Article 2 – Confidentiality and Privacy
2.2.11 Privacy Incidents and Breach Reporting
Policy

California Correctional Health Care Services (CCHCS) shall identify, investigate, and mitigate privacy incidents, provide notices when necessary to those affected, and report breaches to California Department of Corrections and Rehabilitation (CDCR) and CCHCS’s oversight agencies as required by federal and state law.

Purpose

To provide guidance on reporting privacy incidents and breaches and ensure the CCHCS Privacy Office (PO) conducts mitigation efforts in compliance with federal and state law.

Responsibility

The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and assist in reporting privacy incidents and breaches under applicable federal and state laws, regulations, and requirements in the Health Care Department Operations Manual.

Privacy incidents and breaches originating from CDCR activities, including, but not limited to, the CDCR Undersecretaries and offices that report to the CDCR Secretary, shall be referred to the CDCR CPO for fact-finding, analysis, intake, and response.

Privacy incidents and breaches which involve both CDCR and CCHCS shall be handled cooperatively, and both entities shall coordinate fact-finding, analysis, intake, and response.
Procedure for Reporting Privacy Incidents

CCHCS workforce members shall:

- Report all privacy incidents to the CCHCS Office of Information Security (OIS) within 24 hours of when an incident occurs or is discovered.
- Document all details on the CCHCS Information Security Incident Report (ISIR) found on Lifeline, under Information Technology, OIS.
- Ensure all instructions listed on the ISIR are followed, documenting the incident in plain language and including the following reporting requirements:
  - The name and contact information of the reporting individual.
  - A list of the types of confidential information reasonably believed to be the subject of the incident.
  - The date or estimated date range when the incident occurred.
  - The date the incident was discovered.
  - A general description of the incident.
  - Identification of any CCHCS program areas that may have information regarding the incident which may assist the investigation and fact-finding.
  - Efforts to mitigate harm and any additional steps taken to prevent further disclosure or future occurrences.
  - The number of patients or individuals affected by the potential disclosure and the number of individuals who potentially received the information.
  - The date the ISIR is submitted to OIS.
- Submit the ISIR via email to the CCHCS OIS, who shall review the ISIR, conduct an initial assessment, and assign a case number to the incident.

The CCHCS OIS shall forward any ISIRs that document privacy incidents to CCHCSPrivacyOffice@cdcr.ca.gov.
Privacy Incident and Breach Management

Protocol for Escalation, Internal Reporting, and Response

The CPO notifies executive management via email at the onset of an incident, during the incident, and upon conclusion of the incident as warranted.

An Incident Response Team (IRT) shall be assembled by the PO to ensure the incident is addressed in the most expeditious and efficient manner. An IRT shall respond to an incident and may include:

- The CCHCS CPO, or designee, to act as the Escalation Manager and coordinate the response when additional program areas are required to assist.
- Program Manager of the program area experiencing the breach.
- CCHCS Chief Information Security Officer (CISO).
- Public Information or Communications Officer (if the breach involves 500 or more individuals).
- Legal Counsel.
- Other workforce members as identified by the CCHCS CPO or CISO.

If the breach involves multiple agencies or state entities, an IRT from each agency or state entity may be involved.

IRT members shall attend an initial impact assessment and response coordination meeting when a breach involves notifying 500 or more individuals, involves multiple agencies or state entities, or is likely to garner media attention.

- This meeting shall clarify roles, responsibilities, and timelines for reporting and response activities.
- When multiple agency personnel are involved, meeting attendee lists or equivalent records are used to track participant involvement.
- Non-redisclosure agreements may also be used to ensure confidential information remains confidential and communications do not compromise or complicate an active investigation.
Incident Tracking, Fact-Finding, and Case File

The PO workforce members shall:

- Monitor the Privacy Office mailbox daily.
- Screen ISIRs received and document the case number and incident details in the incident tracking solution within 24 hours of receipt from CCHCS OIS.
- Conduct fact-finding to determine if a breach occurred and, as required, supplement the ISIR with additional information from the individual who submitted the ISIR or from other workforce members who may have relevant information about the incident, including Information Technology, Health Information Management, or program area managers.
- Notify the CPO when escalation is necessary to obtain cooperation from other program areas to complete fact-finding.
- Conduct a risk assessment and document all relevant information needed to recover, correct, or resolve the incident, including the root cause, potential harm, and mitigation efforts, as follows:
  - The nature and extent of the Personal Health Information (PHI), Personally Identifiable Information (PII), or High-Risk Confidential Information (HRCI) involved, including the types of identifiers and the likelihood of re-identification.
  - The unauthorized person or entity who used the PHI, PII, or HRCI, or to whom the disclosure was made.
  - Whether the PHI, PII, or HRCI was actually acquired or viewed or, alternatively, whether the opportunity existed for the information to be acquired or viewed.
  - A determination of whether the incident created a risk and, if so, the extent to which the risk has been mitigated.
- Ensure sufficient information is obtained upon completion of the risk assessment to determine if a breach notification will be issued.
- Determine if the incident is a breach.
- Maintain an electronic case file, identified by a unique case number. The case file shall contain all relevant information as documented on the ISIR and risk assessment.

