Chapter 2 – Patients’ Entitlements and Responsibilities

Policy

• Protected Health Information (PHI) maintained by California Correctional Health Care Services (CCHCS) is private and confidential. CCHCS workforce members may not use or disclose PHI, except as permitted or required by this chapter or as otherwise permitted or required by law.

Purpose

• To provide guidance regarding general use and disclosure of PHI.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for the general use and disclosure of PHI.

• CCHCS workforce members shall report incidents of inappropriate disclosure of PHI to the CCHCS Office of Information Security Office (ISO) via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.

Use and Disclosure of PHI

• Use and Disclosure of PHI at Patient or Personal Representative Request

  • CCHCS workforce members may use or disclose PHI to the patient or the patient’s personal representative when requested pursuant to the HCDOM Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.

• Use and Disclosure of PHI for Treatment, Payment or Health Care Operations (TPO) Purposes

  • CCHCS workforce members may use or disclose PHI without patient authorization as follows:

    • For TPO activities related to CCHCS patients.

    • To communicate with or notify a patient’s family member or others involved in the patient’s care if the disclosure is in the best interest of the patient and it can be reasonably inferred the patient does not object.

    • To an entity conducting research, provided that the research has been approved by the California Health and Human Services Agency Committee for the Protection of Human Subjects or a legally authorized institutional review board or a privacy board as set forth in Health Insurance Portability and Accountability Act, Section 164.512(i).

    • To another covered entity (health care organization) or health care provider for its payment activities.

    • To another covered entity for its health care operations activities if CCHCS workforce members and the other covered entity have or had a relationship with the patient who is the subject of the PHI being requested, and the disclosure includes, but is not limited to, conducting the following:

      • Quality assessments and improvement activities, including developing clinical guidelines.

      • Competency assessments during practitioner and provider performance evaluations.

      • Approved health care fraud and abuse detection or compliance by CCHCS or another federal or state agency.

  • CCHCS workforce members shall process routine requests for all or a subset of patients’ PHI pursuant to the HCDOM, Sections 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information, and 2.3.4, Release of Protected Health Information.

  • Requests to access mental health records may be denied when:

    • A licensed health care professional determined that access could endanger the life or physical safety of the patient or another person.

    • The request is made by the patient’s representative, and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the patient or another person.

    • The report would be made to the patient’s representative, and the state entity determines the patient’s representative may be responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the patient.

    • For more information regarding the privacy and confidentiality of mental health records, contact m_MHPolicyUnit@cdcr.ca.gov.

• Use and Disclosure of PHI for Non-TPO Purposes

  • CCHCS workforce members shall not use or disclose PHI for non-TPO purposes unless the disclosure is pursuant to a valid written authorization from the patient or the personal representative of the patient, or meets an exception in one of the following HCDOM, Sections:

  • 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization

  • 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions

  • 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets

  • 2.2.9, Business Associate Use and Disclosure of Protected Health Information

  • 2.2.13, Handling Protected Health and Personally Identifiable Information

• Requirements for Use and Disclosures of Specially Protected Health Information

  • Specially Protected Health Information as defined in California’s Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information, is subject to further limitations pursuant to the HCDOM, Sections 2.3.4, Release of Protected Health Information, and 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.

• Third Party or Media Inquiries

  • CCHCS workforce members shall not use or disclose PHI pursuant to the HCDOM, Section 2.2.13 Handling Protected Health and Personally Identifiable Information.

• Health Records Disclosure

  • Disclosure of all or part of a patient’s health record shall be performed pursuant to the HCDOM, Chapter 2, Article 3, Health Information Management.

Policy

Purpose

• To authorize specific uses or disclosures of PHI based on patient’s authorization and to identify applicable requirements for such patient authorizations.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.

When Patient Authorization is Required

• As outlined in detail in the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain treatment, payment, or health care operations activities. In addition, privacy law permits the release of PHI without a patient’s authorization pursuant to specific exceptions outlined in the HCDOM, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exceptions, or pursuant to a Business Associate Agreement as provided in the HCDOM, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information. CCHCS workforce members shall require a signed authorization for all other uses and disclosures of PHI.

• Disclosure of the Health Record

• Health Information Management (HIM) is the custodian of the health record and shall have the sole authority to disclose the health record, in whole or in part, pursuant to patient authorization.

• Valid Authorizations

  • A patient’s or their personal representative’s authorization is considered valid if it contains at least the following elements:

    • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

    • The name or other specific identification of the person(s) authorized to make the requested use or disclosure.

    • The name or other specific identification of the person(s) to whom CCHCS may make the requested use or disclosure.

    • A description of each purpose of the requested use or disclosure and the specific uses and limitations on the use of the health information by the persons or entities authorized to receive it.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.

    • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure after which disclosure is no longer authorized.

    • A signature which serves no other purpose than to execute the document and date.  If the authorization is signed by a personal representative of the patient, a description of such representative’s authority to act for the individual must also be provided.

    • A statement that the patient has the right to revoke the authorization in writing and a description of how the individual may revoke the authorization.

    • A statement that CCHCS may not condition treatment on whether the patient signs the authorization.

    • A statement concerning the potential for the information disclosed to be subject to redisclosure by the recipient and no longer protected by applicable federal and state law.

    • A statement advising the patient of their right to receive a copy of the authorization.

    • The authorization must be in writing in at least 14-point type and must be clearly separate from any other language present in the same document.

  • The CDCR 7385, Authorization for Release of Protected Health Information, satisfies the above requirements and is the preferred form for disclosures pursuant to patient authorization.  Other authorization forms are disfavored but may be accepted if they conform to all the requirements listed above in section (d)(3)(A)1. through 11.

  • An authorization is considered defective and invalid if any material information in the authorization is known to be false by CCHCS or its workforce members or if any of the following defects exist:

    • The expiration date has passed.

    • The authorization has not been filled out completely or lacks a required element.

    • The authorization is known to have been revoked.

• Authorization for Specially Protected Health Information

• A valid written authorization to disclose specially protected health information shall be obtained before making such a disclosure.  Each specific type of specially protected health information disclosure requires a separate authorization and cannot be combined with an authorization requesting general health information.  Further information regarding specially protected health information including any exceptions can be found in the HCDOM Section, 2.3.4, Release of Protected Health Information.

• Revocation or Restriction of Authorization

  • A patient may revoke an authorization at any time in writing.  No such revocation shall apply to information already released while the authorization was valid and in effect.

  • Patients have the opportunity to agree or object to certain or specific uses and disclosures of their health information.

  • Exception: Alcohol and drug treatment participants may verbally revoke authorization to disclose information obtained from alcohol and drug treatment programs. Verbal authorizations and revocations must be documented and maintained in the health record.

• Verification of Individuals Receiving Information.

• Information about a patient may only be disclosed pursuant to a written authorization after verifying the identity of the person receiving the information.

Policy

Purpose

Responsibility

• The Chief Privacy Officer (CPO) shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI, PII, and HRCI maintained by CCHCS and is responsible for recommending sanctions for violations of privacy and information security laws, regulations, or policies.

• The Hiring Authority (HA) is responsible for imposing appropriate sanctions and informing the CPO of the sanction imposed.

• CCHCS workforce members shall safeguard PHI, PII, and HRCI against improper uses or disclosures and supervisors are responsible for assuring workforce members who have access to PHI, PII, and HRCI are informed of their responsibilities.

Procedure

• Sanctions and Penalties

  • The CPO shall consult with the Chief Information Security Officer, Performance Management Unit manager, HA, and CCHCS Office of Legal Affairs Privacy Attorney after fact-finding to make a recommendation regarding sanctions and progressive discipline.

  • CCHCS shall apply appropriate sanctions against workforce members who fail to comply with privacy and security laws, regulations, or policies, which include, but are not limited to, improperly viewing, using, disclosing, or allowing access to health information, failing to report a known breach, or reporting a privacy or information security incident in bad faith or for malicious reasons.  Sanctions shall be determined in accordance with civil service and departmental progressive discipline laws, regulations, and policies and shall be appropriate to the severity of the violation, up to and including termination.

  • Depending on the severity of the violation, law enforcement notification may be required.  Workforce members may be charged with a misdemeanor or incur fines and civil penalties, depending on the economic loss to the patient and the degree of malice.

• Confidentiality and Record Keeping of Privacy and Security Violations

  • All deliberations of privacy or security violations may be subject to a claim of exemption under the Public Records Act regardless of level. Deliberations shall be treated confidentially for both the workforce member and the patient whose protected confidential information is impacted. For all violations, all supporting documentation shall be stored in a confidential electronic file in the Privacy Office (PO).

  • All confirmed violations shall be tracked by the PO in the Disclosure Log for PHI or PII.

  • CCHCS is responsible for documenting any sanctions that were applied and maintaining the documentation for a minimum of six years.

Policy

• California Correctional Health Care Services (CCHCS) and its workforce shall make reasonable efforts to limit the use, access, request, and disclosure of Protected Health Information (PHI) to the minimum necessary to accomplish the intended purpose.  CCHCS shall determine what access to PHI is relevant and necessary by workforce members to carry out job duties.

Purpose

• To ensure CCHCS workforce members have appropriate access to PHI and only use, request, or disclose the minimum necessary PHI required to accomplish the missions, goals, and objectives of CCHCS while maintaining compliance with privacy and related health information law.

Responsibility

• The Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.

