Chapter 5 – Administrative

Policy

• The California Correctional Health Care Services (CCHCS), Health Care Regulations and Policy Section (RPS), shall facilitate the development, revision, adoption and publication of health care regulations, the Health Care Department Operations Manual (HCDOM), and health care forms. Health care regulations shall be adopted and maintained according to statutory requirements pursuant to the Administrative Procedure Act (APA) as set forth in Government Code, Section 11340, et seq. CCHCS’ designated internal and external stakeholders shall have the opportunity to review health care regulations, and the HCDOM prior to implementation as defined within this policy.

• References to regulations, HCDOM, and forms within this procedure pertain to medical and dental services. The Regulation and Policy Management Branch (RPMB), California Department of Corrections and Rehabilitation (CDCR), provides guidance and support for non-health care related regulations and policies.

Responsibility

• Approval Authority

  • The Receiver and the Undersecretary, Health Care Services, are the approval authorities for the content of the HCDOM.

• Headquarters

  • CDCR and CCHCS departmental leadership at all levels of the organization, within the scope of their authority, are responsible for the review, approval, and implementation of health care regulations, HCDOM, and health care forms.

  • RPS consists of the Health Care Regulations and HCDOM Teams and is responsible for the implementation, monitoring, and evaluation of this procedure.

  • RPS shall ensure noticed and adopted regulatory packages, as required by statute, and the current version of the HCDOM are available electronically on Lifeline, CDCR Hub, and the CCHCS internet.

    • All CCHCS documents posted to the public-facing internet shall be compliant with the Americans with Disabilities Act, pursuant to Government Code, Section 11546.7.

  • RPS is responsible for notifying CDCR and CCHCS staff of changes to health care regulations, HCDOM, care guides, protocols, and health care forms via statewide email distribution.

• Regional

  • Regional Health Care Executives (RHCEs) shall aggregate and provide feedback from their assigned region on draft health care regulations or HCDOM sections during the executive approval process.

• Institutional

  • The Chief Executive Officer (CEO), or designee, of each institution shall ensure:

  • Training is provided to health care staff on new and revised health care regulations, HCDOM sections, care guides, protocols, and health care forms.

  • Local operating procedures are maintained in accordance with the HCDOM and provided to the RHCEs, as required.

  • Documentation of health care regulations and HCDOM implementation activities are maintained in an established training file (proof of practice file).

  • Hardcopies of the current versions of Title 15 of the California Code of Regulations (CCR), appropriate HCDOM sections, care guides, and policy memoranda are available in the law library of each institution.

• Health Care Regulations and Policy Section

  • RPS staff shall ensure Title 15, Division 3, Chapter 2, the HCDOM, and forms do not include informal terms or language.

Procedure

• Content Review and Development

  • Each health care regulation, HCDOM section, and health care form shall be reviewed biennially. RPS shall provide notification to affected program(s) based on the last revision or review date.

  • The program shall have 14 calendar days to review applicable health care regulations and HCDOM sections (including links) to ensure content is current and accurate and notify RPS of any necessary revisions.

  • RPS shall track the review to ensure the program communicates if revisions are required or if the content remains current and accurate.

  • When health care regulations revisions are required, the program shall contact the Regulations Team via HealthCareRegulations@cdcr.ca.gov for assignment of the regulatory package to staff.

  • If the program confirms the content of the regulation remains current, the Regulations Team shall input the confirmation into an electronic tracking system.

  • When HCDOM or form revisions are required, the program shall contact the HCDOM Team via HealthCareDOM@cdcr.ca.gov to request the current published version and submit the revision to the HCDOM Team upon completion.

  • If the program confirms the content of the HCDOM section remains current, the HCDOM Team shall update the revision history to include the date reviewed.

• Health Care Regulations

  • Revision or Development

    • The Regulations Team shall:

      • Review and revise or develop the regulatory text to ensure it meets the standards set forth in the APA in collaboration with the program, CCHCS Office of Legal Affairs (COLA), and Office of Legal Affairs (OLA), CDCR.

      • Develop the initial statement of reasons in collaboration with the program, COLA, and OLA.

      • Perform all processes required by the APA and Title 1 of the CCR, including preparing all required documents and forms.

      • Notify the HCDOM Team of any proposed regulatory changes for determination of potential impact to the HCDOM via HealthCareDOM@cdcr.ca.gov.

    • The HCDOM team shall:

      • Perform a HCDOM impact determination, as needed, to identify existing HCDOM sections that may require revision or new HCDOM provisions that may be needed based on the proposed regulations.

      • Assist the program with the development or revision, and facilitate workgroups, if necessary.

  • Executive Routing

    • The following review and approval process shall occur for each regulatory package. The Regulations Team shall incorporate feedback and obtain approval of any changes from COLA, OLA, the program, the Associate Director, Risk Management Branch, and the Deputy Director, Policy and Risk Management Services, as needed, at each level of executive routing. The Regulations Team shall preserve electronic feedback and approvals throughout the process.

    • Level One: the Regulations Team shall route the package to the following as indicated for approval, in consecutive order:

      • COLA, OLA, and program(s) Subject Matter Experts via email.

      • Associate Director, Risk Management Branch, CCHCS.

      • Deputy Director, Policy and Risk Management Services, CCHCS.

      • Deputy Director, Fiscal Management, CCHCS, for signature.

    • Level Two: the Regulations Team shall concurrently email the package to the following for review and feedback:

      • CCHCS Deputy Directors.

      • RHCEs.

      • Office of Legislation, CDCR, to determine if review by the Governor’s Office is required.

      • Office of the Special Master.

      • Prison Law Office (PLO).

      • Rosen, Bien, Galvan and Grunfeld (RBGG)

      • The Regulations Team shall notify non-responsive executives that their lack of response is recorded as assumed concurrence.

    • Level Three: the Regulations Team shall concurrently email the package to the following for approval:

      • CCHCS Directors.

      • Director, Division of Adult Institutions.

      • Chief Counsel, COLA.

      • General Counsel, OLA.

    • Level Four: the Regulations Team shall email the package to the following for approval, in consecutive order:

      • Undersecretary, Health Care Services.

      • Receiver.

    • Following receipt of all approvals, the regulatory package shall be routed via Docusign to the Secretary, CDCR, for final signature. If necessary, the Regulations Team shall concurrently submit the package to the Governor’s Office and/or the Department of Finance for a 30-day review following approval and signature by the Secretary.

    • Upon completion of all reviews, the Regulations Team shall submit the regulatory package to the Office of Administrative Law

  • Notice Posting and Distribution

    • Upon publication of the Notice, the Regulations Team shall email the Public Information Officer (PIO) at each institution the following:

      • A PDF containing all the documents included in the Notice, including the CDCR 7554, Notice of Change to Health Care Regulations.

      • A blank CDCR 621-HC, Certification of Posting.

    • Within five calendar days of receipt of the Notice, each institution’s PIO, or designee, shall:

      • Post the CDCR 7554 on staff and incarcerated person bulletin boards.

      • Post the CDCR 7554 in incarcerated person housing units, corridors, and other areas easily accessible to incarcerated persons.

      • Post the CDCR 7554 in institution health care facilities.

      • Post the CDCR 7554 in incarcerated person security housing and specialized housing units.

      • Provide the full contents of the Notice to incarcerated person law libraries.

      • Provide the full contents of the Notice to incarcerated person advisory committees/councils.

    • Within ten calendar days of receipt of the Notice, each institution’s PIO, or designee, shall submit a single, completed CDCR 621-HC to HealthCareRegulations@cdcr.ca.gov certifying the institution’s compliance with the posting and distribution requirements outlined in Section (c)(2)(C)2.

    • The Regulations Team shall track each institution’s compliance with the posting and CDCR 621-HC submittal requirements and notify the PIO, CEO, and Warden of non-responsive institutions 11 calendar days following the initial email to the PIOs.

  • Public Comment Period and Public Hearing

    • The 45-day public comment period begins upon publication of the Notice in the California Regulatory Notice Register and shall conclude with a public hearing.

      • Public Hearing

        • The Regulations Team shall schedule a hearing to receive public comments and notify the program, COLA, and OLA via an Outlook invite.

        • Attendees shall be provided the opportunity to present their comments orally or in writing.

        • If comments are received during the APA public comment period(s), the Regulations Team shall work collaboratively with the program, COLA, and OLA, if necessary, to develop responses to the comments and revise the final rulemaking package as needed.

    • The Regulations Team shall post noticed and adopted regulatory packages on Lifeline, CDCR Hub, and the CCHCS internet in accordance with statutory requirements. All adopted regulations shall be distributed to CDCR and CCHCS staff via statewide email upon publication on Westlaw.

  • Petitions

    • The Regulations Team shall process responses to petitions to adopt, amend, or repeal health care regulations, as well as underground regulations petitions related to health care documents, according to requirements set forth in the APA and in collaboration with the impacted program(s), COLA, and OLA, if necessary.

    • Any petitions related to health care regulations received by any CDCR/CCHCS staff shall be immediately forwarded to HealthCareRegulations@cdcr.ca.gov.

  • Pilot Programs

    • Programs considering a pilot related to the provision of health care shall submit the concept to the HealthCareRegulations@cdcr.ca.gov.

    • The Regulations Team shall determine whether the potential pilot meets the definition of a pilot program in Penal Code, Section 5058.1.

    • The Regulations Team shall develop and process all documents necessary for incorporation of the pilot program into the CCR, according to requirements set forth in the APA and in collaboration with the impacted program(s), COLA, and OLA, if necessary.

  • Annual Mailing

    • Pursuant to Government Code, Section 14911, the Regulations Team shall send a notification to all individuals on the CDCR/CCHCS notice of regulatory action mailing and email lists requesting that individuals verify they wish to remain on the list and/or provide updated contact information.

    • This notification shall be sent out via postcard to the mailing list and via email to the email list in April of each calendar year.

    • The Regulations Team shall remove the names of individuals from the CDCR notice of regulatory action mailing and email lists when:

      • They do not respond within 30 calendar days of the notification.

      • Their notifications (email or postcard) are undeliverable or “returned to sender.”

      • They request to be removed from the list.

    • At any time and upon request, the Regulations Team shall add an individual or entity to the mailing and/or email list.

  • Annual Rulemaking Calendar

    • RPMB is responsible for preparation of the Annual Rulemaking Calendar, which covers all regulatory actions that may be filed in the coming calendar year.

    • At RPMB’s request, the Regulations Team shall provide RPMB with an Annual Rulemaking Calendar for health care regulatory actions in accordance with Government Code, Section 11017.6.

  • Annual Title 15 Printing

    • The Regulations Team shall incorporate changes to Title 15, Division 3, Chapter 2, in real time throughout the year into a searchable PDF available to all CDCR/CCHCS staff and provide RPMB with the adopted, amended, and repealed regulations since the last printing, including a revised table of contents.

    • RPMB oversees the annual publication of the printed Title 15 and its distribution to institutions, facilities, and offices.

  • Stakeholder Review

    • The Regulations Teams shall process and respond to requests for CCHCS stakeholder review regarding proposed regulatory changes.

• Health Care Department Operations Manual

  • New and Revised HCDOM Sections

    • Upon statewide release of a HCDOM section, the Regulations Team shall perform a Regulatory Impact Determination to identify existing regulations that require revision or new regulations.

    • The HCDOM Team shall review, format, and edit the HCDOM section and resolve issues collaboratively with all impacted programs, as necessary.

  • Content Approval and Distribution

    • Clinical Operations Team (COT) and Joint Clinical Executive Team (JCET)

      • The HCDOM Team shall submit the HCDOM sections to COT and JCET for approval.

      • A representative from the HCDOM Team shall attend the COT meeting in which the content will be reviewed.

      • If COT or JCET has revisions, the HCDOM Team shall incorporate the changes and collaborate with the program(s), as necessary.