The CCHCS CPO, or designee, shall review the risk assessment to determine if additional information or corrective actions are needed and approve the completed risk assessment.

The information maintained in the incident tracking solution shall be:

- Utilized for regular review of system activity, such as for audits, incident tracking reports, and sharing threat information electronically with the California Department of Technology (CDT).
- Available for risk analysis or assessment, which shall include, at a minimum, assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.

All impermissible disclosures shall be recorded in the Accounting of Disclosure tracking log within the incident tracking solution.

The log shall record, at a minimum, the date of disclosure, the name and address of the person or entity who received the PHI, PII, or HRCI, a brief description of the information disclosed, and a brief description of the intended reason for the disclosure.
Recovery and Destruction of Information Unlawfully or Improperly Disclosed

The PO workforce members shall:

- Work with the responsible program area to ensure the original information is immediately recovered by the program area, or obtain written verification from the program area that the data in all media types have been properly destroyed.
- Document all efforts and outcomes regarding recovery and destruction in the incident tracking solution.

Once the information (e.g., hard copies, electronic files, and portable media) is recovered by the responsible program area, the program area shall ensure it is secured in an approved locked shred container, shredded, deleted, or disposed of according to the OIS process for electronic destruction.
Breach Reporting Responsibilities between CCHCS and Oversight Agencies

When it is determined that a breach occurred, the PO workforce members shall report the breach to the CDT OIS and the California Highway Patrol (when required by law) via the California Compliance Security Incident Reporting System (Cal-CSIRS).

When the breach occurs at a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (CDPH), CCHCS workforce members shall:

- Report the breach to CDPH no later than 24 hours after the incident is discovered, and no later than 24 hours after the PO workforce members determine that the incident is a breach.
- Notify the patient no later than 15 business days after a breach has been determined, pursuant to the California Code of Regulations, Title 22, Section 79902, Breach Reporting for Licensed Facilities.

Business associates or contracted entities shall notify the CCHCS OIS no later than 24 hours after detection of a breach of PHI, PII, or HRCI, via email at CCHCS-ISO@cdcr.ca.gov or by phone at (916) 691-3243.

Upon receipt of an ISIR involving a business associate, the PO workforce members shall contact the CCHCS program area(s) responsible for monitoring the business associate agreement and contact the business associate to begin mitigation efforts for the business associate’s or its subcontractor’s involvement in the incident.

If the incident or breach occurs after business hours or on a weekend or holiday and involves electronic PHI, notification shall be provided by calling the CCHCS ITSD Solution Center at 1-888-735-3470.

When a breach affects:

- 500 or more individuals, the PO workforce members shall notify:
  - The Center for Data Insights and Innovation (CDII) within two business days of breach determination at CDIIPrivacyOffice@chhs.ca.gov.
  - The United States (US) Department of Health and Human Services (HHS), on the Breach Reporting form located at US HHS, at the time notice is issued to those affected.
- Fewer than 500 individuals, the PO shall maintain a log documenting the breaches, and assigned workforce members shall submit aggregated breach information to US HHS no later than 60 calendar days after the end of each calendar year on the Breach Reporting Log located at US HHS.
  - The submission shall include all breaches discovered during the preceding calendar year.

PO workforce members shall submit an annual accounting of all PHI breaches to CDII at the end of each calendar year or as requested.

The information shall be submitted on the CDII Annual Breach Reporting form and shall include actions taken to investigate and mitigate each event.
Breach Notification to Affected Individuals

The PO workforce members or the entity responsible for the breach shall notify each individual who has had, or is reasonably believed to have had, PHI, PII, or HRCI inappropriately accessed, acquired, used, or disclosed, as follows:

- Notify by first-class mail to the affected individual’s last known address.
  - If the individual whose information has been breached is deceased, the next of kin or personal representative for the individual or patient shall be notified by first-class mail.
- Email is permitted if the individual agrees to electronic notice.
- If it is determined that there is possible imminent misuse of any PHI, PII, or HRCI, notice shall be provided by telephone or other means as appropriate.
- If the contact information is insufficient or out of date, preventing written notification to the individual, the notice shall be provided as follows:
  - When fewer than ten individuals are affected, an alternate form of written notice, telephone, or other means may be provided.
  - When more than ten individuals are affected, a posting shall be placed for a period of 90 calendar days on the homepage of the CDCR or CCHCS website, or in major print or broadcast media in the geographic area where the individuals likely reside.