When Minimum Necessary Uses or Disclosures of PHI Applies

• Unless an exception set forth in this policy applies, CCHCS workforce members may only use, access, request, and disclose the minimum amount of PHI necessary to perform their duties including the fulfillment of a request for the use or disclosure of PHI.

  • Uses or disclosures of entire health records

    • CCHCS workforce members shall not use, access, request, or disclose a patient’s entire health record except when use or disclosure of the entire health record is specifically justified as reasonably necessary to accomplish the use, request, or disclosure.

  • Routine and recurring disclosures

    • CCHCS program areas shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure or in order for staff to fulfill their job duties.

  • Non-routine disclosures

    • CCHCS program areas  shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure . Requests for non-routine disclosures shall be reviewed on an individual basis in accordance with such criteria.

• Reasonable Reliance

  • CCHCS workforce members may rely on the judgment of the party requesting a disclosure in determining the minimum amount of information that is needed when:

  • Making disclosures to public officials pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions, if the public official represents that the PHI requested is the minimum necessary for the stated purpose.

  • The information is requested by another covered entity.

  • The information is requested by a professional who is a member of the CCHCS workforce or is a CCHCS business associate for the purpose of providing professional services if the professional represents that the information requested is the minimum necessary for the stated purpose.

• Role Based Access and Use

  • CCHCS program areas shall establish role-based access controls that provide only the minimum amount of information necessary for workforce members to perform their job duties.  CCHCS program areas shall safeguard information accessible by computer, information kept in files, or other forms of information consistent with CCHCS policy.

When Minimum Necessary Uses or Disclosures of PHI Does Not Apply

• Disclosures to or requests by a health care provider for treatment.

• Disclosures to the patient who is the subject of the information.

• Uses and disclosures based upon a valid authorization to use and disclose PHI, limited to the scope of what is covered by the authorization.

• Uses and disclosures required for compliance with the Health Insurance Portability and Accountability Act Administrative Simplification Rule.

• Disclosures to the Secretary of the U.S. Department of Health and Human Services when disclosure of information is required under the Privacy Rule for enforcement purposes.

• Uses or disclosures required by law.

Policy

• California Correctional Health Care Services (CCHCS) shall take steps to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII) from intentional or unintentional violation of federal and state privacy laws and CCHCS privacy policies.

Purpose

• To specify the safeguards required to minimize the risk of unauthorized access, use, or disclosure of PHI and PII.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with laws, policies, and standards for protecting the privacy rights of individuals.

Safeguards

• CCHCS workforce members shall take all necessary precautions to safeguard PHI and PII pursuant to the State Health Information Policy Manual and the Statewide Information Management Manual Chapter 5300.

• All CCHCS workforce members with assigned job duties requiring the access, use, or disclosure of PHI shall apply administrative, technical, and physical safeguards to protect PHI.

• Each program shall have information technology (IT) and information security controls to safeguard PHI and PII, including administrative, technical, and physical controls.

• CCHCS programs shall conduct internal reviews periodically to evaluate the effectiveness of these safeguards.

Specific Safeguarding Procedures

• Paper Practices

  • CCHCS workforce members shall be educated on the risks of creating paper documents and how they shall be used, handled, shared, stored, and destroyed.

  • Each CCHCS program shall ensure all paper documents including those awaiting disposal or destruction in locked desk-site containers, storage rooms, centralized waste and shred bins, or other storage devices are labeled, disposed of regularly, and secured through reasonable measures to prevent unauthorized access.

  • Each CCHCS program shall ensure that shredding of paper documents is performed on a timely basis consistent with record retention requirements.

• Verbal Practices

  • CCHCS workforce members shall take reasonable steps to protect the privacy of all verbal exchanges or discussions of PHI and PII regardless of where the discussion occurs.

    • CCHCS workforce members shall provide only the minimally necessary verbal information to fulfill their job functions.

  • Each CCHCS program shall use enclosed offices or interview rooms to verbally exchange PHI and PII if available.

    • In open office environments, incidental use or disclosure is not considered a privacy violation if CCHCS workforce members have complied with the reasonable safeguards and minimum necessary requirements.

    • Each CCHCS program shall ensure workforce members are educated on the potential for inadvertent verbal disclosure of PHI and PII.

• Visual Practices

  • CCHCS workforce members shall ensure PHI and PII are adequately shielded from unauthorized visual disclosure.

  • CCHCS programs and workforce members shall use best practices to ensure that PHI and PII in any visual medium such as photos, videos, images, or documents displayed on computer screens are not visible to unauthorized persons.

• Electronic Practices

  • Format of PHI and PII (e.g., databases, email, phone, fax) shall be protected through IT-related controls. 

  • CCHCS workforce members shall be assigned to electronic groups that provide access only to the minimum necessary information to fulfill their job functions.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may use or disclose Specially Protected Health Information (PHI) as permitted or required by the special exceptions specified in this policy and the Statewide Health Information Policy Manual (SHIPM), Section 2.3.0, Specially Protected Information.

Purpose

• To provide guidance on certain uses or disclosures of PHI based on specified exceptions in the law authorizing disclosure of PHI without patient authorization.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy including privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

Use and Disclosure of PHI

• General Rules

  • As outlined in the Health Care Department Operations Manual  (HCDOM), Section 2.2.1, General Use and Disclosure of Protected Health Information and the HCDOM, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain Treatment, Payment or Health Care Operations (TPO) activities, pursuant to and in compliance with a valid patient authorization, without a patient’s authorization pursuant to the specific exceptions in this policy, or as otherwise specifically permitted or required by law.

• When Patient Authorization is not Required

  • PHI may be used or disclosed without a valid authorization pursuant to an exception required or permitted by law.  All disclosures of health records under this policy shall be performed by Health Information Management (HIM) workforce members in accordance with HIM policies and procedures including requirements related to tracking of disclosures.

  • CCHCS workforce members may use or disclose PHI without patient authorization for reasons other than for TPO including, but not limited to:

    • PHI when required to do so by federal, state, or local law.

    • When the use or disclosure is otherwise specifically permitted by law including, for example, the voluntary reporting to the U.S. Food and Drug Administration of adverse events related to drug products or medical device problems.

    • A coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or conducting other duties authorized by law pursuant to the SHIPM, Section 2.2.1, Decedents.

    • Health oversight activities authorized by law, including audits; civil, criminal, or administrative investigations, prosecutions, or actions; and licensing or disciplinary actions.

    • Judicial or administrative proceedings, in response to an order of a court, a valid subpoena, search warrant, or other lawful process unless prohibited or otherwise limited by federal or state law applicable to the program or activity requirements.

    • Limited law enforcement purposes, to the extent authorized by applicable federal or state law, CCHCS workforce members may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death because of criminal conduct; and provide information which constitutes evidence of criminal conduct on CCHCS premises.

    • Organ procurement organizations or other entities engaged in procuring, banking, or transplantation of cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

    • A local health department for the purpose of preventing or controlling disease, injury, or disability including, but not limited to, the reporting of disease, injury, vital events, including death, and the conduct of public health surveillance, public health investigations, and public health interventions as authorized or required by federal or state law or regulations.

    • Entities providing mere courier services without requiring routine access to such PHI, e.g., the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers providing mere data transmission services.

Policy

• California Correctional Health Care Services (CCHCS) shall provide patients’ rights related to the use and disclosure of their Protected Health Information (PHI) and Personally Identifiable Information (PII) as outlined in this policy.

Purpose

• To provide guidance with respect to the privacy rights of patients regarding the use and disclosure of their PHI and PII.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI and PII maintained by CCHCS.

• CCHCS program areas shall ensure that procedures are developed and consistent with this policy while also ensuring workforce member compliance.

Patient Privacy Rights

• Right to Access PHI and PII

  • CCHCS and Business Associates (BA) shall provide patients with access to inspect, review, and obtain a copy of their PHI and PII in their health record for as long as they are maintained in the health record except for when:

    • Compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding.

    • Determined by the patient’s mental health provider to present a substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving a copy of the requested records. Such a denial of access is subject to procedures set forth in the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 3, Health Information Management.

    • Protected by attorney work-product privilege.

    • Endangering the health, safety, security, custody, or rehabilitation of the individual or of other patients or the safety of any officer, employee, other person at the correctional institution, or individual responsible for the transporting of the patient.

    • Prohibited by law.

  • For access purposes, patient representatives are treated in the same manner as the patient, except if CCHCS is aware the patient has been or may be subject to domestic violence, abuse, neglect, or other endangerment by the individual and CCHCS decides it is not in the best interest to do so.

  • Information about a patient’s right to access specially protected health information can be found in the Statewide Health Information Policy Manual (SHIPM) Section, 2.3.0, Specially Protected Information.

  • Workforce members shall follow procedures pursuant to the HCDOM, Section 2.3.4, Release of Protected Health Information, when responding to a patients’ request to access their health record.

• Right to Amend PHI and PII

  • A patient or patient’s representative may request any portion of the patient’s health record to be changed, corrected, or amended by CCHCS.

    • All requests for amendments shall be made in writing and submitted to Health Information Management (HIM) staff at the patient’s institution by utilizing the CDCR 7236, Request to Amend Health Records.

    • CCHCS is not obligated to agree to an amendment and may deny requests or partially accept amendments.

    • The patient or patient’s representative may file a statement of disagreement if they do not agree with the denial or partial approval of their request.

      • CCHCS shall prepare and provide a written rebuttal to the patient or patient’s representative to the statement of disagreement.