      • The JCET representative shall notify the HCDOM Team of the outcome of the JCET meeting.

      • Following COT and JCET’s approval, the HCDOM Team shall prepare the HCDOM section for executive routing.

    • Executive Routing – Clinical HCDOM Sections

      • The HCDOM Team shall email the final draft of the clinical HCDOM section to the following, concurrently in each group, in consecutive order depending upon legal authority:

      • Attorney, COLA; Attorney, OLA; Labor Relations, CCHCS; Human Resources, CCHCS; RHCEs; Information Technology (IT); Institution Operations; Acquisitions Management; Direct Care Contracts; Fiscal Management; Coleman experts, PLO, and RBGG.

      • Director, Health Care Services; Director, Health Care Policy and Administration; Chief Counsel, COLA; Director, Legislation and Special Projects; and Director, Corrections Services, concurrently, and a separate email to the Director, Division of Adult Institutions.

      • Undersecretary, Health Care Services.

      • Receiver

    • Prison Law Office 30-Day Notice

      • Following executive approval, the HCDOM Team shall submit the clinical HCDOM section to the PLO for the notice period, pursuant to the Plata court order.

      • If formal written comments are received from the PLO, the HCDOM Team shall collaborate with the program(s), as necessary, to provide a response to the PLO. Following the response to the PLO or if no comments are received from the PLO, the HCDOM Team shall post the clinical HCDOM section on Lifeline and the CCHCS internet and distribute to CDCR and CCHCS staff via statewide email.

  • Executive Routing – Dental HCDOM Section

    • The HCDOM Team shall email the final draft of the dental HCDOM section to the following, concurrently in each group, in consecutive order depending upon legal authority:

    • Attorney, COLA; Attorney, OLA; Labor Relations, CCHCS; Human Resources CCHCS; IT; Acquisitions Management; Direct Care Contracts; and Fiscal Management.

    • Director, Health Care Services; Director, Health Care Policy and Administration; Chief Counsel, COLA; Director, Legislation and Special Projects; and Director, Corrections Services, concurrently, and a separate email to the Director, Division of Adult Institutions.

    • Undersecretary, Health Care Services.

    • Following executive approval, the HCDOM Team shall post the dental HCDOM section on Lifeline and the CCHCS internet and distribute to CDCR and CCHCS staff via statewide email.

  • Administrative Content Approval and Distribution

    • The program shall obtain approval of content from COLA, Labor Relations, CCHCS, and the Director, Health Care Policy and Administration for all new policies, prior to submitting the draft section to the HCDOM Team. Content review for policy revisions shall be reviewed and approved by the Deputy Director of the program.

    • The HCDOM Team shall:

      • Submit the section to COT and JCET if there is a clinical impact, to Field Operations if there is a custody impact, and to IT if there is an IT impact.

      • Submit the section to applicable programs for feedback, as needed.

      • Route the final draft for review and approval to the following, in consecutive order:

        • Associate Director, Risk Management Branch, CCHCS.

        • Deputy Director, Policy and Risk Management Services, CCHCS.

        • Director, Health Care Policy and Administration, CCHCS.

      • Following executive approval, post the administrative HCDOM section on Lifeline and distribute via email to the distribution list specified by the program (e.g., CDCR and CCHCS all staff, executive staff).

  • The Chief Privacy Officer and the Chief Information Security Officer shall:

    • Complete an annual self-attestation to certify that the appropriate HCDOM policies related to the Health Insurance Portability and Accountability Act have been reviewed and are compliant with the most recent version of the Statewide Health Information Policy Manual and Office of Civil Rights annual review requirement.

    • Provide the self-attestation to the Center for Data Insights and Innovation.

  • Revision history that includes the month, day, and year of the revision shall be updated for each revised HCDOM section.

  • Archived HCDOM sections shall be retained for a minimum of six years.

• Health Care Forms

  • New and Revised Forms

    • The HCDOM Team shall review, format, and edit the form and resolve issues collaboratively with the program, as necessary.

  • Approval and Distribution

    • The HCDOM Team shall submit the form to COT and JCET for approval.

      • A representative from the HCDOM Team shall attend the COT meeting in which the form will be reviewed.

      • If COT or JCET has revisions, the HCDOM Team shall incorporate the changes and work collaboratively with the program(s), as necessary.

      • The JCET representative shall notify the HCDOM Team of the outcome of the JCET meeting.

    • Following COT and JCET approval, the HCDOM Team shall finalize the form.

      • Clinical forms shall be posted on Lifeline and the CDCR Hub and distributed to CDCR and CCHCS staff via statewide email.

      • Dental forms shall be provided to the program.

• Stakeholder Review

  • Requests for CCHCS stakeholder review of CDCR Department Operation Manual revisions shall be submitted to the Deputy Director, Policy and Risk Management Services.

  • The HCDOM Team shall solicit and aggregate CCHCS program feedback and provide a response to RPMB or any other requesting agency.

• Care Guides

  • The program shall submit new or revised care guides that have been approved by the Clinical Documentation and Decision Support Committee, COT, and JCET to the HCDOM Team via HealthCareDOM@cdcr.ca.gov.

  • Approval and Distribution

    • The HCDOM Team shall:

    • Email the final draft of the care guide to the following, in consecutive order:

      • Director, Health Care Services.

      • Labor Relations, CCHCS.

    • Following executive approval, post the care guide on Lifeline and the CCHCS internet, provide a courtesy notice to CCHCS executives and the PLO, and distribute to CDCR and CCHCS staff via statewide email.

• Protocols

  • The program shall submit new or revised protocols approved by the Deputy Director, Nursing Services, to the HCDOM Team via HealthCareDOM@cdcr.ca.gov.

  • Approval and Distribution

    • The HCDOM Team shall:

    • Email the final draft of the protocol to the following, in consecutive order:

      • Director, Health Care Services.

      • Labor Relations, CCHCS

    • Following executive approval, post the protocol to Lifeline, provide a courtesy notice to CCHCS executives and the PLO, and distribute to CDCR and CCHCS staff via statewide email.

• Policy Memorandums

  • The program shall submit draft policy memorandums to the HCDOM Team via HealthCareDOM@cdcr.ca.gov.

  • The HCDOM Team shall:

    • Review, format, edit, and assign a number to the policy memorandum and resolve issues collaboratively with the program(s), as necessary.

    • Route the final draft of the policy memorandum for signature to the designated signers.

    • Following approval and signature, post the policy memorandum on Lifeline and distribute to the distribution list designated by the program and initiate HCDOM revisions, if necessary.

• Written Language Translations

  • The program shall:

  • Send health care forms and patient education that require language translation (e.g., English to Spanish) to the contracted vendor.

  • Upon completion and verification of the translated material, submit to the HCDOM team to post and distribute the document accordingly.

• Content Approval Tracking

  • RPS shall monitor and track the status of new and revised health care regulations, HCDOM sections, health care forms, care guides, and protocols that are pending approval, through SharePoint matrices.

  • RPS shall generate a status report from the SharePoint matrices and provide it to the Director, Health Care Policy and Administration, on a weekly basis, and to CCHCS executive leadership as requested.

Policy

• The California Public Records Act (PRA) requires that government records be released to the public, upon request, unless the records are specifically exempt from disclosure by law.  Under provisions of the PRA, California Correctional Health Care Services (CCHCS) shall ensure timely responses to all health care-related PRA requests.

• Responsive records to a PRA request shall be released unless they disclose personal, medical, or other private information about an individual; confidential financial or trade secret information about a company/vendor; are exempt under the PRA; or the PRA requester chooses not to remit the assessed fee for the records.  All requests for records shall be considered PRA requests with the exception of subpoenas, court orders, search warrants, or legal documents.  It is not necessary for a records request to cite the PRA or any other authority, to state the purpose for the request, or to identify themselves or their affiliation.

Responsibilities

• The Deputy Director, Policy and Risk Management Services, or designee, has the authority to release records requested under the PRA and shall ensure departmental compliance with this policy.

• The Associate Director, Risk Management Branch (AD RMB), shall designate a CCHCS PRA Coordinator, or designee, responsible for releasing all health care-related PRA requests.

• The CCHCS PRA Coordinator, or designee, shall ensure instructions for making a PRA request are posted at CCHCS headquarters and https://cchcs.ca.gov/pra/ at all times. The Chief Executive Officer, or designee, at each institution shall ensure the PRA instructions are posted in the law libraries.

• Health Care Litigation Support Section (LSS) staff are responsible for researching PRA requests; contacting programs for responsive records; calculating costs for compiling, copying, and furnishing records, if produced by LSS; preparing PRA responses; and submitting responses to the CCHCS PRA Coordinator for approval to release which may include responsive records, a denial, notification of extension, or confirmation of records, and instructions on remittance or in-person inspection.

Procedure

• Submittal of Public Records Act Requests

  • PRA requests may be sent via email to CCHCSHealthPRAs@cdcr.ca.gov, or by mail to California Correctional Health Care Services, Attention: PRA Coordinator, Building C, P.O. Box 588500, Elk Grove, CA  95758.

  • Health care-related PRA requests submitted to CCHCS or California Department of Corrections and Rehabilitation (CDCR) employees shall be forwarded to LSS within 24 hours of receipt.

    • Requests for contract records made during a contract’s procurement shall not be considered PRA requests and shall be forwarded immediately to the CCHCS contracting office responsible for that procurement. This shall ensure that vendors are provided timely information prior to the close of the procurement. 

    • Only upon completion of a contract’s procurement, including any applicable protest period, will requests for contract records be processed as PRA requests and forwarded to LSS.

  • LSS shall contact the requester to clarify requests that are overly broad, vague, or not sufficiently descriptive, and assist in focusing the request, if possible.

• Fee Determination and Collection

  • CCHCS shall collect fees for responsive records if:

    • Hardcopy records are requested; or

    • Data compilation, extraction, or programming to produce the record is required.

  • LSS shall contact the appropriate CCHCS program area to determine if there is a fee associated with the PRA request.

  • Prior to performing any tasks to gather responsive documents, LSS shall email to the program area the Public Records Act Staff Salary and Cost Breakdown worksheet to complete which includes:

    • An estimate of the calculated hours needed to complete the request, and

    • The number and classifications of staff that will be utilized.

  • LSS shall:

    • Calculate the hourly rate based on the mid-range salary for the classification performing the data compilation, extraction, or programming to produce the record.

    • Prepare a cost estimate.

    • Provide the estimate to the requester, in writing, with instructions on remittance of payment and due date.

  • If full payment is not received by the due date, which is 30 calendar days, LSS shall close the PRA request.

• Responding to Public Records Act Requests

  • The CCHCS PRA Coordinator, or designee, shall respond to the PRA requests within ten calendar days of receipt by providing to the PRA requester one of the following:

    • Confirmation that responsive records exist, an approximate date the records will be available, and instructions about cost remittance or in-person inspection, if requested.

    • A denial letter indicating no records shall be provided and the reason(s) for the denial.

    • A notification of a 14-calendar day extension pursuant to California Government Code Section 7922.535(b).

    • The requested records.

    • A portion of the requested records with an estimated time for the balance of the records to be provided.

• Processing of Public Records Act Requests

  • Upon receipt of the full payment of fees (refer to Section (c)(2) above), LSS shall request responsive documents from the appropriate CCHCS program area within a specified timeframe.

  • The appropriate CCHCS program area shall:

    • Process the request including redacting all personal or exempt information within the responsive records and notify LSS of any information redacted and the reason(s) for the redaction.

    • Provide responsive records to LSS in their original and redacted formats.

  • The CCHCS’ Office of Legal Affairs (COLA) shall consider the appropriateness of proposed redactions and provide legal guidance as needed.

• Release of Public Records

  • Prior to the CCHCS PRA Coordinator releasing records under the PRA, the AD RMB, and COLA shall provide written approval to LSS (except for records in Section (c)(5)(B)1. and 2. below).

