Health Care Department Operations Manual

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy


2.2.11 Privacy Incidents and Breach Reporting

  • Policy

    • California Correctional Health Care Services (CCHCS) shall identify, investigate, and mitigate privacy incidents, provide notices when necessary to those affected and report breaches to California Department of Corrections and Rehabilitation (CDCR) and CCHCS’s oversight agencies as required by federal and state law.

  • Procedure Overview

    • CCHCS Chief Privacy Officer (CPO) shall have oversight in the reporting of privacy incidents and breaches under applicable federal and state laws, regulations, and requirements in the Health Care Department Operations Manual.

    • CCHCS Privacy Office (PO) shall provide guidance to workforce members on reporting privacy incidents and breaches and conduct mitigation efforts.

    • Privacy incidents and breaches originating from CDCR activities including, but not limited to, the CDCR Undersecretaries and offices that report to the CDCR Secretary, shall be referred to the CDCR CPO for fact-finding, analysis, intake, and response.

    • Privacy incidents and breaches which involve CDCR and CCHCS shall be cooperative and both entities shall coordinate fact-finding, analysis, intake, and response.

  • Workforce Requirements in Responding to Privacy Incidents

    • CCHCS workforce members shall:

      • Report all privacy incidents to the CCHCS Office of Information Security (OIS) via the Report Unauthorized Disclosure form within 24 hours of when an incident occurs or is discovered.

        • The form is located on Lifeline in the Service Portal.

        • Document all pertinent details in plain language in the required fields.

        • Complete all assigned Service Portal tasks.

      • Cooperate with the investigation to include providing requested documents and completing any necessary mitigation requests, attestation(s) of non-redisclosure, or training.

    • Privacy Incident and Breach Management

      • Protocol for Escalation, Internal Reporting, and Response

        • The CPO notifies executive management via email at the onset of an incident, during the incident, and upon conclusion of the incident as warranted.

        • An Incident Response Team (IRT) shall be assembled by the PO to ensure the incident is addressed in the most expeditious and efficient manner. An IRT shall respond to an incident and may include:

          • The CCHCS CPO, or designee, to act as the Escalation Manager and coordinate the response when additional program areas are required to assist.

          • Program Manager of the program area experiencing the breach.

          • CCHCS Chief Information Security Officer (CISO).

          • Public Information or Communications Officer (if the breach involves 500 or more individuals).

          • Legal Counsel.

          • Other workforce members as identified by CCHCS CPO or CISO.

            • If the breach involves multiple agencies or state entities, an IRT from each agency or state entity may be involved.

        • IRT members shall attend an initial impact assessment and response coordination meeting when a breach involves notifying 500 or more individuals, multiple agencies or state entities, or is likely to garner media attention.

          • This meeting shall clarify roles, responsibilities, and timelines for reporting and response activities.

          • When multiple agency personnel are involved, meeting attendee lists or equivalent are used to track participant involvement.

          • Non-redisclosure agreements may also be used to ensure confidential information remains confidential and communications do not compromise or complicate an active investigation.

      • Incident Tracking, Fact-Finding and Case File

        • The PO workforce members shall:

          • Monitor the incident tracking solution daily.

          • Screen incidents received and update relevant details in the incident tracking solution within 24 hours of receipt.

          • Conduct fact-finding to determine if a breach occurred.

          • Notify the CPO when escalation is necessary to obtain cooperation from other program areas to complete fact-finding.

          • Conduct a risk assessment and document all relevant information to recover, correct, or resolve the incident, including the root cause, potential harm, and mitigation efforts.

          • Maintain an electronic case file, identified by a unique case number. The case file shall contain all relevant information and documentation.

          • The CCHCS CPO, or designee, shall review the risk assessment to determine if additional information or corrective actions are needed and approve the completed risk assessment.

        • The information maintained in the incident tracking solution shall be:

          • Utilized for regular review of system activity, such as for audits, incident tracking reports, and sharing threat information electronically with the California Department of Technology (CDT).

          • Available for risk analysis or assessment which shall include, at a minimum, assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.

        • All impermissible disclosures shall be recorded in the Accounting of Disclosures within the incident tracking solution.

          • The Accounting of Disclosures shall record, at a minimum, the date of disclosure, name and address of the person or entity who received the PHI, PII, or HRCI, a brief description of the information disclosed, and a brief description of the intended reason for the disclosure.