  • Workforce members shall follow procedures pursuant to the HCDOM Section 2.3.16, Patient’s Right to Amend Health Record, when responding to a patient’s request to amend their health record.

• Right to Request an Accounting of Disclosures

  • Patients have the right to request and receive an accounting of disclosures CCHCS has made of their PHI for up to six years prior to the date of requesting such accounting.  CCHCS shall account for all disclosures of PHI except for disclosures:

    • To carry out Treatment, Payment, or Health Care Operations (TPO) activities.

    • Made to the patient.

    • Authorized by the patient.

    • To persons involved in the patient’s care.

    • For national security or intelligence purposes.

    • Made to correctional institutions or law enforcement officials having lawful custody of a patient.

    • Made as part of a Limited Data Set (LDS) pursuant to the HCDOM, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets.

  • Patients have the right to receive an accounting of disclosures CCHCS has made of their non-medical PII for up to three years after the disclosure or until the disclosed information is destroyed, whichever is shorter.  CCHCS shall account for all disclosures of PII except for disclosures:

    • Made to the patient or the patient’s duly appointed guardian, representative, or conservator.

    • Authorized by the patient.

    • To CCHCS workforce members where disclosure is necessary for the performance of official duties and is related to the purpose for which the information was acquired.

    • Pursuant to the California Public Records Act.

    • Made as part of a LDS pursuant to the HCDOM, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets.

  • Workforce members shall follow procedures pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information, when responding to a patient’s request for an accounting of disclosures.

• Right to Request a Restriction on Uses and Disclosures of PHI and PII

  • Patients have the right to request restrictions on the uses and disclosures of their PHI and PII while carrying out TPO activities.  All requests shall be submitted in writing.

  • CCHCS is not obligated to agree to a restriction and may deny the request or agree to a restriction more limited than the patient requested.  HIM staff shall be responsible for receiving and processing any requests for restriction.

• Right to Request Confidential Communication

  • CCHCS shall ensure confidential communications to the patient are made at the appropriate patient location within a CDCR facility. Patients have a right to request to receive confidential communications related to health information by alternative means or at an alternative location under the following conditions:

    • The confidential communication can be accommodated after considering the need to maintain the safety and security of patients or staff and the safety and good order of the institution.

    • The request is provided in writing.

    • An alternative address or other method of contact is provided.

    • Information as to how payment, if any, shall be handled.

  • Any written requests received shall be forwarded to HIM for processing.

  • CCHCS and BAs shall communicate the request for confidential communication within two business days of the request to each other.

  • CCHCS shall not ask for an explanation from the patient as to why the request is being made, as an explanation is not required. The request cannot be denied solely because an explanation was not given.

  • Workforce members shall follow procedures pursuant to SHIPM, Section 5.5.2, Confidential Communication when responding to a patient’s request for confidential communication.

Notice to Patients of Privacy Rights

• The requirements of the Code of Federal Regulations, Title 45, Section 164.520(a)(3) do not apply to CCHCS patients. CCHCS is not required to provide a Notice of Privacy Practices to patients.

• CCHCS notifies patients of their privacy rights in various ways including, but not limited to, notices in the clinics, law libraries, and the CCHCS Patient Orientation to Health Care Services handbook.

• Right to File Complaints

  • Patients may object to specific uses and disclosures of their health information through the health care grievance process.

  • Patients have the right to submit complaints if they believe their PHI or PII has been improperly used or disclosed or if they have concerns regarding compliance with the CCHCS privacy policies. Such complaints may be filed through the health care grievance process.

  • Patients have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services if they believe there has been non-compliance with the Health Insurance Portability and Accountability Act or other applicable law. This right cannot be waived.  CCHCS is prohibited from requesting that a patient waive this right for any reason, including as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may use and disclose health information as appropriate without authorization if CCHCS workforce members or another entity has taken steps to de-identify the health information consistent with the requirements and restrictions of this policy unless restricted or prohibited by federal or state law. CCHCS workforce members may use or disclose a Limited Data Set (LDS) if a Data Use Agreement (DUA) is obtained.

Purpose

• To provide guidance regarding standards under which patient information may be used and disclosed after information that can identify a person has been removed or restricted to an LDS.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of Protected Health Information (PHI) maintained by CCHCS.

De-Identification of Patient Information

• Requirements

• Patient health information is sufficiently de-identified so it cannot be used to identify the patient only if:

  • Done by CCHCS workforce members with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

    • Applying such principles and methods, determines that there is minimal risk the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.

    • Documents the methods and results of the analysis that justify such determination.

  • CCHCS workforce members have ensured the following identifiers of the patient or of relatives, employers, and household members of the patient are removed:

    • Names.

    • All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes.  However, the initial three digits of a zip code may remain on the information if, according to current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contain more than 20,000 people; and the initial three digits for all such geographic unit containing 20,000 or fewer people is changed to 000.

    • All elements of dates (except year) directly relating to the patient, including birth date, dates of admission and discharge from a health care facility, and date of death.  For persons aged 90 and older, all elements of dates (including year) that would indicate such age must be removed, except that such ages and elements may be aggregated into a single category of “aged 90 or older.”

    • Telephone numbers.

    • Fax numbers.

    • Electronic mail addresses.

    • Social security numbers.

    • Health record numbers.

    • Health plan beneficiary numbers.

    • Account numbers.

    • Certificate or license numbers.

    • Vehicle identifiers and serial numbers, including license plate numbers.

    • Device identifiers and serial numbers.

    • Web URLs.

    • IP address numbers.

    • Biometric identifiers including fingerprints and voiceprints.

    • Full face photographic images and any comparable images.

    • Any other unique identifying number, characteristic, or codes, except as permitted under section (d)(2)(A) and (B).

  • CCHCS workforce members have no actual knowledge the information could be used alone or in combination with other information to identify the patient who is the subject of the information.

• Re-identification

  • CCHCS workforce members may assign a code or other means of record identification to allow information de-identified under this policy to be re-identified provided that:

  • The code or other means of record identification is not derived from or related to information about the patient and cannot otherwise be translated to identify the patient.

  • CCHCS workforce members do not use or disclose the code or other means of record identification for any other purpose and does not disclose the mechanism for re-identification.

Use of Limited Data Sets

• Contents of a Data Use Agreement

  • CCCHCS workforce members may disclose an LDS only if the receiving entity enters a written DUA agreement with CCHCS.  A DUA is to ensure such entity shall use or disclose the PHI only as specified in the written agreement and it is only for the purposes of research, public health, or health care operations.  A DUA between CCHCS and the recipient of the LDS must:

  • Specify the permitted uses and disclosures of such information by the LDS recipient.  CCHCS workforce members shall not use the DUA to authorize the LDS recipient to use or further disclose the information in a manner that would violate the requirements of this policy.

  • Specify who is permitted to use or receive the LDS.

  • Specify that the LDS recipient shall:

    • Not use or further disclose the information other than as specified in the DUA or as otherwise required by law.

    • Use appropriate safeguards to prevent use or disclosure of the information other than as specified in the DUA.

    • Report to CCHCS when the recipient becomes aware of any use or disclosure of the information not specified in its DUA with CCHCS.

    • Ensure any CCHCS workforce members to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient with respect to such information.

    • Not identify the information or contact the patient whose data is being disclosed.

• Compliance

  • CCHCS workforce members are in compliance with the LDS standard if they are aware of a pattern of activity or practice of the LDS recipient that constitutes a material breach or violation of the DUA and takes reasonable steps to cure the breach or end the violation. If CCHCS workforce members are unable to cure the breach or end the violation, they shall:

  • The Privacy Office shall report the problem to the Secretary of the U.S. Department of Health and Human Services.

Policy

• California Correctional Health Care Services (CCHCS) is permitted to disclose Protected Health Information (PHI) to a business associate (BA) when CCHCS enters into a written Business Associate Agreement (BAA) with the BA.

Purpose

• To specify when CCHCS may disclose a patient’s PHI to a CCHCS BA and provisions that shall be included in CCHCS contracts requiring a BAA.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and facilitate annual review to comply with privacy laws, policies, and standards respecting the privacy rights of individuals, and shall collaborate with the CCHCS Office of Legal Affairs (COLA) and elevate to executive leadership to decide on matters of organizational risk.

Procedure

• Use and Management of Business Associate Agreements

  • The current approved version of the CCHCS BAA shall be distributed to contracting units and posted on the intranet.

  • When another state agency, another entity, or a contracted organization requests access or use of PHI, the CCHCS programs shall notify the Privacy Office (PO), and the applicable CCHCS programs, such as, Direct Care Contracts Section, Acquisitions Management Services, Information Technology Services Division, Healthcare Invoicing Section, and Health Information Management.

  • The CCHCS program shall:

    • Execute the BAA.

    • Track and log all executed contracts that contain a BAA.

    • Send a report of all contracts, Data Sharing Agreements (DSAs), or Memorandum of Understandings (MOUs) containing BAAs to the PO on a quarterly basis or as required for operational need.

  • The PO shall:

    • Maintain a current list of all contracts, DSAs, and MOUs containing BAAs.

    • Generate a current list upon request, based on contracting unit updates.

  • When CCHCS enters into an agreement with another government entity, CCHCS may fulfill the BAA requirement through an Interagency Agreement, MOU, or DSA that contains terms that accomplish the objectives of a BAA.

  • A BAA, DSA, or MOU shall be executed prior to exchange, access, use, disclosure, movement, or storage of PHI.