Written notifications shall use plain language and be titled “Notice of Data Breach.” The notice shall include all of the following, to the extent possible:

- “What Happened,” a brief description of what happened, including the date of the breach, the date the breach was discovered, and, if applicable, whether the notification was delayed due to a law enforcement investigation.
- “What Information Was Involved,” a description of the types of information involved in the breach (e.g., PHI, PII, or HRCI, and other identifiers).
- “What We Are Doing,” a brief description of the actions the state entity is taking to investigate the breach, mitigate harm to the individuals, and protect against further breaches.
- “What You Can Do,” advisement of the steps individuals should take to protect themselves from potential harm resulting from the breach. The major credit reporting agencies’ toll-free telephone numbers and mailing addresses shall be included if the breach exposed PII such as Social Security number, driver’s license number, California identification card number, or other personal identifiers.

  Credit Reporting Agency Information:
  - Equifax: 1-800-525-6285
  - Trans Union: 1-800-680-7289
  - Experian: 1-888-397-7342

  Advise the individuals that they may request a copy of their credit report by mail by completing an Annual Credit Report Request Form from one of the three credit reporting agency websites and sending the completed form to the following address: P.O. Box 105281, Atlanta, GA 30348-5281.

- “Other Important Information,” the enclosure “Breach Help – Consumer Tips from the California Attorney General.” This information is available in English and Spanish and can be downloaded from https://oag.ca.gov/privacy/other-privacy/breach-help-tips-for-consumers.
- “For More Information,” the statement “For information about your medical or personal privacy rights, you may visit the State of California Department of Justice, Office of Attorney General (OAG), Privacy Enforcement and Protection.”
- “Agency Contact,” the name, toll-free number, and website of the designated agency official or agency unit handling inquiries.

Before releasing the breach notification, the PO workforce members shall:

- Provide a draft of the breach notification to the CDT OIS using Cal-CSIRS for review and approval.
- Electronically report the incident to the OAG if the breach notification will be sent to 500 or more individuals.
- Notify the CCHCS Director of Communications, who shall provide a press release to the prominent media outlets serving the state and regional area without unreasonable delay when a breach affects 500 or more individuals.
Timing of Notification to Affected Individuals

The PO workforce members or the entity responsible for the breach shall provide notifications in accordance with the following:

- When the incident or breach involves a clinic, health facility, home health agency, or hospice licensed by the CDPH, a breach notification shall be provided to the affected patient or the patient’s representative no later than 15 business days after the breach was discovered.
  - A law enforcement agency may delay notification up to 60 calendar days with a written request, or up to 30 calendar days with an oral request, if it is determined that notification will impede a criminal investigation.
- When the incident or breach involves a non-licensed area, a breach notification shall be provided within ten business days from the date a breach was reported, or reasonably believed to have occurred, to the extent possible. However, notice is required without unreasonable delay and no later than 60 calendar days.
  - Any decision to delay notification beyond ten business days but less than 60 calendar days shall be made by the CCHCS CPO in writing.
  - Notification may be delayed if a law enforcement agency determines the notification will impede a criminal investigation.
Documentation Retention

CCHCS shall retain breach policies and procedures, fact-finding, risk assessments, results, notifications, and reports for six years from the date of creation or the date when it last was in effect, whichever is later.
References

- Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart D, Section 164.308(a)(1)(i)(D) and 164.400 et seq.
- Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530(j)
- 21st Century Cures Act, Pub. L. No. 114-255 (12/13/2016)
- Coronavirus Aid, Relief, and Economic Security Act or the “CARES Act,” Pub. L. No. 116-136 (2020)
- California Civil Code, Division 1, Part 2.6, Section 56 et seq.
- California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 7, Section 1798.29
- California Health and Safety Code, Division 2, Chapter 2, Article 3, Section 1280.15
- California Code of Regulations, Title 22, Division 5, Chapter 13, Article 1, Section 79902
- California Department of Corrections and Rehabilitation, Department Operations Manual, Section 41010.3, Definitions – High Risk Confidential Information
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.5, Administrative, Technical, and Physical Safeguards
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.13, Handling Protected Health and Personally Identifiable Information
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.17, Administrative Requirements for Privacy and Security Officials
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.15, Acceptable Use
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.21, Data Security
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.24, Incident Response
- California State Administrative Manual, Section 5305.7 (1)
- California State Administrative Manual, Section 5315
- California State Administrative Manual, Section 5335.2
- California Statewide Health Information Policy Manual, Section 2.4.1
- California Statewide Health Information Policy Manual, Section 3.1.0
- California Statewide Information Management Manual, 5335-A
- California Statewide Information Management Manual, 5340-B-C

Revision History

Effective: 09/2015
Revised: 07/30/2025