  • Release of the following records does not require AD RMB or COLA approval:

    • Official CDCR medical, mental health, or dental forms.

    • Prior versions of the Health Care Department Operations Manual and CCHCS Care Guides.

  • Responsive records shall be transmitted electronically whenever possible; however, records shall be provided to the requester in the format requested and paid for, if applicable (i.e., hardcopies of public records may also be mailed, if appropriate).

• Physical Inspection of Public Records

  • Physical inspection of responsive records to a PRA request shall be permitted within a CCHCS Headquarters’ office during normal business hours or facilitated through the institution Litigation Coordinator. 

  • There is no fee for inspection of public records.

  • LSS staff shall remain present for the duration of the inspection in order to prevent the PRA requester from destroying, mutilating, defacing, altering, or removing any records from the premises.

  • Upon completion of the inspection or at the request of LSS staff, the PRA requester shall relinquish physical possession of the records.

• Denial of Public Records Request

  • LSS shall deny the release of records which are exempt from disclosure under the PRA.

  • If a request is denied, in whole or in part, LSS shall provide the requester with legal justification for withholding the record. 

  • If LSS denies a PRA request with knowledge that the records may be available within CDCR, CCHCS shall provide contact information for CDCR’s PRA Coordinator to the PRA requester.

• Public Records Act Request Tracking and Reporting Requirements

  • LSS shall utilize a tracking system for each PRA request.

  • The AD RMB, or designee, shall issue a weekly PRA report to designated CCHCS executive staff providing the status of PRA requests, as well as compile an annual report at the conclusion of each fiscal year.

• Document Retention

  • Copies of PRA records shall be maintained within LSS at CCHCS headquarters for a minimum of five years following closure of the request.  PRA records shall be purged after the five-year period, unless there is duty to preserve the documentation pursuant to litigation.

Policy

• The California Department of Corrections and Rehabilitation (CDCR)/California Correctional Health Care Services (CCHCS) adopted a Medical Classification System (MCS) to serve as the process for considering medical factors in making patient placement decisions.

Purpose

• The Health Care Placement Oversight Program (HCPOP), in conjunction with CCHCS headquarters Utilization Management (UM), is responsible for providing management and oversight of institutional Specialized Medical Beds and for making patient placement decisions to ensure maximum and efficient bed utilization and to facilitate timely access to the continuity of care.  Specialized Medical beds are defined as Outpatient Housing Unit, Hospice, Correctional Treatment Center, Skilled Nursing Facility, and General Acute Care Hospital Beds.

Local Level Placements and Discharges

• Admissions and discharges can be made at the local level and shall be reported as they occur unless HCPOP/UM has placed a hold on the medical bed.  HCPOP/UM staff will review all admissions for appropriate level of care placement.

Health Care Placement Oversight Program

• Once HCPOP has placed a hold on a medical bed for an identified placement, the bed shall not be used without authorization from HCPOP. 

• If an institution holding a bed requests to utilize a medical bed on which HCPOP has placed a hold, the institution shall provide the appropriate  documents (CDCR Form 128-C3, Medical Classification Chrono), CDCR Form 7410, Comprehensive Accommodation Chrono, and CDCR Form 1845, Disability Placement Program Verification) to HCPOP for review by UM to determine appropriate bed utilization.

• As the availability of beds, programs, and other capacities change, the HCPOP staff will ensure the Medical Classification Matrix and the Medical Classification Matrix Database are updated as needed.  All updated information shall be disseminated to the field through the CDCR Division of Adult Institutions Population Management Unit.

Medical Bed Placement/Weekends and Holidays

• When institutional medical staff determines the need for an in-patient medical bed within their institution and one is not available, medical staff shall contact HCPOP to determine if the needed type of specialized medical bed is available at an alternate institution prior to placing/retaining a patient in a community hospital.

• The need for a specialized medical bed may be for a medical admission, to clear a swing bed (a bed that can be used for either medical or mental health) for mental health, or to return a patient from a community hospital.

• All transfers made during weekends/holidays are medical and return for short duration to avoid a hospital admission or delay in a community discharge.  The transferred patient shall be returned to the sending institution upon bed availability.

Contact

• For questions or clarification, please contact the Chief, Health Care Placement Oversight Program.

Forms

• CDCR Form 128-C3, Medical Classification Chrono

• CDCR Form 1845, Disability Placement Program Verification

• CDCR Form 7410, Comprehensive Accommodation Chrono

Policy

• California Correctional Health Care Services (CCHCS) shall maintain the highest standards of conduct in the fulfillment of its mission.  CCHCS employees entrusted with state resources must, at a minimum, exercise reasonable care for safekeeping.

• Management is required to ensure that state assets are protected, laws and regulations are followed, financial and management information is reliable, and the organization and programs are operating effectively and efficiently.

• The State of California has adopted the Standards for Internal Control in the Federal Government by the Comptroller General of the United States (Green Book) that provides an overall framework for establishing and maintaining effective policies, procedures, and practices for an effective work place environment.

• CCHCS management shall create an effective work environment in their areas of responsibility and have established policies, procedures, and practices to mitigate, prevent, and detect actual or suspected incidents of fraud, misuse/theft of assets, inappropriate contract/procurement activities, employee misconduct, errors in financial reporting, errors that impact the state fund, and other fiscal irregularities.

• Managers shall take appropriate and immediate action following discovery of an incident outlined within this policy to ensure compliance with the State Administrative Manual (SAM), Section 20080, Notification of Fraud or Error, reporting requirements.  Managers shall not tolerate or condone these types of activities.

Purpose

• To ensure that incidents of actual or suspected fraud, misuse/theft, damage, and fiscal irregularities of state assets and funds are reported to the Policy and Risk Management Services, Internal Audit Program (IAP); California State Auditor (CSA); and Department of Finance, Office of State Audits and Evaluations (OSAE), as required by SAM, Section 20080.

Applicability

• This policy applies to all CCHCS civil service employees.

Reportable Incidents

• The following examples of potential reportable incidents under this policy include, but are not limited to:

• Illegal or fraudulent acts involving state property, including cash.

• Forgery or alteration of state documents including, but not limited to, checks, timesheets, payroll documents, drafts, purchase orders, invoices.

• Misappropriation of state funds, supplies, or any other state asset.

• Theft, destruction, or disappearance of state records, equipment, or other assets.

• Misrepresentation of information on state documents (e.g., travel reimbursement related documents, purchase orders, or false entries).

• Authorizing or receiving state payment for goods not received or services not performed.

• State financial reporting misrepresentation.

• Fraud in securing an appointment to a state position.

• Tampering with or inappropriate use of information technology, unauthorized disclosure of confidential or proprietary information, personal information or medical information.

• Accepting bribes (e.g., contracting, subcontracting).

• Working on incompatible activities using state resources.

• Errors that are unusual and have a fiscal impact to the state fund.

• Employee misconduct that is not subject to adverse action but may result in an informal discipline, letter of instruction, or counseling memorandum.

Filing an Incident

• Headquarters, regional offices, and institution reporting:

  • Upon discovery of an incident, the employee (staff or management) shall document the incident using an Actual or Suspected Fraud, Errors, and Improper Governmental Activities Report (herein referred to as Report).  Supporting documents (e.g., timesheets, forms, relevant emails) provided should support the alleged incident. 

  • The Report shall be documented in clear and concise statements that describe how the alleged incident was discovered, a description of the incident, sequence (chronology) of events, internal controls compromised (e.g., any action inconsistent with policy, improper approval), and any statutes, regulations, procedures or rules violated (e.g., Government Code, Penal Code, State Administrative Manual, Department Operations Manuals).

  • The employee shall scan and immediately email the Report to the Chief, IAP, at CCHCSIAP@cdcr.ca.gov.  The employee shall share the report with the employee’s supervisor prior to submission, unless the supervisor is involved in the subject of the report or unless the employee fears retaliation if the employee were to share the report with the supervisor.

  • If complete information is not available following discovery of the incident, IAP shall either reject the Report or request additional information.

  • IAP shall determine whether this incident is reportable under SAM, Section 20080, and address as appropriate.

  • IAP shall reject Reports submitted anonymously.

  • IAP shall determine if CSA and OSAE are to be notified of reported incidents.  For incidents that require reporting to external agencies, other than CSA and OSAE, IAP shall first review the matter with appropriate management and CCHCS’ Office of Legal Affairs. 

  • Once IAP determines material or substantive information exists to support the incidents and activities alleged, the Chief, IAP, shall follow SAM, Section 20080, procedures to notify and follow up with OSAE and the CSA no later than 30 calendar days following the discovery of the incident.

    • Updated reports are required every 180 days until the incident is resolved.

    • Incidents are resolved when corrective action is taken or a referral is made to the proper authority (e.g., the Attorney General, California Highway Patrol, outside law enforcement).

  • IAP shall notify the reporting employee when the incident is received.  IAP shall notify the reporting hiring authority of incidents reported and when incidents are resolved. 

  • Each reporting employee has an obligation to exercise sound judgment to avoid baseless allegations of incidents. Reporting employees may not be notified on how reported incidents are resolved.

• The following incidents do not apply to this policy and will not be reviewed by IAP:

  • Incidents that have been first reported to external agencies (e.g., California State Auditor Whistleblower, State Personnel Board, Office of Inspector General, or the Attorney General’s Office) unless directed by external agencies.

  • Bargaining Unit (Union) specific grievances and complaints.

  • Complaints regarding harassment and unlawful discrimination.

Whistleblower Protection Act and Employee Retaliation

• The California Whistleblower Protection Act authorizes CSA to receive complaints from state employees and members of the public who wish to report an improper governmental act.  All employees and members of the public may file a Whistleblower complaint directly with CSA.  For instructions on filing a Whistleblower complaint, refer to CSA’s website at https://www.auditor.ca.gov/whistleblower/.

• Labor Code, Section 1102.5, prohibits an employer from retaliating against an employee who discloses information that would result in a potential violation or noncompliance of statute or regulation to a governmental or law enforcement agency, to a person with authority over the employee, or another employee who has the authority to investigate.  The Labor Code also protects employees who refuse to participate in an activity that would result in a potential violation or noncompliance of statute or regulation.

Training

• All CCHCS civil service employees are required to complete the read and sign training via the online Learning Management System upon hire and annually thereafter.

Policy

• The California Correctional Health Care Services (CCHCS) shall ensure all staff comply with the requirements outlined in the Disability Placement Program (DPP) and the Developmental Disability Program (DDP) by maintaining a process to report, log, track, and initiate inquiries into allegations of non-compliance with the DPP and DDP and ensure corrective action where applicable.

Responsibility

• The Chief Executive Officer (CEO) or designee of each institution is responsible for the implementation and monitoring of this policy.

Procedure

• Reporting Allegations

  • All staff are responsible for identifying and reporting allegations of staff non-compliance with the DPP or Armstrong Remedial Plan, DDP or Clark Remedial Plan, or any subsequent court orders associated with the Armstrong or Clark litigation, even if the non-compliance was unintentional, unavoidable, done without malice, done by an unidentified staff or subsequently remedied.

  • All allegations shall be reported via written report (e.g., memorandum, e-mail, audit results) and include any supporting documentation.

  • Allegations may be identified through, but not limited to:

    • Internal audits

    • Staff observation

    • Health care grievances

    • Reasonable modification or accommodation request

    • Third party (e.g., Release of Information Log, advocacy letters, monitoring tour reports)

• Tracking Allegations

  • Allegations of staff non-compliance require placement into the Allegation Log Tracking System (ALTS) if:

    • The patient is a participant in the DPP or DDP, has a learning disability, verified or unverified, or requires accommodation based on a reading level score of 4.0 or lower, which includes zero or no reading score.

    • The patient claims denial of equal access to programs, activities or services, or claims a discriminatory or retaliatory action based on the patient’s disability.