• CCHCS Responsibilities Prior to Disclosure of PHI

  • Prior to disclosing PHI, CCHCS shall:

    • Enter into written agreements with the contractors who access PHI as part of the services they are providing. The agreement shall fulfill the minimum requirements of a valid BAA or comparable DSA and obligations of a BA regarding the privacy, security, and administrative activities relating to health information.

    • Ensure written agreements safeguard electronic health information created, received, maintained, or transmitted to or by other organizations on behalf of CCHCS, and provides protections for electronic health information as for any other health information shared.

  • The current published version of the CCHCS BAA shall be used as the primary document when contracting with a BA.

    • The CPO, in consultation with COLA, may consider a BA’s proposed alternative language within the current published version of the BAA if the proposed language does not violate CCHCS or state privacy policy.

    • Only if the CCHCS BAA is not agreed to in Sections (d)(2)(B) or (d)(2)(B)(1), an alternate form of a BAA, such as the third party’s BAA, may be used following a legal review and recommendation by COLA.

  • CCHCS shall utilize the CDII-approved BAA template when conducting business with a No View Host Services Provider or a Cloud Services Provider.

• Exceptions to the Requirement to Execute a Business Associate Agreement

  • For BA functions required by law, including, but not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, technology services, financial services and similar services, CCHCS may disclose the minimum PHI necessary to comply with the legal mandate without meeting the requirements of a BA contract.  The CCHCS program in consultation with COLA shall attempt in good faith to obtain satisfactory assurances that the BA shall protect health information to the extent required by a CCHCS BAA.  If such an attempt fails, CCHCS shall document the attempt and the reasons that such assurances cannot be obtained.

  • A BAA is not required between CCHCS and the subcontractors of a BA when a valid CCHCS BAA is maintained.

  • The following situations may still require an agreement containing the requirements of this policy when CCHCS discloses PHI:

    • Based on a patient’s or patient representative’s authorization.

    • To a health care provider concerning the treatment of an individual.

    • As a plan sponsor to the extent that CCHCS is acting in the capacity of a group health plan as defined in the Health Insurance Portability and Accountability Act of 1996.

    • To a government agency to determine eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent such activities are authorized by law.

    • To a covered entity participating in an organized health care arrangement that performs the function or activity of a BA to or for such organized health care arrangement by virtue of such contracted activities or services.

    • To a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to CCHCS and does not require access on a routine basis to such PHI.

    • Or patient information such as personally identifiable information.

    • Or health information that is de-identified in accordance with the Health Care Department Operations Manual (HCDOM), Section 2.2.8, De-identification of Patient Information and Use of Limited Data Sets Policy.

• CCHCS Responsibilities Post Execution of Business Associate Agreements

  • CCHCS’ responsibilities include, but are not limited to:

    • Receiving, logging, and reporting a patient’s complaints regarding the uses and disclosures of PHI by the BA.

    • Receiving, logging, and reporting notices from the BA of possible violations of the BA contract.

    • Instructing the BA on the process to notify CCHCS if or when any violations of law, policy, or contract occurs.

    • Monitoring BA performance to detect and ensure that the BA is not engaged in a pattern or practice that violates their obligations under the BAA.

    • Implementing corrective action plans, as needed.

    • Mitigating, if necessary, known violations up to and including contract termination.

    • Coordinating any requested changes to a health record with the BA pursuant to HCDOM Section 2.3.16, Patient’s Right to Amend Health Record.

    • Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to the BA within two business days of the request.

    • Conducting risk analyses and risk assessments to:

      • Identify, evaluate, and include any risks from BA relationships from the PO’s risk analysis.

      • Include in the CCHCS-wide risk assessment any risks identified from a specific BA relationship.

      • Verify and document BA adherence with privacy and security protocols required by law and the State Health Information Policy Manual quarterly.

  • CCHCS shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of Health and Human Services (HHS) as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits when CCHCS is a BA of another covered entity.

• Business Associate Responsibilities Post-Execution of Business Associate Agreements

  • BA responsibilities shall include, but are not limited to:

    • Transmitting data as permitted in the BAA and in compliance with:

      • Federal and state laws and regulations for Health Information Exchange, if applicable.

      • HCDOM Section 2.3.5, Health Information Exchange, if applicable.

    • Providing a patient with access or a copy, which may be in an electronic form, or granting or transmitting access or a copy to a person or entity designated by a patient’s request to a BA for access to, or a copy of, PHI about the patient.

    • Documenting, tracking, and accounting for all disclosures and respond to a patient’s request for an accounting of disclosures of PHI.  The BA shall respond to accounting of disclosure requests to CCHCS or to the patient (at the direction of CCHCS) within 14 calendar days, and include information related to such disclosures, in accordance with Code of Federal Regulations, Title 45, Section 164.528.

    • Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to CCHCS within two business days of the request.

    • Adhering to a patient’s request regarding confidential communications and restrictions on use and disclosure when received directly from the patient or from CCHCS on behalf of the patient.

    • Notifying CCHCS if there is a violation of law, policy, or contract resulting in a breach or security incident no later than 24 hours after detection. Notification shall be made pursuant to the HCDOM Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

    • Adhering to privacy and security protocols required by the BAA.

    • Identifying and informing CCHCS of the results of any risk analysis or assessment conducted by the BA that impacts its adherence to the BA’s obligations under the BAA.

  • The BA shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of HHS as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits.

• Business Associate Non-Compliance

  • If CCHCS becomes aware of a material breach or violation of a BAA or other arrangement, CCHCS shall take reasonable steps to mitigate the breach and end the violation. This may include providing consultation to the BA, terminating the BAA or agreement, and reporting the problem to the Secretary of the U.S. Department of HHS.

• Updating Business Associate Agreements for Changes in Federal and State Laws

  • When changes occur in federal or state law that affect the requirements in the BAA or impact the obligations of a BA, the PO shall:

    • Revise the CCHCS BAA template.

    • Determine if an amendment is required to existing contracts that contain the prior version of the CCHCS BAA.

  • CCHCS contracting units shall coordinate the execution of the revised BAA with current vendors.

• Business Associate Training Requirements and Contact Information

  • Any BA staff who will require access to CCHCS systems or PHI to perform their function or activities under a contract or agreement shall complete information security and privacy awareness training prior to being granted access pursuant to as required by law.

  • For questions or clarification, please contact: CCHCSPrivacyOffice@cdcr.ca.gov or 1-877-974-4722.

Policy

• Personally Identifiable Information (PII) maintained by California Correctional Health Care Services (CCHCS) is private and confidential.  CCHCS workforce members shall use PII to conduct business in compliance with federal and state law.

• CCHCS workforce members shall not use or disclose PII except as permitted or required by this chapter or as otherwise permitted or required by law.

Purpose

• To provide guidance to CCHCS workforce members regarding the use and disclosure of PII.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy rights laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

• CCHCS workforce members shall report incidents of inappropriate disclosure of PII to the CCHCS Office of Information Security via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.

General Use and Disclosure of PII

Information Collection and Minimum Necessary Use of PII

Third Party or Media Inquiries

• CCHCS workforce members shall not use or disclose PII pursuant to the HCDOM, Section 2.2.13, Handling Protected Health and Personally Identifiable Information.

Policy

• California Correctional Health Care Services (CCHCS) shall identify, investigate, and mitigate privacy incidents, provide notices when necessary to those affected and report breaches to California Department of Corrections and Rehabilitation (CDCR) and CCHCS’s oversight agencies as required by federal and state law.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and assist in reporting privacy incidents and breaches under applicable federal and state laws, regulations, and requirements in the Health Care Department Operations Manual.

• Privacy incidents and breaches originating from CDCR activities including, but not limited to, the CDCR Undersecretaries and offices that report to the CDCR Secretary, shall be referred to the CDCR CPO for fact-finding, analysis, intake, and response.

• Privacy incidents and breaches which involve CDCR and CCHCS shall be cooperative and both entities shall coordinate fact-finding, analysis, intake, and response.

Procedure for Reporting Privacy Incidents

• CCHCS workforce members shall:

  • Report all privacy incidents to the CCHCS Office of Information Security (OIS) within 24 hours of when an incident occurs or is discovered.

  • Document all details on the CCHCS Information Security Incident Report (ISIR) found on Lifeline, under Information Technology, OIS.

  • Ensure all instructions listed on the ISIR are followed by documenting incidents in plain language and include the following reporting requirements:

    • The name and contact information of the reporting individual.

    • A list of the types of confidential information reasonably believed to be the subject of an incident.

    • The date or estimated date range when the incident occurred.

    • The date the incident was discovered.

    • A general description of the incident.

    • Identification of any CCHCS program areas that may have information regarding the incident which may assist the investigation and fact-finding.

    • Efforts to mitigate harm and any additional steps taken to prevent further disclosure or future occurrences.

    • The number of patients or individuals affected by the potential disclosure and number of individuals who potentially received the information.

    • The date the ISIR is submitted to OIS.

  • Submit the ISIR via email to the CCHCS OIS who shall review the ISIR, conduct an initial assessment, and assign a case number to the incident.

    • The CCHCS OIS shall forward any ISIRs that document privacy incidents to CCHCSPrivacyOffice@cdcr.ca.gov.

• Privacy Incident and Breach Management

  • Protocol for Escalation, Internal Reporting, and Response

    • The CPO notifies executive management via email at the onset of an incident, during the incident, and upon conclusion of the incident as warranted.

