on
behalf of illegal immigrants.
Timing
• California law requires the notice be
made “in the most expedient time
possible and without unreasonable
delay”
• Time may be allowed for law
enforcement, if the notification would
impede a criminal investigation
Reporting Privacy Breaches
• CDHS employees and business
associates must take immediate action
and report all Privacy Breaches to:
– Your Supervisor
– CDHS Privacy Officer
– Information Security Officer
• Privacy Breaches DO NOT include:
– Misdirected mail within CDHS
– Emails transmitted from outside CDHS to wrong
email within CDHS or unencrypted email
Internal
Reporting Procedures
1. Inform your manager or supervisor of an unauthorized
disclosure or potential breach.
2. Send an email or call the Privacy Office with the
following information:
–
–
–
Brief description of the incident
Date, time, and location of the incident
Name of affected parties/witnesses
3. A written report to the CDHS Privacy Officer is
required after the initial email or call.
–
Use the Privacy Breach Reporting Form to describe the
incident, identify potential harm & determine a corrective
action plan to prevent future occurrences
Please see Privacy Breach Reporting Form
Privacy Office Procedures
1. Upon receipt of a report of a potential breach,
the Privacy Office staff is responsible for
notifying:
•
•
•
•
Program Area’s Chief
Deputy Director
Deputy Director
Assistant Deputy Director
OLS Deputy Director
•
•
•
•
•
Privacy Officer
ISO
Rich Bayquen
Person who notified
Agency
2. A complete investigation is then performed.
•
The investigative team may include but is not limited to
members of CDHS Privacy Office, Audit & Investigations
Division, & program staff.
Privacy Office Procedures
cont…
3. Privacy Office will work closely with program staff
to perform the following:
a. Mitigation activities, including any legally required
notification to beneficiaries
•
Notification must be given to individuals in the most expedient
time possible and without unreasonable delay
b. Formal Corrective Action Plan
c. Remediation Efforts
d. Follow up to ensure all resolution activities are
completed
e. Formal Agency Breach Report to close out breach
Please see Agency Breach Report
Office of Privacy Protections
Notification
Recommendations
• Notification letter: Advise individuals of steps they can
take to protect themselves against possibility of identity
theft
• Recommend contacting the three credit reporting
agencies: Equifax, Experian, and Trans Union
• If find suspicious activity on credit reports, call your local
police or sheriff and file an identity theft report
– Contact DMV (Fraud Hotline: 866-658-5758) to place fraud alert
on your driver’s license
• California Office of Privacy Protection Recommendations
available at: www.privacy.ca.gov
Please see Sample Notification Letter
Breach Contacts
Privacy Officer
E-mail: privacyofficer@dhs.ca.gov
Phone: (916) 440-7750
FAX: (916) 440-7710
Information Security Officer
E-mail: dhsiso@dhs.ca.gov
Phone: (916) 440-7000 or
(800) 579-0874