    • The allegation involves a staff member or contracted employee.

  • Allegations of non-compliance that do not require placement within ALTS are:

    • Effective Communication (EC) is not appropriately documented pursuant to EC procedures, but is documented elsewhere (e.g., progress notes, physician’s orders, and chronos).

    • Allegations regarding lost or misplaced Durable Medical Equipment as a direct result of a community ambulance transport.

    • Entries in the Electronic Health Records System not matching entries in the Strategic Offender Management System. Inconsistent entries shall be resolved as appropriate.

    • With the exception of patients with DPW or DPO codes, if a patient arrives at an institution after hours and is placed in a bed that does not meet their Americans with Disabilities Act needs, but the patient is moved to an appropriate bed the following calendar day.

• Allegation Inquiry

  • There shall be an inquiry into all allegations of staff non-compliance regardless of whether the allegation contains the name of staff members.

  • In rare instances where the date of discovery is 16 months or older, the allegation shall be discussed with the California Department of Corrections and Rehabilitation (CDCR), Office of Legal Affairs to determine whether the incident is too old to initiate an inquiry.

  • Initiation of a timely inquiry is necessary to ensure allegations are reviewed while memories are fresh, the facts surrounding the allegations are still in existence, and the violation can be remedied.

    • The inquiry shall be assigned to an appropriate supervisor or manager and initiated within ten business days of being discovered or reported to staff.  The inquiry shall be completed within 30 business days of being assigned.

    • The inquiry shall include a review of all information necessary to determine whether the allegation is “confirmed” or “not confirmed” or “entered in error”.

    • The inquiry shall include a mandatory interview with the affected patient with the following exceptions:

      • Instances regarding EC where it is determined that EC was not appropriately documented (check boxes not completed or EC documented elsewhere [EC documentation error]).

      • When an allegation is raised via a CDCR 602 HC, Health Care Grievance, a CDCR 1824, Reasonable Accommodation Request, or a third party and, as a result of that process, a patient interview is conducted that meets the inquiry requirements.

    • The inquiry shall be conducted at the institution where the allegation occurred. If the patient transfers prior to completion of the inquiry and an interview is required, the assigned supervisor or manager shall contact the patient’s new institution and arrange an interview.

    • The inquiry shall include an interview with the employee against whom the allegation is made unless investigation determines that the allegation has no merit.

    • The outcome of the inquiry shall be documented as “confirmed”, “not confirmed” or “entered in error”.

  • The Health Care Compliance Analyst shall forward allegations and all supporting documentation to the appropriate institution or hiring authority where applicable.

• Written Report of the Inquiry

  • The inquiry shall result in a written report containing the following:

    • Date of discovery

    • Type of allegation

    • Name and title of person conducting the inquiry

    • Patient interview

    • Summary of findings

    • List of all sources of information relied upon (including any staff interviews)

    • Other allegations of non-compliance discovered at the time of the inquiry

    • Conclusion: Confirmed or Not Confirmed

  • The completed inquiry form and all corresponding supporting case documents shall be uploaded and retained within ALTS.

• Progressive Discipline

  • The CEO shall determine whether to initiate corrective action, or to submit a confidential request for investigation or approval for direct adverse action to the Office of Internal Affairs for an employee found in non-compliance.  The following factors shall be considered:

    • Number of prior violations in relation to the overall number of encounters

    • Serious harm occurred or could have occurred to the patient

    • Culpability of the employee

    • Systemic issue

  • The CEO shall discipline employees consistent with the Employee Disciplinary Matrix set forth in the CDCR, Department Operations Manual, Chapter 3, Article 22, Employee Discipline and the California Code of Regulations, Title 15, Section 3392, Employee Discipline.

• Disclosure

  • Corrections Services staff shall collect, aggregate, analyze, and submit the statewide ALTS logs to Plaintiffs on a monthly basis.

  • The statewide ALTS, DDP, and DPP logs shall be reported separately.

  • Staff names shall be omitted.

• Continuous Process Improvement

  • The Statewide Quality Management Committee shall:

  • Periodically evaluate ALTS data to identify systemic themes that may pose quality and patient safety risks, and

  • Prioritize and initiate process improvement activities, as necessary or appropriate.

Policy

• California Correctional Health Care Services (CCHCS) shall provide Non-Paragraph 7 (Non-P7) responses that address Prison Law Office (PLO) questions and concerns regarding issues not covered under the patient-specific Paragraph 7 (P7) process, pursuant to the Plata Stipulation for Injunctive Relief, dated June 13, 2002. CCHCS shall ensure timely response to the PLO’s inquiry within 30 calendar days of receipt.  Responses shall be provided by the responsible program, region, or institution and vetted through CCHCS Office of Legal Affairs (COLA) and Office of Legal Affairs (OLA), California Department of Corrections and Rehabilitation, prior to release to the PLO. Issues addressed via the Non-P7 process shall include the following:

  • Systemic health care issues identified by the PLO through P7 cases, tours, or other sources of information.

  • Significant institution compliance issues requiring headquarters attention and intervention.

Responsibility

• The Health Care Compliance Support Section (CSS) is responsible for facilitating the Non-P7 process and providing formal responses to PLO inquiries.  CSS is responsible for soliciting and maintaining a current listing of point of contact designees for each program area.

• Headquarters program managers, institution leadership, or regional executives are responsible for providing comprehensive responses to CSS within the timeframes specified, and appointing a designee and back-up from their program area to be the point of contact for any follow-up questions.  It is the responsibility of headquarters program managers, institution leadership, or regional executives to ensure any corrective actions included within a formal response to the PLO are implemented, monitored, and sustained.

• The Associate Director (AD), Risk Management Branch (RMB), Deputy Director (DD), Policy and Risk Management Services (PRMS), Director, Health Care Policy and Administration, Director, Health Care Services, COLA, and OLA, as well as appropriate program leadership or designees (when applicable), are responsible for reviewing responses to ensure accuracy, completion, and appropriate corrective actions (if applicable) prior to releasing to the PLO.

• The DD, PRMS, or designee, upon approval from COLA and OLA, has authority to release responses and shall ensure departmental compliance with this policy.

Non-P7 Database Tracking

• CSS shall utilize a designated database for tracking each Non-P7 inquiry and response.  Appropriate documentation of timeframes and status updates shall be input timely by designated CSS staff.

Reporting Requirements

• The AD, RMB, or designee, shall email a weekly status report of open Non-P7 inquiries to COLA and OLA, and applicable headquarters Directors, program managers and designees, institutional leadership, and regional executives.

Policy

• California Correctional Health Care Services (CCHCS) shall maintain a health care grievance (grievance) process to provide an administrative remedy to patients under health care’s jurisdiction (medical, mental health, and dental) for review of complaints of applied health care policies, decisions, actions, conditions, or omissions that have a material adverse effect on their health and welfare.  Any grievance which contains allegations against health care staff behavior or activity which would constitute staff misconduct if true, must be processed as a health care staff complaint (staff complaint).

Purpose

• To maintain the integrity of CCHCS and the Division of Health Care Services through fair, objective, and effective review of the patient’s complaints; provide for the resolution of a grievance at the lowest possible administrative level with timely responses to the patient; provide the patient intervention as deemed medically necessary by health care staff to address an identified health care issue and/or staff complaint; and afford the patient an avenue for the exhaustion of administrative remedies prior to initiation of a court action.

Responsibilities

• All health care staff involved in the grievance process shall be responsible for the effective operation of the grievance process and ensure that every grievance and staff complaint is reviewed thoroughly and answered appropriately in accordance with California Code of Regulations (CCR), Title 15, Division 3, Chapter 2, Subchapter 2, Article 5, Health Care Grievances, and applicable rules, regulations, and policies.

• Institutional Level

  • The Chief Executive Officer, or designee, is responsible for the institution’s grievance process, ensuring it operates effectively and consistently and is the institutional level reviewing authority.

  • Each institution shall have a Health Care Grievance Office (HCGO) and assigned staff, including a Health Care Appeals Registered Nurse and a Health Care Grievance Coordinator, responsible for the processing of all grievances and staff complaints.

  • Health care staff with supervisory authority over the subject of a staff complaint is responsible for conducting the confidential inquiry.

• Headquarters’ Level

  • The Chief, Health Care Correspondence and Appeals Branch (HCCAB), and the Deputy Director, Policy and Risk Management Services, are responsible for oversight of the statewide grievance process, ensuring it operates effectively and consistently. 

  • The Chief, HCCAB, is the headquarters’ level reviewing authority.

  • HCCAB shall have assigned staff, including licensed clinical staff, responsible for the processing of all health care grievance appeals and staff complaints.

Procedure

• Institutional Level

  • Grievances and staff complaints are subject to an institutional level review. 

  • HCGO staff shall process all grievances and staff complaints, prepare a response for each accepted grievance or staff complaint, and route the prepared response to the reviewing authority for review and signed approval. 

  • Completed grievances and staff complaints shall be mailed/delivered to the patient within 45 business days of receipt, unless processed as an expedited health care grievance pursuant to CCR, Title 15, Section 3999.233(b). 

  • Additional information related to institutional level grievance procedures are outlined in the Health Care Grievances Operating Standards: Correspondence and Appeals Branch – HCG-Complete.pdf – All Documents (sharepoint.com).

• Headquarters’ Level

  • Grievances and staff complaints may receive a headquarters’ level review, if requested by the patient.

  • HCCAB staff shall process all grievance appeals and staff complaints, prepare a response for each accepted grievance appeal or staff complaint, and route the prepared response to the reviewing authority for review and signed approval. 

  • Completed grievance appeals and staff complaints shall be mailed/delivered to the patient within 60 business days of receipt, unless processed as an expedited health care grievance appeal pursuant to CCR, Title 15, Section 3999.233(b). 

  • A headquarters’ level grievance appeal disposition exhausts administrative remedies.

  • Additional information related to headquarters’ level grievance appeal procedures are outlined in the Health Care Grievances Operating Standards: Correspondence and Appeals Branch – HCG-Complete.pdf – All Documents (sharepoint.com)

Training and Resources

• HCGO and HCCAB staff shall complete grievance and staff complaint process training via the online Learning Management System upon hire and annually thereafter. 

• Supervisory staff who conduct staff complaint confidential inquiries shall complete staff complaint training for supervisors.

• Health care staff involved in the grievance process shall utilize the Health Care Grievances Operating Standards and Standard Grievance Language resource documents available on the Department intranet.

Policy

• The Health Care Correspondence and Appeals Branch (HCCAB) shall maintain a Compliance and Support Team (CAST) to assist Health Care Grievance Offices (HCGO) statewide to ensure compliance with California Code of Regulations, Title 15, Division 3, Chapter 2, Subchapter 2, Article 5, Health Care Grievances; court mandates; and departmental policies and procedures related to the health care grievance (grievance) process; efficient grievance processing at the institutional and headquarters’ levels; and a meaningful administrative remedy process for patients. 

Purpose

• To maintain the integrity of the grievance process by promoting accountability through compliance reviews and provision of assistance and/or training; tracking and monitoring of action items, Corrective Action Plans (CAP), and recommendations; identifying and implementing processes to increase efficiencies and mitigate risk; and compiling and reporting compliance review findings, CAST activities, and key performance metrics and trends.

Responsibilities

• The Chief, HCCAB, and the Deputy Director, Policy and Risk Management Services (PRMS), are responsible for:

  • The oversight and management of the statewide grievance program and implementation of this policy and procedure, and the Health Care Grievances Operating Standards, Section 4.1, Compliance and Support Team.

  • Approving requests and referrals for CAST Support.

  • Issuing Compliance Review Exit Memorandums.

  • Compiling and issuing CAST metrics as appropriate.

• The Chief Executive Officer (CEO) is responsible for:

  • Compliance with this policy and procedure at the institution level.

  • Responding to the Compliance Review Exit Memorandum and taking corrective action to resolve identified non-compliance issues.