    • Recovery and Destruction of Information Unlawfully or Improperly Disclosed

      • The PO workforce members shall:

        • Work with the responsible program area to ensure the original information is immediately recovered by the program area or obtain written verification from the program area that the data in all media types have been properly destroyed when appropriate.

        • Document all efforts and outcomes regarding recovery and destruction in the incident tracking solution.

      • Once the information (e.g., hard copies, electronic, and portable media) is recovered by the responsible program area, they shall ensure it is secured in an approved locked shred container, shredded, deleted, or disposed of according to the OIS process for electronic destruction.

    • Breach Reporting Responsibilities between CCHCS and Oversight Agencies

      • When it is determined that a breach occurred, the PO workforce members shall report the breach to the CDT OIS and the California Highway Patrol (when required by law) via the California Compliance Security Incident Reporting System (Cal-CSIRS).

      • When the breach occurs at a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (CDPH), CCHCS workforce members shall:

        • Report the breach to CDPH no later than 24 hours after the incident is discovered and no later than 24 hours if the PO workforce members determine the incident is a breach.

        • Notify the patient no later than 15 business days after a breach has been determined pursuant to the California Code of Regulations, Title 22, Section 79902, Breach Reporting for Licensed Facilities.

      • Business associates or contracted entities shall notify the CCHCS OIS no later than 24 hours after detection of a breach of PHI, PII, or HRCI via email at CCHCS-ISO@cdcr.ca.gov, or by phone at (916) 691-3243.

      • Upon receipt of a CCHCS Information Security Incident Report involving a business associate, the PO workforce members shall contact the CCHCS program area(s) responsible for monitoring the business associate agreement and contact the business associate to begin mitigation efforts for the business associate’s or its sub-contractor’s involvement in the incident.

        • If the incident or breach occurs after business hours or on a weekend or holiday and involves electronic PHI, notification shall be provided by calling the CCHCS ITSD Solution Center at 1-888-735-3470.

      • When a breach affects:

        • 500 or more individuals, the PO workforce members shall notify:

          • The Center for Data Insights and Innovation (CDII) within two business days of breach determination at CDIIPrivacyOffice@chhs.ca.gov.

          • The United States (US) Department of Health and Human Services (HHS), Office for Civil Rights (OCR) on the Breach Reporting form located at US HHS at the time notice is issued to those affected.

        • Fewer than 500 individuals, the PO shall maintain a log documenting the breaches and assigned workforce members shall submit aggregated breach information to US HHS, OCR no later than 60 calendar days after the end of each calendar year.

          • The submission shall include all breaches discovered during the preceding calendar year.

      • PO workforce members shall submit an annual accounting of all PHI breaches to CDII at the end of each calendar year or as requested.

        • The information shall be submitted on the CDII Annual Breach Reporting form and shall include actions taken to investigate and mitigate each event.

    • Breach Notification to Affected Individuals

      • The PO workforce members or entity responsible for the breach shall notify each individual who has had, or is reasonably believed to have had, PHI, PII, or HRCI inappropriately accessed, acquired, used, or disclosed as follows:

        • Notify by US first-class mail to the affected individuals’ last known address.

          • If the individual whose information has been breached is deceased, the next of kin or personal representative for the individual or patient shall be notified by US first-class mail.

        • Email is permitted if the individual agrees to electronic notice.

        • If it is determined that there is possible imminent misuse of any PHI, PII, or HRCI, notice shall be provided by telephone or other means as appropriate.

        • If the contact information is insufficient or out of date preventing written notification to the individual, the notice shall be provided as follows:

          • When fewer than ten individuals are affected, an alternate form of written notice, telephone, or other means may be provided.

          • When more than ten individuals are affected, a posting shall be placed for a period of 90 calendar days on the homepage of the CDCR or CCHCS website or in a major print or broadcast media in the geographic area where the individuals likely reside.

      • Written notifications shall use plain language and be titled “Notice of Data Breach.” The notice shall include all of the following, to the extent possible:

        • “What Happened,” a brief description of what happened, including the date of the breach, the date the breach was discovered, and, if applicable, if the notification was delayed due to a law enforcement investigation.

        • “What Information Was Involved,” a description of the types of information involved in the breach (e.g., PHI, PII, or HRCI, and other identifiers).

        • “What We Are Doing,” a brief description of the actions the state entity is taking to investigate the breach, mitigate harm to the individuals, and protect against further breaches.