    • An Incident Response Team (IRT) shall be assembled by the PO to ensure the incident is addressed in the most expeditious and efficient manner. An IRT shall respond to an incident and may include:

      • The CCHCS CPO, or designee, to act as the Escalation Manager and coordinate the response when additional program areas are required to assist.

      • Program Manager of the program area experiencing the breach.

      • CCHCS Chief Information Security Officer (CISO).

      • Public Information or Communications Officer (if the breach involves 500 or more individuals).

      • Legal Counsel.

      • Other workforce members as identified by CCHCS CPO or CISO.

        • If the breach involves multiple agencies or state entities, an IRT from each agency or state entity may be involved.

    • IRT members shall attend an initial impact assessment and response coordination meeting when a breach involves notifying 500 or more individuals, multiple agencies or state entities, or is likely to garner media attention.

      • This meeting shall clarify roles, responsibilities, and timelines for reporting and response activities.

      • When multiple agency personnel are involved, meeting attendee lists or equivalent are used to track participant involvement.

      • Non-redisclosure agreements may also be used to ensure confidential information remains confidential and communications do not compromise or complicate an active investigation.

  • Incident Tracking, Fact-Finding and Case File

    • The PO workforce members shall:

      • Monitor the mailbox daily. 

      • Screen ISIRs received and document the case number and incident details in the incident tracking solution within 24 hours of receipt from CCHCS OIS.

      • Conduct fact-finding to determine if a breach occurred and as required supplement the ISIR with additional information from the individual who submitted the ISIR or other workforce members who may have relevant information about the incident including Information Technology, Health Information Management, or program area managers.

      • Notify the CPO when escalation is necessary to obtain cooperation from other program areas to complete fact-finding.

      • Conduct a risk assessment and document all relevant information to recover, correct, or resolve the incident, including the root cause, potential harm, and mitigation efforts as follows:

        • The nature and extent of the Personal Health Information (PHI), Personally Identifiable Information (PII), or High-Risk Confidential Information (HRCI) involved, including the types of identifiers and the likelihood of re-identification.

        • The unauthorized person or entity who used the PHI, PII, or HRCI or to whom the disclosure was made.

        • Whether the PHI, PII, or HRCI was actually acquired or viewed or, alternatively, if the opportunity existed for the information to be acquired or viewed.

        • A determination if the incident created a risk and, if so, the extent to which the risk has been mitigated.

        • Ensure sufficient information is obtained upon completion of the risk assessment to determine if a breach notification will be issued.

      • Determine if the incident is a breach.

      • Maintain an electronic case file, identified by a unique case number.  The case file shall contain all relevant information as documented on the ISIR and risk assessment.

      • The CCHCS CPO, or designee, shall review the risk assessment to determine if additional information or corrective actions are needed and approve the completed risk assessment.

    • The information maintained in the incident tracking solution shall be:

      • Utilized for regular review of system activity, such as for audits, incident tracking reports, and sharing threat information electronically with the California Department of Technology (CDT).

      • Available for risk analysis or assessment which shall include, at a minimum, assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.

    • All impermissible disclosures shall be recorded in the Accounting of Disclosure tracking log within the incident tracking solution.

      • The log shall record, at a minimum, the date of disclosure, name and address of the person or entity who received the PHI, PII, or HRCI, a brief description of the information disclosed, and a brief description of the intended reason for the disclosure.

• Recovery and Destruction of Information Unlawfully or Improperly Disclosed

  • The PO workforce members shall:

    • Work with the responsible program area to ensure the original information is immediately recovered by the program area or obtain written verification from the program area that the data in all media types have been properly destroyed.

    • Document all efforts and outcomes regarding recovery and destruction in the incident tracking solution.

  • Once the information (e.g., hard copies, electronic, and portable media) is recovered by the responsible program area, they shall ensure it is secured in an approved locked shred container, shredded, deleted, or disposed of according to the OIS process for electronic destruction.

• Breach Reporting Responsibilities between CCHCS and Oversight Agencies

  • When it is determined that a breach occurred, the PO workforce members shall report the breach to the CDT OIS and the California Highway Patrol (when required by law) via the California Compliance Security Incident Reporting System (Cal-CSIRS).

  • When the breach occurs at a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (CDPH), CCHCS workforce members shall:

    • Report the breach to CDPH no later than 24 hours after the incident is discovered and no later than 24 hours if the PO workforce members determine the incident is a breach.

    • Notice the patient no later than 15 business days after a breach has been determined pursuant to the California Code of Regulations, Title 22, Section 79902, Breach Reporting for Licensed Facilities.

  • Business associates, or contracted entities shall notify the CCHCS OIS no later than 24 hours after detection of a breach of PHI, PII, or HRCI via email CCHCS-ISO@cdcr.ca.gov, or by phone: (916) 691-3243.

  • Upon receipt of an ISIR involving a business associate, the PO workforce members shall contact the CCHCS program area(s) responsible for monitoring the business associate agreement and contact the business associate to begin mitigation efforts for the business associate’s or its sub-contractor’s involvement in the incident.

    • If the incident breach occurs after business hours or on a weekend or holiday and involves electronic PHI, notification shall be provided by calling the CCHCS ITSD Solution Center at 1-888-735-3470.

  • When a breach affects:

    • 500 or more individuals, the PO workforce members shall notify:

      • The Center for Data Insights and Innovation (CDII) within two business days of breach determination at CDIIPrivacyOffice@chhs.ca.gov.

      • The United States (US) Department of Health and Human Services (HHS) on the Breach Reporting form located at US HHS at the time notice is issued to those affected.

    • Fewer than 500 individuals, the PO shall maintain a log documenting the breaches and assigned workforce members shall submit aggregated breach information to US HHS no later than 60 calendar days after the end of each calendar year on the Breach Reporting Log located at US HHS.

      • The submission shall include all breaches discovered during the preceding calendar year.

  • PO workforce members shall submit an annual accounting of all PHI breaches to CDII at the end of each calendar year or as requested.

    • The information shall be submitted on the CDII Annual Breach Reporting form and shall include actions taken to investigate and mitigate each event.

• Breach Notification to Affected Individuals

  • The PO workforce members or entity responsible for the breach shall notify each individual who has had, or is reasonably believed to have had, PHI, PII, or HRCI inappropriately accessed, acquired, used, or disclosed as follows:

    • Notify by first-class mail to the affected individuals’ last known address.

      • If the individual whose information has been breached is deceased, the next of kin or personal representative for the individual or patient shall be notified by first class mail.

    • Email is permitted if the individual agrees to electronic notice.

    • If it is determined that there is possible imminent misuse of any PHI, PII, or HRCI, notice shall be provided by telephone or other means as appropriate.

    • If the contact information is insufficient or out of date preventing written notification to the individual, the notice shall be provided as follows:

      • When fewer than ten individuals are affected, an alternate form of written notice, telephone, or other means may be provided.

      • When more than ten individuals are affected, a posting shall be placed for a period of 90 calendar days on the homepage of the CDCR or CCHCS website or in a major print or broadcast media in the geographic area where the individuals likely reside.

  • Written notifications shall use plain language and be titled “Notice of Data Breach.”  The notice shall include all of the following, to the extent possible:

    • “What Happened,” a brief description of what happened, including the date of the breach, the date the breach was discovered, and, if applicable, if the notification was delayed due to a law enforcement investigation.

    • “What Information Was Involved,” a description of the types of information involved in the breach (e.g., PHI, PII, or HRCI, and other identifiers).

    • “What We Are Doing,” a brief description of the actions the state entity is taking to investigate the breach, mitigate harm to the individuals, and protect against further breaches.

    • “What You Can Do,” advisement of the steps individuals should take to protect themselves from potential harm resulting from the breach. The major credit reporting agencies’ toll-free telephone numbers and mailing addresses shall be included if the breach exposed PII such as Social Security number, driver’s license number, California identification card number, or other personal identifiers.

      • Credit Reporting Agency Information

        • Equifax: 1-800-525-6285

        • Trans Union: 1-800-680-7289

        • Experian: 1-888-397-7342

      • Advise the individuals that they may request a copy of their credit report by mail by completing an Annual Credit Report Request Form from one of the three credit reporting agency websites and sending the completed form to the following address: P.O. Box 105281, Atlanta, GA 30348-5281.

    • “Other Important Information,” the enclosure “Breach Help – Consumer Tips from the California Attorney General.” This information is available in English and Spanish and can be downloaded from https://oag.ca.gov/privacy/other-privacy/breach-help-tips-for-consumers.

    • “For More Information,” the statement “For information about your medical or personal privacy rights, you may visit the State of California Department of Justice, Office of Attorney General (OAG), Privacy Enforcement and Protection.”

    • “Agency Contact, “the name, toll free number, and the website of the designated agency official or agency unit handling inquiries.

  • Before releasing the breach notification, the PO workforce members shall:

    • Provide a draft of the breach notification to the CDT OIS using Cal-CSIRS for review and approval.

    • Electronically report the incident to the OAG if the breach notification will be sent to 500 or more individuals

    • Notify the CCHCS Director of Communications who shall provide a press release to the prominent media outlets serving the state and regional area without unreasonable delay when a breach affects 500 or more individuals.

• Timing of Notification to Affected Individuals

  • The PO workforce members or entity responsible for the breach shall provide notifications in accordance with the following:

  • When the incident or breach involves a clinic, health facility, home health agency, or hospice licensed by the CDPH, a breach notification to the affected patient or patient’s representative no later than 15 business days after the breach was discovered.