• All California Correctional Health Care Services and Division of Health Care Services staff involved in the grievance process are responsible for the efficient operation of the grievance process and supporting CAST activities to ensure compliance with applicable regulations, court mandates, and departmental policies and procedures.

Procedure

• Compliance Review

  • Prior to a compliance review site visit, CAST shall utilize the Compliance Review Tool to conduct a preliminary assessment consisting of a review of grievances and staff complaints closed in the Health Care Appeals and Risk Tracking System (HCARTS) in the most recent three months to identify applicable areas of non-compliance and general grievance processing issues.

  • During the site visit, CAST shall discuss the results of the preliminary assessment, interview HCGO staff to complete the questions in the Compliance Review Tool that require on-site responses, and review hard copies of staff complaint packages selected during the preliminary assessment.

  • Upon return from the site visit, CAST shall draft a Compliance Review Exit Memorandum, which shall:

    • Be addressed to the CEO, with copies to the appropriate headquarters and institution chain of command.

    • Outline the observations, compliance ratings for the quantifiable indicators, action items, and/or CAP, if applicable.

    • Be routed for HCCAB management review within ten business days.

    • Be emailed with the completed Compliance Review Tool to the addressees within 15 business days.

    • Request a response from the CEO to address the action items and/or CAP within 25 business days of receipt.

  • Within 25 business days of receipt of the Compliance Review Exit Memorandum, the CEO shall prepare a memorandum confirming each action item has been implemented and/or completed, including a CAP, if applicable, and email the signed response to CAST.

• CAST Support

  • CAST shall assist in the development and implementation of effective training curriculum and utilize appropriate training methods to deliver onboarding and ad-hoc training to institution and headquarters staff involved in the health care grievance process.

  • HCGO Support

    • Upon identifying the need for CAST Support, the HCGO or HCCAB staff shall complete and submit a CAST Support Request and Referral Form to HCCAB management for approval.

    • The Chief, HCCAB, and the Deputy Director, PRMS, shall review requests and referrals for approval within ten business days of receipt.

    • Upon approval of a request or referral for CAST Support, CAST shall review monitoring data and may use applicable sections of the Compliance Review Tool to conduct a spot check consisting of review of grievances and staff complaints closed in HCARTS in the most recent three months to identify risks, trends, training needs, and process improvement opportunities.

    • While on-site in the HCGO, CAST shall:

      • Observe HCGO operations to analyze training needs, develop customized training plans, identify process improvement opportunities, and provide guidance in the development of local operating procedures.

      • Provide assistance and/or training and recommendations to HCGO staff and other institutional staff, as necessary.

    • CAST shall provide ongoing support to HCGO staff as deemed necessary by CAST management and the Chief, HCCAB.

CAST Reporting

• Metrics Report

  • CAST management shall generate the Metrics Report by the tenth day of the month after the end of the reporting period for issuance to the Chief, HCCAB.  The Metrics Report shall consolidate the previous month’s CAST activities and performance information across key areas of the grievance process.

• Regional Report

  • CAST management shall generate the Regional Report by the tenth day of the month after the end of the fiscal year for issuance to headquarters executives and the Regional Health Care Executives.  The Regional Report shall consolidate CAST activities and performance trends identified in the previous fiscal year’s Metrics Reports.

Policy

• The California Whistleblower Protection Act protects all state civil service employees and applicants for state employment who make a protected disclosure in good faith from suffering retaliation. It is illegal for state officers and employees to retaliate against a state civil service employee or applicant for state civil service appointment for informally or formally reporting improper governmental activities or for refusing to obey an illegal order.

• California Correctional Health Care Services (CCHCS) and the California Department of Corrections and Rehabilitation (CDCR) shall protect whistleblowers from retaliation by reviewing complaints of whistleblowers, notification of incidents of fraud or errors, harassment, discrimination, and retaliation and investigate as appropriate.

Purpose

• To ensure all CCHCS state civil service employees and applicants for state employment are protected from retaliation.

Applicability

• This policy and procedure applies to all CCHCS state civil services employees.

Retaliation Complaint Procedure

• Internal

  • Complaints of retaliation shall be resolved at the lowest level.

  • Hiring authorities have the responsibility to protect all employees who report misconduct from retaliation by ensuring that all necessary measures are taken to protect whistleblowers during the investigation process as well as after the case has been adjudicated.

  • Labor Code, Section 1102.5, prohibits an employer from retaliating against an employee who discloses information that would result in a potential violation or noncompliance of statute or regulation to a governmental or law enforcement agency, to a person with authority over the employee, or another employee who has the authority to investigate. The Labor Code also protects employees who refuse to participate in an activity that would result in a potential violation or noncompliance of statute or regulation.

  • Allegations of retaliation shall be forwarded by the hiring authority to the Office of Internal Affairs (OIA) via a CDCR 989, Confidential Request for Internal Affairs Investigation/Notification of Direct Adverse Action, when a reasonable belief of misconduct occurred and the alleged misconduct, if proven true, would result in adverse action as defined in the CDCR’s Department Operations Manual, Chapter 3, Article 22, Adverse Personnel Actions.

• External

  • This policy does not alter the ability or right of employees to file retaliation complaints directly, even if there is no formal complaint filed with the OIA, or other state agencies including, but not limited to, the following:

  • The State Personnel Board Appeals Division within 12 months from the most recent act of reprisal: https://www.spb.ca.gov/appeals/general_information.aspx.

  • California Department of Human Resources: http://www.calhr.ca.gov/state-hr-professionals/Pages/appeals-and-grievances.aspx.

  • The Office of the Inspector General: https://www.oig.ca.gov/pages/about-us/how-to-file-a-complaint.php.

  • The Public Employee’s Relations Board: https://www.perb.ca.gov/UPCByMail.aspx.

  • Worker’s Compensations Appeals Board:  https://www.dir.ca.gov/dlse/dlseRetaliation.html.

  • The Department of Fair Housing and Employment: https://www.dfeh.ca.gov/complaint-process/.

Discipline and Liability

• In accordance with the provisions of Penal Code, Section 6129(c)(2), any employee of CDCR found to have engaged in retaliatory acts shall be disciplined by, at a minimum, a suspension without pay for 30 days.

• Pursuant to Government Code, section 8547.8(c), in addition to all other penalties provided by law, any person who intentionally engages in acts of reprisal, retaliation, threats, coercion, or similar acts against a state employee or applicant for state employment for having made a protected disclosure shall be liable in an action for damages brought against him or her by the injured party.  Punitive damages may be awarded by the court where the acts of the offending party are proven to be malicious.  Where liability has been established, the injured party shall also be entitled to reasonable attorney’s fees as provided by law.  However, any action for damages shall not be available to the injured party unless the injured party has first filed a complaint with the State Personnel Board pursuant to subdivision (a), and the board has issued, or failed to issue, findings pursuant to Section 19683.

Training

• All CCHCS civil service employees are required to complete the read and sign training via the online Learning Management System upon hire and annually thereafter.

Policy

• California Correctional Health Care Services (CCHCS) headquarters (HQ) operations and processes are reviewed periodically by external audit agencies. When an external audit agency initiates an audit, investigation, or compliance review, herein referred to as an audit, CCHCS shall cooperate fully and ensure timely and comprehensive responses. The CCHCS’ Internal Audit Program (IAP) may serve as the audit liaison between external audit agencies and CCHCS HQ program areas. The IAP responsibilities may include coordination and collaboration between the external auditor and CCHCS HQ program areas including scheduling entrance and exit conferences, assisting in obtaining documentation and ensuring all responses are accurate, within scope, and submitted timely. The IAP shall retain a copy of all documentation that is created, sent, or received in connection with external audits as required by policy, regulation, or statute.

Purpose

• To define the role of the IAP and CCHCS HQ program areas during an audit performed by an external audit agency, including, but not limited to, the review of processes, written policies and procedures, products, services, systems, and employees.

Responsibility

• The Deputy Director (DD), Policy and Risk Management Services (PRMS), or designee, is responsible for departmental compliance with this policy.

• The IAP Senior Management Auditor, or designee, is responsible for the monitoring and evaluation of this policy.

• CCHCS HQ program area DDs are responsible for ensuring:

  • Requested documentation and inquiry responses are provided timely to the IAP or the external audit agency as agreed upon prior to the start of an external audit.

  • A copy of the final audit report is provided to the IAP.

  • The implementation and monitoring of any Corrective Action Plan (CAP) in compliance with the external audit.

Applicability

• This policy applies to any audits of CCHCS HQ operations and processes performed by an external audit agency with proper authority and jurisdiction. This policy does not apply to:  

• Medical inspections performed by the Office of the Inspector General who is responsible for reviewing and reporting on the delivery of the ongoing health care provided to incarcerated persons in the California Department of Corrections and Rehabilitation.

• Reviews conducted by court order or for purposes of litigation (e.g., Prison Law Office Plata Tours).

Procedure

• Initial Contact from an External Audit Agency

  • Any CCHCS HQ program contacted by an external audit agency regarding an appraisal shall immediately notify the IAP via email at CCHCSInternalAudits@cdcr.ca.gov.

• Entrance Conference

  • The IAP shall coordinate all entrance conferences and invite CCHCS HQ program staff.

• Roles and Responsibilities During the External Audit

  • Following the entrance conference, the IAP and the CCHCS HQ program area DD, or designee, shall meet to determine the IAP’s specific role and responsibilities for the external audit The IAP’s responsibilities may include, but are not limited to:

    • Collecting and reviewing relevant and required documents.

    • Facilitating the timely submission of documentation.

    • Communicating with the CCHCS HQ program area and the external audit agency throughout the duration of the external audit.

    • Maintaining a list and electronic copies of information and documentation received from and provided to the external audit agency.

  • The IAP shall email their agreed upon audit-specific role and responsibilities to the CCHCS HQ program area DD and the DD, PRMS.

• During the Audit

  • If the IAP serves as the audit liaison with the external audit agency and the CCHCS HQ program area, the CCHCS HQ program area shall:

    • Submit any documentation requested from an external auditor for audit activities to the IAP at CCHCSInternalAudits@cdcr.ca.gov. Any documents provided to the IAP, which are deemed to be legally privileged or protected, shall not be released to an external auditor.

    • Provide the IAP with a list of any requested information or documentation which the program is unable to provide and include a justification of why the information or documentation is unable to be provided.

    • Discuss any potential issues identified by an external auditor with the IAP.

  • If the IAP does not serve as the audit liaison with the external audit agency and the CCHCS HQ program area, the CCHCS HQ program area shall:

    • Submit any documentation requested from an external auditor for audit activities directly to the external audit agency and copy the IAP at CCHCSInternalAudits@cdcr.ca.gov.

    • Not submit any documents deemed to be legally privileged or protected to an external auditor.

    • Ensure the IAP is invited to the exit conference.

• Closure of an External Audit

  • If the IAP served as the audit liaison with the external audit agency and the CCHCS HQ program area during the external audit, the IAP shall ensure:

    • All issues identified by the external audit agency are communicated to appropriate CCHCS leadership via email.

    • Responses are provided by the CCHCS HQ program area DD to the IAP within the deadline specified.

    • All requested documentation is submitted to the external audit agency timely.

  • If the IAP did not serve as the audit liaison with the external audit agency and the CCHCS HQ program area during the external audit, the CCHCS HQ program area DD shall ensure the IAP receives a copy of the external audit agency’s final audit report.

• External Audit Follow-ups and CAPS

  • If the IAP served as the audit liaison with the external audit agency and the CCHCS HQ program area during the external audit then:

    • The IAP shall remain as the liaison between the external audit agency and the CCHCS HQ program area throughout the follow-up process.

    • The CCHCS program area shall ensure all follow-up inquiries from external audit agencies are referred to the IAP via email at CCHCSInternalAudits@cdcr.ca.gov.

