Health Care Department Operations Manual

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy


2.2.17 Administrative Requirements for Privacy and Security Officials

  • Policy

    • California Correctional Health Care Services (CCHCS) shall develop and maintain an entity-wide information security, privacy, and risk management strategy and program to support health information privacy and security compliance as required by federal and state privacy and security laws.

  • Purpose

    • To define specific workforce roles related to privacy and security and outline those roles in duty statements to ensure privacy and security policies and procedures are developed, implemented, monitored, and maintained.

  • Responsibility

    • The CCHCS Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO) are responsible for the implementation, monitoring, and maintenance of this policy.

  • CCHCS Workforce Staffing Roles

    • CCHCS Chief Privacy Officer

      • The CPO shall ensure compliance with CCHCS’s policies and procedures relating to privacy. Responsibilities include, but are not limited to:

        • Assisting in the development and implementation of privacy policies and procedures.

        • Monitoring compliance with privacy policies and procedures pursuant to applicable federal and state privacy laws, standards, and industry best practices.

        • Performing ongoing compliance monitoring activities including initial and periodic information privacy risk assessments or analyses and implementing mitigation and remediation efforts.

        • Working with legal counsel and management to ensure forms, authorizations, and notices are current.

        • Assisting with, coordinating, and supporting departmental tracking of workforce member access to health information as needed for Privacy Office operations.

        • Developing, revising, and monitoring compliance with Privacy Awareness Training and ensuring that all users who have access to CCHCS data complete training before being provisioned and annually thereafter.

        • Monitoring patients’ rights to access, amend, and restrict access to their health information.

        • Ensuring a process for addressing complaints on privacy policies and procedures, including complaints on denial of access to health information and responding to privacy questions and issues.

        • Coordinating control activities with the CISO.

        • Conducting fact-finding for reported information security incidents, making breach determinations, and issuing notifications required by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state law and policy.

        • Coordinating with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Center for Data Insights and Innovation (CDII), state regulators, and other oversight entities in compliance reviews and investigations.

        • Coordinating with the CISO to recommend sanctions for privacy violations.

        • Coordinating with the CISO and contracting units in the development, implementation, and ongoing compliance monitoring of business associates (BA) and business associate agreements (BAA) to ensure privacy concerns, requirements, and responsibilities are addressed.

        • Identifying a point of contact by name, title, or office and telephone number in any notice describing how a patient’s health information may be used and disclosed, and how the patient may access their information, including the designated contact person or office that is responsible for receiving privacy-related complaints and providing additional information about the content of the privacy notice.

    • CCHCS Chief Information Security Officer

      • The CCHCS CISO shall ensure compliance with CCHCS’s policies and procedures relating to information security. Responsibilities include, but are not limited to:

        • Building a strategic and comprehensive information security program that defines, develops, maintains, and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality, and availability of information that is owned, controlled, or processed within the organization.

        • Ensuring information security policies, standards, and procedures are up-to-date with applicable federal and state information security laws, licensing and certification requirements and accreditation standards.

        • Initiating, facilitating, and promoting activities to foster information security awareness within the organization.

        • Creating a culture of cyber security with information technology to drive behavioral change within the organization.

        • Evaluating security trends, evolving threats, risks, and vulnerabilities and applying tools to mitigate risk as necessary.

        • Managing security incidents and events involving electronic health information.

        • Ensuring that the technology recovery, business continuity, risk management, and access control needs of the organization are addressed.

        • Ensuring the organization complies with the applicable administrative, technical, and physical safeguards.

        • Working closely with the CPO to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and assisting with reporting to oversight agencies.

        • Performing and analyzing initial and periodic information security risk assessments and implementing mitigation and remediation.

        • Developing and implementing information security risk management plans.

        • Ensuring the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.

        • Overseeing periodic monitoring and review of audit records to ensure the appropriateness of system activity, including, but not limited to, logons and logoffs, file accesses, updates, edits, and printing.

        • Ensuring the organization has and maintains an appropriate system use and disclosure and confidentiality statement.

        • Overseeing, developing, and delivering initial and ongoing security training to the workforce.

        • Participating in the development, implementation, and ongoing compliance monitoring of BAs and BAAs, to ensure security concerns, requirements, and responsibilities are addressed.

        • Assisting the CPO as needed with breach determination and notification processes under HIPAA and applicable state breach rules and requirements.

        • Establishing and administering a process for investigating and acting on security incidents which may result in a privacy breach.

        • Partnering with the CPO to recommend sanctions for information security violations.

        • Cooperating with the HHS OCR, CDII, state regulators, and other legal entities, organizations, or officers in any compliance reviews or investigations.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart C, Section 164.308 – Administrative Safeguards

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.520 – Notice of Privacy Practices for Protected Health Information

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530 – Administrative Requirements

    • Health Care Department Operations Manual, Section 2.2.9 Business Associate Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Section 5.3.25 Security and Privacy Awareness Training

    • State Administrative Manual 5305.3, Information Security Roles and Responsibilities

    • State Administrative Manual 5305.5, Information Asset Management

    • State Administrative Manual 5310, Privacy

    • Statewide Health Information Policy Manual, Section 5.3.1, Notice of Privacy Practices

    • Statewide Health Information Policy Manual, Section 4.1.4, Staffing: Privacy Official, Security Official

  • Revision History

    • Effective: 10/23/2023

    • Reviewed: 09/09/2025