    • A law enforcement agency may delay notification up to 60 calendar days with a written request or up to 30 calendar days with an oral request, if it is determined that notification will impede a criminal investigation.

  • When the incident or breach involves a non-licensed area, a breach notification within ten business days from the date a breach was reported, or reasonably believed to have occurred, to the extent possible. However, notice is required without unreasonable delay within and no later than 60 calendar days.

    • Any decision to delay notification beyond ten business days but less than 60 calendar days shall be made by the CCHCS CPO in writing.

    • Notification may be delayed if a law enforcement agency determines the notification will impede a criminal investigation.

• Documentation Retention

  • CCHCS shall retain breach policies and procedures, fact-finding, risk assessments, results, notifications, and reports for six years from the date of creation or the date when it last was in effect, whichever is later.

Policy

• California Department of Corrections and Rehabilitation (CDCR) and California Correctional Health Care Services (CCHCS) workforce members shall ensure compliance with federal and state privacy requirements and CCHCS policies for Protected Health Information (PHI) and Personally Identifiable Information (PII). The PHI and PII maintained by CCHCS is private and confidential, and CCHCS workforce members shall not use or disclose PHI or PII, except as permitted or required by law, and as outlined in this policy.

Purpose

• To ensure CCHCS and its workforce members comply with federal and state privacy requirements for state entities that maintain PII and PHI.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the collection, use, and disclosure of PHI and PII maintained by CCHCS.

• CCHCS workforce members are responsible for complying with requirements for use, disclosure, and access when handling PHI and PII.

Procedure

• Permitted Use and Disclosure of PHI

  • CCHCS workforce members shall only use or disclose PII in a manner that would not link the information disclosed to the patient to whom it pertains pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.10, General Use and Disclosure of Personally Identifiable Information.

• Permitted Use and Disclosure of PHI

  • CCHCS workforce members may use or disclose PHI pursuant to the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information.

• Access to PHI and PII of the Deceased

  • A written authorization for the release of information (ROI) or CDCR 7385 from the appointed patient representative is required before information may be disclosed.

  • A signed ROI is not valid or permitted based on prior authorization from the patient.

  • Exceptions to the written authorization requirement are limited to certain external law enforcement, coroner, research functions, or individuals involved in or relevant to the patient’s care and organ procurement.

  • All other cases require a signed ROI from the appointed patient representative pursuant to the Federal Code of Regulations, Title 45, Section 164.502(g)(4).

  • CCHCS workforce members shall:

    • Not disclose, use, or make available personal information collected from patients for purposes other than those for which it was originally collected.

    • Limit PHI use and disclosure to the minimum necessary information required to complete the desired task.

    • Protect the PHI of decedents in the same manner, and to the same extent, as required for the PHI of living persons.

  • Requests for a decedent’s health care information received from any source by CDCR or CCHCS shall be forwarded to Health Information Management (HIM) for further handling pursuant to the HCDOM, Chapter 2, Patients’ Entitlements and Responsibilities, Article 3, Health Information Management.

• External Law Enforcement Requests or Inquiries

  • Pursuant to Statewide Health Information Policy Manual (SHIPM), Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members shall disclose PHI to external law enforcement officials in response to the following:

    • A court order, court-ordered warrant, subpoena, or summons issued by a judicial officer.

    • A grand jury subpoena.

    • An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process permitted under the law provided that the:

      • Information sought is relevant and material to a legitimate external law enforcement inquiry.

      • Request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

      • De-identified information could not reasonably be used.

      • Request or a separate document indicates that the requirements listed within section (d)(4)(A)3.a. through c., have been satisfied.

  • Pursuant to SHIPM, Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members are permitted to disclose PHI to external law enforcement officials in response to the following:

    • A written or verbal request when information is needed to identify or locate a suspect, fugitive, material witness, or missing person limited to the following information:

      • Name and address

      • Date and place of birth

      • ABO blood type and Rh factor

      • Social Security Number

      • Type of injury

      • Date and time of treatment

      • Date and time of death (if applicable)

      • A description of distinguishing physical characteristics, including height, weight, gender, race, hair, and eye color, presence or absence of facial hair, scars, and tattoos.

    • A written or verbal request for information about a patient who is or suspected to be the victim of a crime if:

      • The patient agrees to the disclosure.

      • The patient’s agreement cannot be obtained because of incapacity or other emergency circumstances, provided that all of the following are met:

        • The external law enforcement official represents that:

          • The information is needed to determine whether a violation of law by a person other than the victim has occurred, and that the information is not intended to be used against the victim;

          • Immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient is able to agree to the disclosure.

        • The disclosure is in the best interests of the patient as determined by CCHCS.

      • It is suspected that the patient may be a victim of child abuse or neglect, elder abuse or neglect, or domestic violence pursuant to SHIPM, Section 2.2.16, Victims of Abuse, Neglect, or Domestic Violence.

    • An inquiry about a patient who has died if there is suspicion that the death may have resulted from criminal conduct pursuant to SHIPM, Chapter 2, Section 2.2.1, Decedents, III.B (1) and (2).

    • An inquiry if there is a reasonable and honest belief that it constitutes evidence of criminal conduct.

    • An inquiry when providing emergency medical care that is not on its premises.  CCHCS workforce members are permitted to the disclose PHI to external law enforcement if the disclosure appears necessary to alert the authorities to the:

      • Commission and nature of a crime.

      • Location of the crime or the victim(s) of the crime.

      • Identity, description, and location of the perpetrator of the crime.

• Victims of Abuse, Neglect, or Domestic Violence

  • If CCHCS believes that the medical emergency results from abuse, neglect, or domestic violence of the patient in need of emergency health care pursuant to SHIPM, Chapter 2, Section 2.2.16, Victims of Abuse, Neglect or Domestic Violence, CCHCS workforce members may disclose a patient’s PHI without the patient’s authorization to a government authority authorized by law to receive reports if they reasonably believe the patient is the victim of abuse, neglect, or domestic violence.  CCHCS workforce members shall disclose the minimum PHI necessary to file a report and shall ensure the patient is notified of the disclosure unless notification would place the patient at risk of serious harm. The nature and date of disclosure and notification shall be documented on the CDCR 7219, Medical Report of Injury or Unusual Occurrence.

• Appropriate Safeguards

  • All email and portable electronic storage media including, but not limited to, CDs and thumb drives containing PHI and PII, shall be encrypted when sent to entities outside the CCHCS network utilizing the appropriate administrative, technical, and physical controls pursuant to the Statewide Information Management Manual, Chapter 5300.

• Documentation and Tracking of Disclosures

  • CCHCS workforce members shall document, track, and maintain the documentation regarding disclosures of PHI when the disclosure is not for TPO reasons. This tracking shall include what, when, why, and to whom disclosures are made pursuant to SHIPM, Chapter 5, Section 5.1.0, Accounting of Disclosures.

• CCHCS Workforce Members Access to PHI and PII

  • CCHCS workforce members may only access or use the minimum information necessary to conduct business in compliance with federal and state law.

• Third Party or Media Inquiries

  • CCHCS workforce members shall:

    • Forward all media inquiries regarding the release of patient PHI or PII to the CCHCS, Office of Communications at via email at Lifeline@cdcr.ca.gov.

    • Refer patient health care inquiries containing PHI or PII from third parties to the Health Care Correspondence and Appeals Branch (HCCAB) by emailing CCHCSPHCI@cdcr.ca.gov.  HCCAB shall respond to patient health care inquiries pursuant to the HCDOM, Section 2.3.15, Patient Health Care Inquiries.

    • Not use or disclose PHI or PII to third parties (e.g., attorney, legislative, or advocacy group) or to media.

  • Inquiries for PHI and PII are not subject to the California Public Records Act pursuant to the HCDOM, Section 5.1.2, California Public Records Act Requests.

• Management and Redaction of Health Information

  • Designated HIM workforce members shall perform the routine disclosure of all or part of a patient’s health record, as permitted by law or subsequent to a HIPAA-compliant authorization or CDCR 7385, for each request pursuant to the HCDOM, Section 2.3.4, Release of Protected Health Information.

  • Various disclosures, including but not limited to, mandated reporting or gathering statistical or population-based information, may not require identifying characteristics, such as name, date of birth, address, and more. For this reason, designated CCHCS workforce members shall redact all identifying information when the information is not necessary to fulfill the request. California Health and Human Services, Data Playbook, provides Data De-Identification Guidelines, Federal Code of Regulations, Title 45, Section 164.514.

• Information Security and Incident Breaches

  • If there is an incident or breach regarding an unlawful disclosure of PHI or PII, it shall be reported to the Office of Information Security immediately via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal. The instructions for reporting security incidents are available on Lifeline through the following links: CCHCS Security Incident Reporting Procedures (sharepoint.com).

• General Staff and Patient Information

  • Information Accuracy and Integrity

    • Information owners and CCHCS workforce members shall:

    • Maintain all records with accuracy, relevance, timeliness, and completeness.

    • Make appropriate corrections submitted by record subjects as required by law.

  • Accounting of Disclosures

    • Information owners and CCHCS workforce members shall:

    • Keep an accurate accounting of the date, nature, and purpose of each disclosure of a record as required by law.  The accounting shall include the date of the disclosure and the name, title, and business address of the individual or to whom the disclosure was made pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information.

    • Retain accountings of non-medical PII for at least three years after the disclosure for which the accounting is made or until the record is destroyed per the record retention policy, whichever is shorter.