    • If a CAP is required, the IAP shall coordinate the completion of the CAP, and if requested, provide assistance to the CCHCS HQ program area to ensure issues are accurately addressed. Assistance may include, but is not limited to:

      • Recommending to CCHCS HQ program areas to incorporate issues into active improvement projects, when appropriate.

      • Negotiating timeframes with external audit agencies to allow CCHCS HQ program areas sufficient time to complete CAP activities.

      • Referring CCHCS HQ program areas to Quality Management for consultation if the program needs assistance in determining improvement strategies, models, or techniques.

    • The IAP shall be responsible for submitting the CCHCS HQ program areas responses to the external audit agency.

  • If the IAP did not serve as the audit liaison with the external audit agency and the CCHCS HQ program area during the external audit, the CCHCS HQ program area DD shall ensure:

    • The CAP, if required, is complete and all issues are accurately captured and responded to.

    • Upon completion, the CAP, if required, is submitted to the external audit agency and IAP.

• External Audit Retention

  • The IAP shall retain a copy of all documentation that is created, sent, or received, in connection with external audits as required by policy, regulation or statute.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR) must ensure that employees are compensated in accordance with the applicable Bargaining Unit (BU) Memorandum of Understanding (MOU) provisions (rank and file employees) or California Department of Human Resources (CalHR) policy (excluded employees), for On-Call/Standby assignments and/or Callback time.

• Not all BU MOUs have negotiated the same provisions regarding On-Call/Standby and Callback.  This policy serves to clarify the differences and similarities of the individual MOUs and provides guidance for excluded employees associated with the applicable BUs.  The On-Call/Standby Provisions and Compensation matrix (Appendix 1) and the Callback Provisions and Compensation matrix (Appendix 2) are attached to identify which provisions are applicable to each BU referenced in this document.

• Effective upon release of this policy and procedure On-Call/Callback hours may be compensated either in cash or accrued Compensating Time Off (CTO) provided the accrual of CTO does not exceed the established cap.  The decision to allow cash compensation will be reviewed annually in March and will be determined based on the fiscal status of the Department.

Procedure

• On-Call/Standby Assignment General Guidelines

  • When there is a requirement that an employee be available during specified off-duty hours to receive communication regarding a requirement to return to work and be fit and able to return to work, if required, this time is considered On-Call/Standby.  The requirement to carry an electronic device or respond when contacted does not necessarily entitle the employee to On-Call/Standby compensation

  • Employees scheduled for On-Call/Standby assignments at a Correctional Treatment Center (CTC) (Appendix 3) are expected to return to the worksite in a reasonable amount of time.  Please refer to the BU MOU for specific requirements.

  • For BUs that contain a Work Week Group (WWG) not authorized to receive overtime compensation (e.g., E and SE), but include a provision to compensate for On-Call/Standby, compensation shall be paid in cash or CTO provided the accrual of CTO does not exceed the established cap. Any accrual of CTO that will cause the balance to exceed the cap shall be paid in cash.

  • Additionally, CalHR Personnel Management Liaisons 2002-040 specifically states that excluded employees in WWG E (e.g., Chief Medical Executive [CME] and Regional Medical Executive [RME]) are not eligible for On-call/Standby compensation.

• On-Call/Callback Assignment for BU 16

  • For BU 16 employees (Dentists, Physicians, Podiatrists, and Psychiatrists), On-Call and Callback are defined as (BU 16, MOU Section 7.9 On-Call/Callback Assignment):

  • On-Call Assignment

    • On-call assignment is defined as a work-shift which is performed in addition to the Unit 16 employees’ regularly scheduled workweek in which the Unit 16 employee is:

      • Available by telephone or electronic paging device at all times; and

      • Normally immediately available to return to the facility for any required medical support deemed necessary by the employee.  If the State deems it necessary, the State shall issue a Unit 16 employee an electronic paging device during an on-call assignment.

    • Those employees completing an on-call assignment of seven days shall receive eight hours CTO or eight hours compensation at management’s discretion for each on-call assignment.

    • Unit 16 employees who complete on-call assignments of less than seven days shall receive pro-rata CTO or pro-rata pay.

  • Callback Assignment

    • Unit 16 employees who are required to return to the institution for a work shift in addition to the Unit 16 employees’ regularly scheduled workweek shall receive hour for hour credit (CTO) with four hours guaranteed.  In addition to the hour for hour credit, and four hours guaranteed, Unit 16 employees shall be compensated for one hour (CTO) for travel time.  If funds are available for cash compensation, the State may choose cash instead of CTO.  It is at the State’s discretion whether cash is paid or CTO is accumulated.  Returns to the institution shall be documented.

  • NOTE:  Physician and Surgeons scheduled for On-Call/Standby assignments at CTCs are expected to return to the worksite within one hour of receiving telephonic communication.  At non-CTCs, employees are expected to return within a reasonable length of time, relative to the patient’s illness or injury.

• On-Call Assignment for Excluded Employees Affiliated with BU 16

  • Excluded employees in WWG SE affiliated with BU 16 (Chief Physician and Surgeon [CP&S], Supervising Dentist, Chief Psychiatrist, etc.) may be eligible to receive On-Call compensation.  For example, when such an employee is acting as the treating physician because a rank and file physician is not available or a Physician Assistant (PA) or Nurse Practitioner (NP) is On-Call, the On-Call compensation will apply.  The same conditions, restrictions, and definitions for On-Call compensation that apply to rank and file employees in BU 16 also apply to excluded employees affiliated with BU 16.

• Callback Time for BU 18

  • For BU 18 (Psychiatric Technician and Senior Psychiatric Technician), Callback is defined as (NOTE: The BU 18 MOU has no provision for On-Call Assignments):

  • BU 18 MOU Section 5.3 Callback Time

    • An employee who has completed a scheduled work shift, or an employee on an authorized day off, when ordered back to work shall be credited with a minimum of four hours work time at the employee’s appropriate rate of pay provided the call back to work is without having been notified prior to completion of the work shift and the work begins more than two hours after the completion of the scheduled work shift.

• Standby/Callback Assignment for BU 19

  • For BU 19 (Health and Social Services/Professional) employees who are covered by the Fair Labor Standards Act (FLSA), Standby and Callback are defined as:

  • BU 19, MOU Section 6.3 Standby

    • For covered employees, standby is defined as the express requirement that an employee be available during specified off-duty hours to receive communication regarding a requirement to return to work.  It shall not be considered standby when employees are contacted or required to work but have not been required to be available for receipt of such contact.

    • Each department, or designee, may establish procedures with regard to how contact is to be made and with regard to response time while on standby.

    • An employee who is required to be on standby status will be compensated in the following manner: for every four hours on standby, an employee shall receive one hour of compensating time off.  For every hours on standby or major fraction thereof (30 minutes or more), an employee shall receive fifteen minutes of compensating time off.

    • No standby credit will be earned if the employee is called back to work and receives callback credit during any given four-hour period.

    • Standby and CTO credited as a result of standby shall be considered time worked for purposes of qualifying for overtime.

    • At the discretion of the State, CTO credited as a result of standby may be paid in cash to the employees.

  • BU 19, MOU Section 6.2 Voluntary Callback

    • For employees who are covered by the FLSA, the State will credit a Unit 19 employee with a minimum of four hours regular work time for an authorized callback when an employee is called back to work after completion of his/her regularly scheduled work shift and has left the work premises.

    • Callback credit will commence when the employee begins work and will terminate when the employee stops working.  However, hours worked which are contiguous to an employee’s regular working hours, which may include a meal period after completion of a regular work shift, will not be considered callback.

    • At the discretion of the State, callback credit may be paid in cash to the employee.

• BU 19 Exception

  • On-Call/Callback Assignment for BU 19 Specific WWG E Employees

  • Per the MOU side letter signed September 3, 2014, for BU 19 FLSA-excluded employees (Psychologist – Clinical, Correctional Facility [CF]; Sr. Psychologist, CF [Specialist]; and Clinical Social Workers [Health/CF]-Safety), On-Call and Callback are defined as:

    • On-Call Assignment

      • On-Call Assignment is defined as a work-shift which is performed in addition to the Unit 19 employees’ regularly scheduled workweek in which the Unit 19 FLSA exempt employee is:

        • Available by telephone or electronic paging device at all non-work times; and

        • Normally immediately available to return to the facility for any required mental health duties deemed necessary by the employer.

      • If the State deems it necessary, the State shall issue a Unit 19 employee a cell phone or electronic paging device during an on-call assignment.

      • Unit 19 employees will receive eight hours CTO or eight hours of compensation, at managements’ discretion, for each completed on-call assignment of seven days.

      • Unit 19 employees who complete an on-call assignment of less than seven days shall receive prorated in either cash or CTO, at the employer’s discretion.

      • NOTE: Excluded employees covered under the side letter agreement referenced above are not subject to the requirement to return to the institution within one hour of receiving a call that requires them to do so.

    • Callback Assignment

      • Unit 19 exempt employees who are required to return to the institution for a work shift in addition to the Unit 19 employees’ regularly scheduled workweek shall receive hour for hour credit (CTO) with four hours minimum work guaranteed.  The four hours begins when the employee arrives at the institution.

      • Unit 19 employees called back to an institution, under the provisions of 6.XA, and who then leave and are called back again within the same four hour period, shall only be compensated for additional hours worked beyond the four hour call back guarantee.

      • In addition to the hour for hour credit, and four hour minimum, Unit 19 employees shall be compensated one hour for travel time.  Compensation shall be either CTO or cash, at the employer’s discretion.  Returns to the institution shall be documented.

      • Unit 19 employees called back to an institution during a holiday shall receive either pay or CTO in accordance with Section 8.1 (Holidays), paragraph (I).

      • NOTE: Compensation for on-call/call back assignment shall not exceed 24 hours in any one-day period.

• Standby/Callback Assignment for BUs 1, 4, 11, 15, 17, and 20

  • For BUs 1 (Administrative, Financial, and Staff Services), 4 (Office and Allied), 11 (Engineering and Scientific Technician), 15 (Allied Services), 17 (Registered Nurse) and  20 (Medical and Social Services), Standby and Callback are defined as:

  • BUs 1, 4, 11, 15, 17, and 20 MOU Section 19.12 Standby Time

    • “Standby” is defined as the express and absolute requirement that an employee be available during specified off-duty hours to receive communication regarding a requirement to return to work, and be fit and able to return to work, if required.  It shall not be considered standby when employees are contacted or required to return to work but have not been required to be available for receipt of such contact.

    • Each department, or designee, may establish procedures with regard to how contact is to be made (e.g., electronic paging device, phone) and with regard to response time while on standby.

    • An employee who is required to be on standby status will be compensated in the following manner: for every eight hours on standby, an employee shall receive two hours of CTO, which may be prorated on the basis of fifteen minutes CTO for each one hour of standby.  Standby may not be scheduled in less than one-hour increments.

    • No Standby credit will be earned if the employee is called back to work and receives call back credit.

    • Standby and CTO credited as a result of standby shall not be considered time worked for purposes of qualifying for overtime.

  • BUs 1, 4, 11, 15, 17, and 20 MOU Section 19.11 Callback Time

    • An employee who has completed a normal work shift, when ordered back to work, shall be credited with a minimum of four hours work time provided the call back to work is without having been notified prior to the completion of the work shift, or the notification is prior to completion of the work shift and the work begins more than three hours after the completion of that work shift.

• On-Call Assignments for Mid-Level Practitioners

  • PAs and NPs may be scheduled to provide On-Call services.  PAs, NPs, and rank and file physicians shall be scheduled on an equal basis with no individual or group receiving preferential treatment.

  • Because there is a requirement that the PA or NP be supervised by a physician, when a PA or NP is placed On-Call, a CP&S, CME, or the RME is required to be On-Call as well.