        • “What You Can Do,” advisement of the steps individuals should take to protect themselves from potential harm resulting from the breach. The major credit reporting agencies’ toll-free telephone numbers and mailing addresses shall be included if the breach exposed PII such as Social Security number, driver’s license number, California identification card number, or other personal identifiers.

          • Credit Reporting Agency Information

            • Equifax: 1-800-525-6285

            • Trans Union: 1-800-680-7289

            • Experian: 1-888-397-3742

          • Advise the individuals that they may request a copy of their credit report by mail by completing an Annual Credit Report Request Form from one of the three credit reporting agency websites and sending the completed form to the following address: P.O. Box 105281, Atlanta, GA 30348-5281.

        • “Other Important Information,” the enclosure “Breach Help – Consumer Tips from the California Attorney General.” This information is available in English and Spanish and can be downloaded from https://oag.ca.gov/privacy/other-privacy/breach-help-tips-for-consumers.

        • “For More Information,” the statement “For information about your medical or personal privacy rights, you may visit the State of California Department of Justice, Office of Attorney General (OAG), Privacy Enforcement and Protection.”

        • “Agency Contact,” the name, toll-free number, and the website of the designated agency official or agency unit handling inquiries.

      • Before releasing the breach notification, the PO workforce members shall:

        • Provide a draft of the breach notification to the CDT OIS using Cal-CSIRS for review and approval.

        • Electronically report the incident to the OAG if the breach notification will be sent to 500 or more individuals.

        • Notify the CCHCS Director of Communications who shall provide a press release to the prominent media outlets serving the state and regional area without unreasonable delay when a breach affects 500 or more individuals.

    • Timing of Notification to Affected Individuals

      • The PO workforce members or entity responsible for the breach shall provide notifications in accordance with the following:

      • When the incident or breach involves a clinic, health facility, home health agency, or hospice licensed by the CDPH, a breach notification to the affected patient or patient’s representative no later than 15 business days after the breach was discovered.

        • A law enforcement agency may delay notification up to 60 calendar days with a written request or up to 30 calendar days with an oral request, if it is determined that notification will impede a criminal investigation.

      • When the incident or breach involves a non-licensed area, a breach notification within ten business days from the date a breach was reported, or reasonably believed to have occurred, to the extent possible. However, notice is required without unreasonable delay and no later than 60 calendar days.

        • Any decision to delay notification beyond ten business days but less than 60 calendar days shall be made by the CCHCS CPO in writing.

        • Notification may be delayed if a law enforcement agency determines the notification will impede a criminal investigation.

    • Documentation Retention

      • CCHCS shall retain breach policies and procedures, fact-finding, risk assessments, results, notifications, and reports for six years from the date of creation or the date when it last was in effect, whichever is later.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart D, Section 164.308(a)(1)(i)(D) and 164.400 et seq.

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530(j)

    • 21st Century Cures Act, Public Law No 114-255 (12/13/2016)

    • Coronavirus Aid, Relief, and Economic Security Act or the “CARES Act,” Pub. L. No. 116-136 (2020)

    • California Civil Code, Division 1, Part 2.6, Section 56 et seq.

    • California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 2, Section 1798.3

    • California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 7, Section 1798.29

    • California Health and Safety Code, Division 2, Chapter 2, Article 3, Section 1280.15

    • California Code of Regulations, Title 22, Division 5, Chapter 13, Article 1, Section 79902

    • California Department of Corrections and Rehabilitation, Department Operations Manual, Section 41010.3, Definitions – High Risk Confidential Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.5, Safeguards for Protected Health Information and Personally Identifiable Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.13, Handling Protected Health and Personally Identifiable Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.17, Administrative Requirements for Privacy and Security Officials

    • Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.15, Acceptable Use

    • Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.21, Data Security

    • Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.24, Incident Response

    • Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.25, Security and Privacy Awareness Training

    • California State Administrative Manual, Section 5305.7

    • California State Administrative Manual, Section 5310

    • California State Administrative Manual, Section 5320

    • California State Administrative Manual, Section 5335.2

    • California State Administrative Manual, Section 5340

    • California Statewide Health Information Policy Manual Section 2.4.1

    • California Statewide Health Information Policy Manual Section 3.1.0

    • California Statewide Information Management Manual 5340-A & C

  • Policy Control
    Executive Sponsor: Deputy Director, Policy and Risk Management Services
    Effective: 09/2015
    Revised: 05/06/2026