    • Retain accountings of PHI for at least six years after the disclosure for which the accounting is made.

  • Privacy Impact Assessments

    • The Privacy Office shall assist program management with conducting Privacy Impact Assessments.

  • General Privacy Statement

    • The Privacy Office shall review and revise the general CCHCS internet privacy statement as needed.

Policy

• California Correctional Health Care Services (CCHCS) workforce members shall exercise due diligence to limit and prevent incidental disclosures of Protected Health Information (PHI).

Purpose

• To provide guidance regarding the incidental use or disclosures of PHI.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for the collection, use, and disclosure of PHI.

Procedure

• Methods and Processes to Limit and Prevent Incidental Use or Disclosure of Health Information

  • All CCHCS workforce members shall adhere to the minimum necessary requirements for using or disclosing PHI. PHI shall only be used or disclosed when necessary to satisfy a particular authorized purpose or carry out an assigned work-related function.

  • CCHCS workforce members acting on behalf of the patient clinically or administratively, including clinicians, ancillary services, administrative, clerical, and custodial workforce, shall only access, use, or disclose the minimum necessary PHI to carry out or perform assigned duties. Refer to the Code of Federal Regulations, Title 45, Section 164.514 (d)(e).

  • CCHCS workforce members shall limit access, use, or disclosure of PHI to the amount and type of information allowed by assigned job duties and necessary to complete assignments, pursuant to the Health Care Department Operations Manual (HCDOM) Section 5.3.14, Access Control and shall follow the rules for disclosure. Refer to HCDOM Sections 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information and 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

• Appropriate Safeguards

  • All CCHCS workforce members with assigned job duties requiring access, use, or disclosure of PHI shall, to the extent possible, apply appropriate administrative, technical, and physical safeguards pursuant to the HCDOM Section 2.2.5, Administrative, Technical, and Physical Safeguards for the protection and confidentiality of PHI.

• Accounting of Disclosures

  • CCHCS workforce members are not required to include incidental disclosures in the accounting of disclosures.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may disclose health information, without a patient authorization, when the use or disclosure involves, or is related to, a specialized government function defined below.

Purpose

• To provide guidance regarding the permitted uses and disclosures of Protected Health Information (PHI) for specialized government functions.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the disclosure of PHI maintained by CCHCS for specialized government functions.

Procedure

• Measures and Processes Utilized to Disclose Health Information for Specialized Government Functions

  • CCHCS workforce members are permitted to disclose health information, without patient authorization for any of the following specialized government functions:

    • Law enforcement or custodial situations if the disclosure of health information is made to authorized correctional or law enforcement officials with lawful custody of the patient, and the health information is needed, according to the law enforcement official or representative of the correctional institution, to do any of the following:

      • Provide custodial access for the patient’s health care needs to support health care delivery in a custodial setting,

      • Ensure the health and safety of the patient or other incarcerated persons,

      • Ensure the health and safety of officers, employees, or others at the correctional institution,

      • Ensure the health and safety of correctional individuals responsible for transporting or transferring of patients from one institution, facility, or setting to another,

      • Enforce the law on the premises of the correctional institution,

      • Administer and maintain the safety, security, and good order of the correctional institution.

    • Government programs providing public benefits if the health information is related to the purpose for which the information was collected and any of the following:

      • The state entity is a health care plan that is a government program,

      • The disclosure is to another entity administering a government program providing public benefits,

      • The disclosure is required or expressly authorized by law, and

        • Is the sharing of eligibility or enrollment information,

        • Is required for the maintenance of information in a single or combined data system accessible to both government agencies.

    • Government agencies administering a government program providing public benefits if the health information is related to the purpose for which the information was collected, and any of the following:

      • The state entity is a covered entity administering a government program providing public benefits,

      • The disclosure is to another covered entity that is a government agency administering a government program providing public benefits,

      • Both programs serve the same or similar populations,

      • The disclosure is necessary to coordinate Health Insurance Portability and Accountability Act covered functions of the program, or to improve administration and management relating to the programs covered functions.

    • Military and Veteran activities if upon separation or discharge from military service, disclosure is made by a component of the Departments of Defense or Homeland Security to provide information to the Department of Veterans Affairs to determine eligibility for benefits.

    • National security and intelligence activities if the disclosure of health information is made to authorized federal officials conducting lawful intelligence, counterintelligence and other national security activities authorized by the National Security Act, and the disclosure is any of the following:

      • Required by law,

      • Compelled due to circumstances affecting the health or safety of an individual,

      • Compelled through subpoena or warrant.

    • Protective Services for the president and others if the disclosure of health information is made to authorized federal officials to protect the president and other persons, including foreign heads of state, or to conduct investigations authorized by United States Code, and the disclosure is any of the following:

      • Required by law,

      • Compelled due to circumstances affecting the health or safety of an individual,

      • Compelled through subpoena or warrant.

  • CCHCS and California Department of Corrections and Rehabilitation are responsible for:

    • Verifying the identity of federal officials or correctional and law enforcement representatives pursuant to Statewide Health Information Policy Manual (SHIPM), Chapter 3, Section 3.1.7, Verification of Identity.

    • Ensuring that only the minimum amount of health information to achieve the purpose is disclosed pursuant to the HCDOM, Section 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information.

  • CCHCS workforce members are responsible to document, track, and maintain information concerning disclosures of health information. This tracking must document what, when, why, and to whom disclosures are made pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information.

Policy

• California Correctional Health Care Services (CCHCS) shall permit the use and disclosure of health information to legally authorized government agencies that conduct health oversight activities regarding the appropriate operation and management of programs, the provision of health care or health care related services, and health information governance in the provision of those services.

Purpose

• To provide guidance regarding uses or disclosures of health information for health oversight purposes, as required by law, and to ensure processes are maintained related to the use and disclosure of health information to government agencies performing health oversight activities, and health information governance.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) is responsible for the oversight of this policy.

• Hiring authorities are responsible to ensure staff comply with this policy.

Applicability

• This policy applies to CCHCS as a Covered Entity.

Procedure

• CCHCS shall meet health oversight obligations by:

  • Understanding what constitutes health oversight activities, and how to respond to requests for health information by other agencies for this purpose.

  • Cooperating with federal and state agencies responsible for determining compliance with the Health Insurance Portability and Accountability Act and other laws relating to the privacy, security, and administration of health information.

  • Ensuring all workforce members receive training to limit disclosure of health information to the minimum necessary when a health oversight agency conducts health oversight activities pursuant to this policy.

  • Addressing health information privacy concerns of other state entities when requesting health information.

  • Understanding that health oversight agency representatives will be required to provide verification of both identity and authority when requesting health information for authorized oversight activities.

  • Requiring reasonable evidence or legal authority in the forms listed below:

    • A written statement of identity on agency letterhead.

    • An identification badge.

    • Similar proof of official status.

    • A written request provided on agency letterhead describing legal authority for release of health information.

• Permitted Uses and Disclosures to Oversight Agencies

  • A state entity that is also a health oversight agency may use health information for health oversight activities.

  • Health information may be disclosed to a health oversight agency, without an authorization, for authorized oversight activities, including, but not limited to, audits, licensure, investigations, or disciplinary actions permitted by law.

• Exceptions to Permitted Disclosures to Health Oversight Agencies

  • A health oversight activity does not include an investigation or other activity in which the patient is the subject of the investigation or activity, when it is not a direct result of, or directly related to:

    • The receipt of health care.

    • A claim for public benefits related to health.

    • Qualification for, or receipt of, public benefits or services when a patient’s health is vital to the claim for public benefits or services.

    • A report of child abuse, neglect, or domestic violence.

    • A report of sexual abuse or violence in accordance with the Prison Rape Elimination Act.

    • Payment collection activities related to provision of health care.

• Temporary Suspension of Accounting of Disclosures

  • Health oversight agencies may request a temporary suspension of a patient’s right to receive an accounting of disclosures.

    • The temporary suspension shall be made in writing, include the reason why the disclosure would impede the health oversight activities, and indicate the timeframe the suspension is required.

    • For verbal requests, the patient’s right to an accounting shall be suspended for no more than 30 business days unless a written request is submitted during that timeframe.

• Joint Activities or Investigations

  •  If a health oversight activity is conducted in conjunction with a public benefits investigation not related to health, the joint activity or investigation is considered a health oversight activity.

    • Inquiries or investigations of Medi-Cal fraud involving health treatment or investigations involving other federal or state public benefits are considered a health oversight activity for purposes of this policy.

• Health Information Governance

  • Roles and Responsibilities

    • The CCHCS CPO shall:

      • Notify Hiring Authorities of noncompliance of their staff with this policy or privacy laws.

      • Recommend that action be taken, when appropriate.  Recommendations may include, but are not limited to:

        • Creating a process to mitigate risk or prevent future privacy breaches.

        • Advising CCHCS on staffing or resources needed to respond to and mitigate a privacy breach, and to prevent future privacy breaches.

        • Consulting with the CCHCS Performance Management Unit to advise CCHCS Hiring Authorities on recommended action regarding a specific workforce member.

      • Communicate with the California Department of Corrections and Rehabilitation (CDCR) CPO to identify their respective areas of responsibility, including the following functions:

        • Collaborating with the CDCR CPO regarding areas of overlapping responsibility.

        • Developing a joint plan for health information governance that would apply to both CDCR and CCHCS.

    • Hiring Authorities shall:

      • Consider recommendations from the CCHCS CPO and ensure CCHCS meets all timeframes for incident management required by federal and state law.