• Compensation

  • The employee can elect to receive pay or CTO; however, if the receipt of CTO will result in exceeding the established cap, the portion exceeding the cap must be paid and not accrued.  Callback compensation shall be at the straight time hourly rate.  Exception to this policy for BU 19 FLSA-excluded employees refer to BU 19 compensation.

  • NOTE: Employees in WWG E and SE are not eligible for Callback compensation unless specifically stated in the BU contract.

• BU Matrix Headquarters and Field

  • The Bargaining Unit Matrix Headquarters and Field guide (Appendix 4), outlines the BUs, unions, classifications, and WWG for the BUs referenced in this policy.

• On-Call and Callback Authorization form (CCHCS SB01)

  • All employees who are on authorized On-Call/Standby and Callback status are required to complete the Call/Standby Authorization form (CCHCS SB01A).

  • Prior to the On-Call/Standby start date, the manager/supervisor assigning the On-Call/Standby must complete sections 1 through 9, and sign and date sections 11 and 12 of the CCHCS SB01A.  At the completion of the assignment(s), the employee must complete Section 10 of the CCHCS SB01A and both the manager/supervisor and the employee will sign and date sections 13 through 16 of the CCHCS SB01A.

  • In addition to the CCHCS SB01A, the Callback Authorization form (CCHCS SB01B) must be completed by the employee for Callback assignments and submitted to the manager/supervisor. The manager/supervisor is responsible for the review and approval of all Callback assignments documented by the employee on the CCHCS SB01B.

  • Employees are responsible for ensuring that all approved On-Call/Standby and Callback time documented on the CCHCS SB01A and CCHCS SB01B are accurately reflected on the CDCR 998-A, Employee’s Record of Attendance.  Managers/supervisors are responsible for verifying that On-Call/Standby and Callback hours reflected on the CCHCS SB01A and CCHCS SB01B are accurately documented on the CDCR 998-A.  Managers/supervisors are also responsible for approving and signing the CDCR 998-A once the information has been verified.  If the hours documented on the CDCR 998-A do not reflect the On-Call/Standby and Callback hours as documented on the approved CCHCS SB01A and CCHCS SB01B, the CDCR 998-A shall be returned to the employee for correction.

  • At no time should the manager/supervisor approve On-Call/Standby or Callback hours that are not accurately reflected on the CCHCS SB01A and CCHCS SB01B, and CDCR 998-A.

  • The manager/supervisor and the employee shall keep a copy of the CCHCS SB01A and CCHCS SB01B, and the originals shall be submitted with the CDCR 998-A.

Policy

• It is the policy of California Department of Corrections and Rehabilitation (CDCR) to recruit, hire, and assign all employees on the basis of merit and fitness in accordance with civil service statutes, rules, and regulations.  This policy is intended to uphold the merit principle of civil service by preventing and prohibiting preferential treatment or bias due to personal relationships.  Nepotism is antithetical to a merit-based personnel system and staff shall not use their personal relationships to aid or hinder others in the employment setting.  CDCR reserves the right to initiate mandatory reassignments, employee transfer, or take other administrative action to avoid or correct situations where the potential for employment decisions based on nepotism exists.

Procedure

• Exception Request

  • The hiring manager or supervisor shall prepare the exception request in memorandum format (refer to the Nepotism and Fraternization Exception Request Memorandum Template).  The memorandum shall clearly identify the personal relationship of the employees in question and how an exception, if granted, will contribute to the operational needs of the organization and mitigated within the reporting structure.

• Submission of Exception Request

  • The local Hiring Authority (HA), shall review mitigating factors of the exception request:

    • If the HA is a Chief Executive Officer, the exception request shall be forwarded to the Regional Health Care Executive (RHCE). RHCE shall review and provide their recommendation within three business days.

    • The exception request shall be forwarded to the Chief, Classification and Pay (C&P) and Transactions & Benefit Services (TBS) or the Regional Personnel Administrator (RPA).

  • The Chief, C&P/TBS or RPA shall review the exception request pursuant to California civil service laws and rules and other factors that may impact the exception decision and provide a written recommendation to the Deputy Director (DD), Human Resources (HR). The Chief C&P/TBS or RPA shall provide their recommendation within two business days.

  • The DD, HR, shall review and provide a final recommendation to CCHCS Office of Legal Affairs (COLA) within two business days.

  • COLA shall review and provide a final written determination to approve or deny the exception request to the DD, HR within five business days. After receiving the final determination from COLA, the DD, HR, or designee, shall provide a written response to the HA within one business day.

  • The HA shall ensure a copy of the response is retained in the candidate’s interview folder or forward a copy to the local Personnel Specialist for filing in the employee’s Official Personnel File (OPF).

    • If the exception request is approved:

      • The HA shall also ensure a copy of the approval is provided to the candidate or employee.

      • The supervisor and employee shall have memorandums documented in the OPF indicating their understanding of the conflict to DOM Section 33010.25 and methods which are being instituted to mitigate.

    • If the exception request is denied, an alternative means of resolving the policy conflict shall be implemented, including reassignment of one of the affected employees (if both are current employees), or selecting an alternate candidate.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR) shall ensure that all prospective employees, contractors, and volunteers have cleared a criminal record check, which includes Live Scan fingerprinting requirements. California law authorizes certain governmental agencies/departments to conduct Criminal Offender Record Information (CORI) checks on individuals applying for a license/certification, employment, or as a contractor/volunteer within law enforcement agencies/departments.

• All prospective employees and contractors responsible for patient care shall have a cleared CORI check prior to beginning employment. All other contractors and volunteers shall have a cleared CORI check prior to entering an institution to provide services.  All prospective institution and headquarters (HQ) employees not responsible for patient care shall have a CORI check conducted upon appointment.

• All offers of employment or other invitations to provide services for anyone providing patient care are tentative until Live Scan fingerprinting requirements are met and approved by Human Resources (HR).

• An exception may be granted for patient care providers (both employees and contractors) to access an institution for the purposes of obtaining classroom training and/or orientation; however, Live Scan clearance must be obtained before providing patient care.

• CCHCS employees designated to perform Live Scan fingerprinting functions, and who may have access to confidential CORI, shall abide by all laws, policies, and training requirements set forth in applicable California Penal Code sections, California Government Code sections, Department of Justice (DOJ), and CDCR/CCHCS policies.  Each CCHCS employee designated to operate Live Scan fingerprinting systems and equipment and/or access CORI, shall read and complete a California Department of Justice, Employee Statement, Use of Applicant Criminal Offender Record Information form.

Purpose

• To outline Live Scan fingerprinting requirements within CCHCS and DHCS for those conducting Live Scan fingerprinting, applying for employment, or providing services within CCHCS/CDCR facilities.

Applicability

• Live Scan fingerprinting submissions are required in the following instances:

  • Non-Sworn Personnel: Employees in non-sworn classifications; those who are paid by the State.

  • Peace Officer Auxiliary: Employees in peace officer classifications including retired annuitants and those applying to become Peace Officers.

  • Contractor/Volunteer: Prospective CCHCS contractors, sub-contractors, volunteers, and interns.

  • Retired Peace Officer (RPO): RPO submissions for a Carry Concealed Weapon (CCW) permit and any peace officer employees retiring and requesting a CCW endorsement on their retired identification (ID) card.

  • CCHCS/DHCS Employees: Prospective employees who must obtain or renew a state license/certification to perform their job duties (e.g., Licensed Vocational Nurse, Pharmacist).

  • Retired Annuitants/Reinstatements: Prospective employees reinstated after a permanent break in state service.

  • Transfers from outside CDCR/CCHCS: Prospective employees applying to transfer from another State agency/department.

• Exceptions

  • An applicant who lives out-of-state and cannot travel to California may submit a manual FD-258 Fingerprint Card. Alternatively, the exception process may be requested allowing the applicant to complete the Live Scan process at the assigned institution or HQ upon arrival in California.

• Employee Transfers

  • When an employee is transferring from one CDCR office, institution, etc., to another, including a transfer from the Division of Juvenile Justice (DJJ) to Division of Adult Institutions (DAI) or DAI to DJJ, the hiring manager/supervisor shall contact the appropriate HQ or Regional Live Scan Analyst who shall coordinate with the Office of Peace Officer Selection (OPOS), via the Live Scan Unit email at CDCRLiveScan@cdcr.ca.gov, to verify that the employee has a Live Scan fingerprint record on file and shall initiate the No Longer Interested process with the appropriate personnel office.  Another Live Scan submission shall be necessary.

Procedure

• Prior to Scheduling a Live Scan Fingerprinting Appointment

  • CCHCS HQ program Personnel Liaison (PL)/Regional Human Resources Office (RHRO)/ Regional Human Resources Field Liaison (RHRFL) staff shall ensure each prospective employee, contractor, or volunteer completes and signs a:

    • CDCR 1951, Supplemental Application for All CDCR Employees. Disclosure of prior arrests or convictions by a prospective employee, contractor, or volunteer, as noted on the CDCR 1951, must be compared with the results of the Live Scan.  If there are discrepancies, the candidate may be disqualified for the position.

    • CDC 1199, Applicant Notification and Acknowledgement. Applicants acknowledge notification of being fingerprinted for the purpose of obtaining a CORI check from DOJ, and if subsequently arrested or convicted of any violations of the laws, the applicant must promptly notify the hiring manager/supervisor.

  • Contractors and Volunteers

    • All communication with contractors and volunteers shall be conducted through the CCHCS HQ PL/institution’s contract analyst. 

    • Contractors and volunteers shall be accompanied to the Live Scan fingerprinting appointment by the CCHCS HQ PL/RHRO staff. 

    • ID cards shall not be issued, and services may not be commenced, until the contractor or volunteer’s Live Scan fingerprinting results are received and cleared by HR.

    • NOTE: The exception process noted herein shall be utilized for contractors and vendors that have not obtained or are pending Live Scan clearance.

• Scheduling Live Scan Fingerprinting

  • The following outlines procedures for requesting LiveScan fingerprinting at CCHCS HQ/institutions:

  • HQ Staff

    • CCHCS HQ HR Reception Unit staff shall schedule and perform Live Scan fingerprinting for all prospective CCHCS/DHCS employees, contractors, and volunteers assigned to work at HQ.

    • The program PL or manager/supervisor shall notify CCHCS HQ HR Reception Unit staff of the need for Live Scan fingerprinting via email to CCHCSLiveScanIDAppts@cdcr.ca.gov.

    • Live Scan fingerprinting shall not be completed unless the identity of the prospective employee, contractor, or volunteer is verified via a state-issued driver’s license/ID card.

  • Institution Staff

    • RHRO staff shall schedule and perform Live Scan fingerprinting for all prospective CCHCS/DHCS employees, contractors, or volunteers assigned to work at an institution.

    • The contract analyst shall coordinate a date and time with the prospective contractor or volunteer, and RHRO staff to complete the Live Scan process.

• DOJ/Federal Bureau of Investigation (FBI) Live Scan Applicant Response Results

  • DOJ/FBI provides Live Scan fingerprint results to the hiring authority or designee that submitted the request. 

  • HR shall complete the CDCR 2164, Live Scan Response Form DOJ/FBI/Firearms.

• Exception Process for Patient Care Providers

  • Circumstances may arise when CORI results are not obtained timely and a need is identified for a provider, either employee or contractor, to begin working.  Upon approval, via the Receiver’s Freeze Exemption Request process, authorization may be granted for an employee or contractor responsible for patient care to begin work for purposes of obtaining classroom training and/or orientation; however, Live Scan clearance (CORI) must be obtained before providing patient care.

  • Civil Service Employees
    The following procedures shall be followed if the exception process is approved for civil service employees.

    • Employee Pre-Employment

      • The patient care provider shall have a Live Scan fingerprint completed as soon as possible after a tentative offer is made.

      • The patient care provider shall complete and sign the CDCR 1951 and the Live Scan Acknowledgment form.

