Article 2 – Confidentiality and Privacy
2.2.3 Sanctions and Penalties for Privacy and Information Security Violations
-
Policy
-
California Correctional Health Care Services (CCHCS) shall comply with federal and state laws and regulations to protect information security and the confidentiality and integrity of health information, and shall adhere to the California Department of Corrections and Rehabilitation (CDCR) and CCHCS privacy and information security policies. This includes recommending enforcement of appropriate sanctions against any workforce member who improperly views, uses, or discloses this information.
-
Purpose
-
To specify the procedure for sanctions against CCHCS workforce members resulting from the violation of privacy laws or CCHCS policies regarding the improper use or disclosure of Protected Health Information (PHI), Personally Identifiable Information (PII), or High-Risk Confidential Information (HRCI).
-
Responsibility
-
The Chief Privacy Officer (CPO) shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI, PII, and HRCI maintained by CCHCS. The CPO is responsible for recommending sanctions for violations of privacy and information security laws, regulations, or policies.
-
The Hiring Authority (HA) is responsible for imposing appropriate sanctions and informing the CPO of the sanction imposed.
-
CCHCS workforce members shall safeguard PHI, PII, and HRCI against improper uses or disclosures. Supervisors are responsible for ensuring that workforce members who have access to PHI, PII, and HRCI are informed of their responsibilities.
-
Procedure
-
Sanctions and Penalties
-
The CPO shall consult with the Chief Information Security Officer, Performance Management Unit manager, HA, and CCHCS Office of Legal Affairs Privacy Attorney after fact-finding to make a recommendation regarding sanctions and progressive discipline.
-
CCHCS shall apply appropriate sanctions against workforce members who fail to comply with privacy and security laws, regulations, or policies. Such failures include, but are not limited to, improperly viewing, using, disclosing, or allowing access to health information; failing to report a known breach; or reporting a privacy or information security incident in bad faith or for malicious reasons. Sanctions shall be determined in accordance with civil service and departmental progressive discipline laws, regulations, and policies, and shall be appropriate to the severity of the violation, up to and including termination.
-
Depending on the severity of the violation, law enforcement notification may be required. Workforce members may be charged with a misdemeanor or incur fines and civil penalties, depending on the economic loss to the patient and the degree of malice involved.
-
Confidentiality and Record Keeping of Privacy and Security Violations
-
Deliberations concerning privacy or security violations, at any level, may be subject to a claim of exemption under the Public Records Act. Deliberations shall be treated confidentially for both the workforce member and the patient whose protected confidential information is impacted. For all violations, all supporting documentation shall be stored in a confidential electronic file in the Privacy Office (PO).
-
All confirmed violations shall be tracked by the PO in the Disclosure Log for PHI or PII.
-
CCHCS is responsible for documenting any sanctions that are applied and for maintaining that documentation for a minimum of six years.
-
References
-
United States Code, Title 42, Chapter 7, Subchapter XI, Part C, Section 1320d-5
-
Health Information Technology for Economic and Clinical Health Act Section 13410(d)
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Parts 160 and 162
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart C, Section 164.308(a)(1)(ii)(C) and (a)(5)
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530(b)(2)(i)(B) and (e)(1)
-
United States Code, Title 18, Part 1, Chapter 31, Section 641
-
United States Code, Title 18, Part 1, Chapter 47, Section 1030
-
United States Code, Title 18, Part 1, Chapter 95, Sections 1951 and 1952
-
California Constitution, Article 1, Section 1, Right to Privacy
-
California Civil Code, Division 1, Part 2.6, Chapter 7, Section 56.36
-
California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 1, Sections 1798-1798.78
-
California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 10, Section 1798.55 et seq.
-
California Government Code, Title 1, Division 7, Chapter 3, Section 6200
-
California Government Code, Title 2, Division 5, Part 2, Chapter 7, Article 1, Section 19570-19589
-
California Health and Safety Code, Division 2, Chapter 2, Article 3, Section 1280.18
-
California Penal Code, Part 1, Title 13, Chapter 5, Section 502
-
California Penal Code, Part 4, Title 1, Chapter 1, Article 6, Sections 11141-11143
-
California Penal Code, Part 4, Title 3, Chapter 2, Article 6, Sections 13300-13305
-
California Code of Regulations, Title 15, Division 3, Chapter 1, Subchapter 5, Article 2, Section 3392
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.5, Administrative, Technical, and Physical Safeguards
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.17, Administrative Requirements for Privacy and Security Officials
-
Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.25, Security and Privacy Awareness Training
-
Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements
-
California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22, Employee Discipline
-
Statewide Health Information Policy Manual, Section 3.1.5, Security Awareness and Training
-
Statewide Health Information Policy Manual, Section 4.1.2, Privacy Training
-
Statewide Health Information Policy Manual, Section 4.1.3, Sanctions for Violation
-
Revision History
-
Effective: 02/2012
Revised: 03/03/2025
-