      • Advise the CCHCS CPO of actions taken in response to Privacy Office recommendations.

Policy

• California Correctional Health Care Services (CCHCS) shall develop and maintain an entity-wide information security, privacy, and risk management strategy and program to support health information privacy and security compliance as required by federal and state privacy and security laws.

Purpose

• To define specific workforce roles related to privacy and security and outline those roles in duty statements to ensure privacy and security policies and procedures are developed, implemented, monitored, and maintained.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO) are responsible for the implementation, monitoring, and maintenance of this policy.

CCHCS Workforce Staffing Roles

• CCHCS Chief Privacy Officer

  • The CPO shall ensure compliance with CCHCS’s policies and procedures relating to privacy. Responsibilities include, but are not limited to:

    • Assisting in the development and implementation of privacy policies and procedures.

    • Monitoring compliance with privacy policies and procedures pursuant to applicable federal and state privacy laws, standards, and industry best practices.

    • Performing ongoing compliance monitoring activities including initial and periodic information privacy risk assessments or analyses and implementing mitigation and remediation efforts.

    • Working with legal counsel and management to ensure forms, authorizations, and notices are current.

    • Assisting with, coordinating, and supporting departmental tracking of workforce member access to health information as needed for Privacy Office operations.

    • Developing, revising, and monitoring compliance with Privacy Awareness Training and ensuring that all users who have access to CCHCS data complete training before being provisioned and annually thereafter.

    • Monitoring patients’ rights to access, amend, and restrict access to their health information.

    • Ensuring a process for addressing complaints on privacy policies and procedures, including complaints on denial of access to health information and responding to privacy questions and issues.

    • Coordinating control activities with the CISO.

    • Conducting fact-finding for reported information security incidents, making breach determinations, and issuing notifications required by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state law and policy.

    • Coordinating with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Center for Data Insights and Innovation (CDII), state regulators, and other oversight entities in compliance reviews and investigations.

    • Coordinating with the CISO to recommend sanctions for privacy violations.

    • Coordinating with the CISO and contracting units in the development, implementation, and ongoing compliance monitoring of business associates (BA) and business associate agreements (BAA) to ensure privacy concerns, requirements, and responsibilities are addressed.

    • Identifying a point of contact by name, title, or office and telephone number in any notice describing how a patient’s health information may be used and disclosed, and how the patient may access their information, including the designated contact person or office that is responsible for receiving privacy-related complaints and providing additional information about the content of the privacy notice.

• CCHCS Chief Information Security Officer

  • The CCHCS CISO shall ensure compliance with CCHCS’ policies and procedures relating to information security.  Responsibilities include, but are not limited to:

    • Building a strategic and comprehensive information security program that defines, develops, maintains, and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality, and availability of information that is owned, controlled, or processed within the organization.  

    • Ensuring information security policies, standards, and procedures are up-to-date with applicable federal and state information security laws, licensing and certification requirements and accreditation standards.

    • Initiating, facilitating, and promoting activities to foster information security awareness within the organization.

    • Creating a culture of cyber security with information technology to drive behavioral change within the organization.

    • Evaluating security trends, evolving threats, risks, and vulnerabilities and applying tools to mitigate risk as necessary.

    • Managing security incidents and events involving electronic health information.

    • Ensuring that the technology recovery, business continuity, risk management, and access control needs of the organization are addressed.

    • Ensuring the organization complies with the administrative, technical, and physical safeguards.

    • Working closely with the CPO to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and assisting with reporting to oversight agencies.    

    • Performing and analyzing initial and periodic information security risk assessments and implementing mitigation and remediation.

    • Developing and implementing information security risk management plans.

    • Ensuring the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.

    • Overseeing periodic monitoring and reviewing of audit records to ensure the appropriateness of system activity, including, but not limited to, logons and logoffs, file accesses, updates, edits, and printing.

    • Ensuring the organization has and maintains an appropriate system use and disclosure and confidentiality statement.

    • Overseeing, developing, and delivering initial and ongoing security training to the workforce.

    • Participating in the development, implementation, and ongoing compliance monitoring of BAs and BAAs, to ensure security concerns, requirements, and responsibilities are addressed.

    • Assisting the CPO as needed with breach determination and notification processes under HIPAA and applicable state breach rules and requirements.

    • Establishing and administering a process for investigating and acting on security incidents which may result in a privacy breach.

    • Partnering with the CPO to recommend sanctions for information security violations.

    • Cooperating with the HHS OCR, CDII, state regulators, and other legal entities, organizations, or officers in any compliance reviews or investigations.

Policy

• California Correctional Health Care Services (CCHCS) shall maintain a process to account for the disclosures of patients’ Protected Health Information (PHI) in compliance with federal and state privacy laws.

Purpose

• To ensure disclosures of patient PHI are tracked and documented in order to provide an accounting of such disclosures to the patient upon their request.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the collection, use, and disclosure of PHI maintained by CCHCS.

• Under the direction of the Chief of Health Information Management (HIM), or designee, the HIM workforce members shall receive and respond to requests for an accounting of disclosures and provide reports on organization disclosures to the Privacy Office.

Procedure

• Tracking Disclosures

  • CCHCS program areas and Business Associates (BA) that disclose patient PHI shall ensure that the disclosures are documented and made available in responding to an accounting of disclosures request.

  • CCHCS program areas that disclose patient PHI shall maintain an electronic record of each accounting of disclosures sufficient to demonstrate compliance with the requirements.

    • Tracking information shall be maintained pursuant to the Health Care Department Operations Manual (HCDOM) Sections 2.3.1, Health Information Management Overview, 2.3.2, Security and Privacy, and 2.3.5, Health Information Exchange.

    • CCHCS program areas and BAs shall retain the tracking documentation records for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later.

    • CCHCS BAs shall be responsible for accounting of disclosures pursuant to the HCDOM Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information, and the Business Associate Agreement.

• Accounting of Disclosures

  • Processing Request for Accounting of Disclosures

    • HIM shall review the access and disclosure log to determine if the patient has requested an accounting of disclosures within the last 12 months. Subsequent requests of accounting of disclosures shall only include incremental disclosures made since the original accounting.

      • HIM shall print the accounting of disclosures document for the requested dates from the ‘Access HIM’ application within the Electronic Health Record System.

      • HIM shall ensure that the accounting of disclosures include the following, at a minimum:

        • The date(s) of the disclosure(s).

        • The names and title of the entity or person to whom the information was provided, and the recorded address.

        • A brief description of the health information disclosed.

        • The reason for the required or permitted disclosure.

    • HIM shall contact the program areas for the patient’s requested date(s) of disclosure(s). Programs and BAs shall provide to HIM the requested data within five calendar days of the request. HIM shall:

      • Gather, organize, and combine all data into one document.

      • Print and mail the document to the patient.

      • Update the Accounting of Disclosures tracking records.

  • Response Timing

    • HIM shall respond within 60 calendar days after receipt of a request for a patient’s accounting of disclosures.

    • If unable to respond within 60 calendar days, HIM may extend the time by no more than 30 calendar days, provided that within the initial 60-day period, HIM provides the patient with a written statement of the reasons for the delay and the date by which the accounting shall be provided.

      • Only one 30-day extension is permitted.

    • The following types of disclosures are excluded from the accounting of disclosures requirement:

      • Treatment, payment, and health care operations.

      • To the patient about themselves.

      • Resulting from or incident to an otherwise permitted disclosure.

      • Pursuant to an authorization.

      • For a facility’s directory, or to persons involved in the patient’s care or for related purposes.

      • That are part of a Limited Data Set.

      • To correctional institutions or law enforcement officials under the HIPAA corrections exception.

    • Disclosures Accounting for Research Purposes.

      • If during the period of time covered by the requested accounting, CCHCS makes disclosures for specific research purposes regarding 50 or more individuals’ records, CCHCS may account for the disclosures by providing all of the following:

        • The name of the protocol or other research activity.

        • A plain language description of the research protocol or activity, including the purpose of the research and the criteria for selecting certain records.

        • A brief description of the type of health information that was disclosed.

        • The dates or periods of time during which the disclosures occurred, or may have occurred, including the date of the last disclosure during the accounting period.

        • The name, address, and telephone number of the entity that sponsored the research and the researcher to whom the information was disclosed.

        • A statement that the health information may or may not have been disclosed for a particular protocol or particular research activity.

      • If it is reasonably likely that the health information was disclosed for a research protocol or activity, CCHCS shall, if requested by the patient, assist the patient in contacting the entity that sponsored the research and the researcher.

      • Upon request by the patient, state entities are responsible for providing an accounting of disclosures related to research for the six years prior to the request.

  • Charge for the Accounting of Disclosures

    • HIM shall not charge a fee to a currently incarcerated person who requests an accounting of disclosures.

    • HIM may charge a fee to a person no longer incarcerated as follows:

      • The first accounting of disclosures made to a person during any 12-month period of time shall be provided free of charge.

      • For any subsequent request for an accounting of disclosures made by the same person within this 12-month period, HIM may charge a reasonable, cost-based fee for the accounting, provided that HIM informs the person of the charge in advance and provides the person with an opportunity to withdraw or modify the request for a subsequent accounting to avoid or reduce the fee.

• Reporting of Accountings of Disclosures

  • HIM shall provide a report of all accountings of disclosures to the Privacy Office upon request. This report shall include all information required in each accounting, and the titles of persons or offices responsible for receiving and processing requests for accounting of disclosures.