      • The Chief Executive Officer (CEO) shall approve all hires utilizing this process by approving the Live Scan Acknowledgment Form.

    • Tracking Live Scan Clearance

      • The RHRFL shall monitor and track all outstanding Live Scan clearances.

      • Upon receipt of Live Scan results, which may include Record of Arrests and Prosecutions (commonly referred to as a RAP sheet), the RHRFL shall compare the results with the CDCR 1951 completed by the employee.  If there are no discrepancies, the RHRFL shall notify the CEO and program manager by email, indicating the Live Scan results have been received and the employee is cleared.

      • If there is a discrepancy between the Live Scan results and the CDCR 1951, the RHRFL shall immediately notify the CEO to begin the review and determination process.

        • A copy of the CDCR 1951, CDCR 2164, Live Scan Acknowledgment Form, and RAP sheet shall be packaged and sent to the CEO for review.

        • A duplicate package shall also be prepared for the Warden’s review and acknowledgment.

      • If the outcome of the review and determination process results in a failure to clear the employee for continued employment, the CEO shall contact the assigned Health Care Employee Relations Officer (HCERO) and initiate termination of employment.

  • Contract Providers
    The following procedures shall be followed if the exception process is approved for contract providers responsible for patient care.

    • Contract providers shall have a Live Scan fingerprint completed as soon as possible after approved for placement.

    • Contract providers shall also complete the Gate Clearance process. This will ensure the provider is approved to access the institution in compliance with CDCR policy.

    • Contract providers may attend classroom training and/or orientation prior to Live Scan results being received and approved

    • Contract providers may not provide patient care until Live Scan results are received and approved.

    • The Health Care Contracts Section Manager or designee shall monitor and track Live Scan clearance.

    • The Health Care Contracts Section Manager or designee shall notify the CEO and program manager by email to advise if the contract provider was cleared to provide patient care.

• DOJ/FBI CORI Subsequent Arrest Notification

  • Once a prospective employee, contractor, or volunteer has been fingerprinted for Live Scan, DOJ forwards a Subsequent Arrest Notification to CCHCS’s HR Reception Unit if/when an individual is arrested.  DOJ/FBI CORI Subsequent Arrest Notifications are maintained by the HR Reception Unit.

  • The Associate Director, HR, or designee shall review the Subsequent Arrest Notification and forward it to the HCERO, Performance Management Unit (PMU), CCHCS via the PMU Program Manager.

  • The HCERO shall determine if the employee notified CCHCS of the arrest, and if applicable, contact the Hiring Authority to determine the appropriate disciplinary action. 

  • Copies of a DOJ/FBI CORI Subsequent Arrest Notification and/or firearm denial/prohibition shall be provided by the Associate Director, HR, or program Section Chief to an affected employee, contractor, or volunteer upon request. 

  • Requests shall be placed in a sealed envelope (marked “Confidential”), and the employee, contractor, or volunteer is to obtain the notification in person.

  • CORI information may also be provided by the Associate Director, HR, or program Section Chief to other offices within the Department that are responsible for handling employee investigations and discipline (e.g., Office of Internal Affairs, PMU).

  • HQ HR Reception Unit staff shall track via the California Correctional Health Care Services Human Resources Headquarters – Subsequent Arrest Notification log, when and to whom a copy of CORI information was provided in the event of a DOJ audit.

  • HR Regional staff shall track via the California Correctional Health Care Services Human Resources Regional – Subsequent Arrest Notification log, when and to whom a copy of CORI information was provided in the event of a DOJ audit.

• No Longer Interested Notification

  • Once an employee separates (regardless of the type of separation), or when a contractor’s or volunteer’s services are terminated or no longer needed, CCHCS has no legal authority to continue receiving Subsequent Arrest Notification information on the individual.  The OPOS 11T, No Longer Interested Notification shall be submitted to DOJ by CCHCS HQ Personnel Specialist/Institutional Personnel Office staff for any of the following:

  • Employees who have separated from CDCR/CCHCS. 

  • NOTE: An OPOS 11T should not be sent to DOJ for retired employees.

  • Contractors, volunteers, vendors, or other service providers whose services are no longer required/terminated.

  • Civil service applicants who were fingerprinted but not hired by CDCR/CCHCS.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR) may only authorize Administrative Time Off (ATO) pursuant to the parameters outlined below, California Government Code (GC), California Labor Code, California Code of Regulations (CCR), California Department of Human Resources (CalHR) policy, and/or Bargaining Unit (BU) Memorandum of Understanding (MOU) provisions.

Procedure

• Authority to Approve Administrative Time Off

  • All requests for placing an employee on ATO shall be approved for up to five working days through the Hiring Authority (HA) chain of command with concurrence from the respective CCHCS/DHCS program Director/designee or Regional Health Care Executive (RHCE) as outlined in Approval Authority for Administrative Time Off (ATO).

  • After receiving approval from the respective Director/designee or RHCE, the requesting HA shall immediately notify the Health Care Employee Relations Officer (HCERO), Performance Management Unit, CCHCS.  The HCERO shall assist with writing the Notification of Administrative Time Off (ATO).

  • Once completed, with the assistance of the HCERO, the HA shall provide the Notification of ATO to the affected employee.

• Administrative Time Off Exceeding Five Working Days

  • The information below summarizes the process for the approval for ATO exceeding five working days, as outlined in the Approval Authority for Administrative Time Off (ATO):

  • 6 – 30 Days of ATO

    • The HA shall contact his/her respective CCHCS/DHCS program Director/designee or RHCE prior to the employee’s fifth working day on ATO to request to continue an employee on ATO beyond five working days.

    • For requests to continue an employee on ATO beyond ten working days, the HA shall contact his/her respective CCHCS/DHCS program Director/designee or RHCE prior to the employee’s tenth working day on ATO.

    • If it is determined that an employee should be continued on ATO beyond 15 working days, the HA shall contact his/her respective CCHCS/DHCS program Director/designee or RHCE prior to the employee’s 15th working day on ATO.

    • If it is determined that an employee should be continued on ATO beyond 30 calendar days, the respective CCHCS/DHCS program Director/designee or RHCE shall notify the Receiver/designee prior to the employee’s 25th working day on ATO.

    • The HA must notify the HCERO of the approval or denial of an employee’s continued ATO use.

  • 31 Days or More of ATO

    • A justification from the HA establishing good cause for maintaining an employee on ATO in excess of 30 calendar days, shall be provided to the HCERO for submission to CalHR.

    • CalHR Extension Request Process

      • Requests to extend ATO for longer than 30 calendar days must be submitted, in writing, to CalHR, Personnel Services Branch, Labor Relations Division, via the CCHCS HCERO at least five working days prior to the expiration of the ATO. The HCERO is responsible for seeking approval in advance from CalHR in 30 calendar day increments. The Request for Approval – Administrative Time Off Extension memorandum must be labeled “Confidential”.  The following information must be included in the ATO extension request:

      • Employee Information:

        • Employee name.

        • Collective bargaining identifier.

        • Classification and job/working title.

        • Peace Officer (Yes or No).

        • Initial date ATO commenced.

        • Length of extension, if less than 30 calendar days is requested.

      • Reason ATO is needed:

        • Explain why ATO is the best alternative under the circumstances.

        • Explain why the employee cannot return to work.

        • A temporary reassignment was considered instead of ATO.

        • If a temporary assignment is rejected, state the reason why.

        • The employee cannot perform any work remotely while on ATO.

      • Projected Date for Termination of ATO:

        • Date the investigation or a Fitness for Duty Evaluation is expected to conclude.

        • If the original deadline needs to be extended, explain why.

      • HA or Designee Contact Information:

        • Name.

        • Email.

        • Phone number.

      • The extension request must be signed by the HA.

        • NOTE:  If an investigation is underway, the HA does not need to describe specifics about the investigation, but should explain the potential harm that might arise from returning the employee to work (e.g., “Investigating allegations of child molestation; employee’s job duties include the supervision of children,” or “Investigating allegations of theft; employee’s job duties involve unlimited access to funds and no ability to secure the funds.”).

    • CalHR Extension Decision

      • CalHR will notify the HCERO regarding approval or denial of the ATO extension request.

      • If the request is approved, CalHR will specify the expiration date.

        • NOTE:  Approvals are typically for only 30 calendar days.

      • If the request is denied:

        • CalHR will explain the reason for the denial.

        • CalHR will work with the HCERO to determine if reconsideration of the ATO extension request is merited, or the employee must return to work.

          • NOTE:  If CalHR denies the ATO extension request, the employee must return to work.

• Consultation with the Office of Internal Affairs Prior to Administrative Time Off due to Misconduct

  • Prior to granting ATO due to suspected misconduct, the Office of Internal Affairs (OIA) Central Intake Unit (CIU) must be consulted.

  • When a HA determines that ATO may be necessary, the HA shall consult with one of the following CDCR staff prior to placing the employee on ATO:

    • OIA Special Agent In-Charge

    • OIA CIU Chief

  • The purpose of the consultation is to ensure that no investigative protocol is compromised and for CIU to consider the case for expedited processing.

  • If an employee is placed on ATO after a case has been referred to OIA, immediately notify OIA of the action.

  • Referrals to OIA shall be made via the CDCR 989, Confidential Request for Internal Affairs Investigation/Notification of Direct Adverse Action. The HA shall request a blank copy of the CDCR 989 from the OIA.

    • NOTE:  For priority processing, the CDCR 989 may be faxed to CIU, with a copy of the Notification of ATO memorandum.

• Criminal Conduct

  • ATO may be approved when a CCHCS/DHCS employee:

  • Has been charged with a felony.

  • Is suspected of committing any serious violation of the CCR.

• Misconduct

  • ATO may be approved when a CCHCS/DHCS employee:

  • Is suspected of smuggling contraband.

  • Has demonstrated unacceptable familiarity with incarcerated persons.

  • Has seriously jeopardized the security of the institution.

  • Has been served with a Notice of Adverse Action in which the penalty is dismissal or has been served a Notice of Rejection During Probation.

    • NOTE:  ATO arising from dismissal or rejection during probation shall conclude on the effective date of the Notice of Adverse Action or Notice of Rejection During Probation.

• Injury or Illness

  • ATO related to injury or illness:

  • Shall be approved for time lost on the date of a work-related injury or illness, even if the claim has not been approved for Worker’s Compensation benefits.

  • May be approved where an employee has a medical condition(s) and the Disability Management Unit has determined that a Fitness for Duty Evaluation is required.

• Medical-Legal Evaluation

  • While a Worker’s Compensation claim is pending, an employee may be asked to attend a Medical-Legal Evaluation with an Independent Medical Evaluator (e.g., Qualified Medical Evaluator or Agreed Medical Evaluator) pursuant to California Labor Code, Sections 4060, 4061, or 4062.  The employee shall be placed on ATO for any time lost from work as a result of attending a Medical-Legal Evaluation.

  • NOTE:  If an employee is currently absent from work and is receiving Worker’s Compensation temporary disability benefits or checks from the State Compensation Insurance Fund, the employee will not be placed on ATO.

• State Personnel Board Hearing

  • An employee shall be granted ATO to attend a meeting of the Department or State Personnel Board concerning a matter specifically affecting the employee’s position/classification in which the employee has requested to be heard.  Refer to the applicable BU MOU for details.

• Governor-proclaimed State of Emergency

  • ATO may be granted for up to five working days during a state of emergency pursuant to the following criteria set forth in CCR, Section 599.785.5:

  • The employee works or resides in a county where a state of emergency has been proclaimed by the Governor and the HA determines at least one of the following conditions exists:

    • The employee’s normal place of business is closed temporarily during the employee’s normal work shift due to the effects of the emergency.

    • The emergency effectively precludes the employee’s ability to find reasonable routes of transportation from the employee’s normal residence to the work place.

    • The emergency presents an immediate and grave peril to the employee’s own safety, that of an employee’s immediate family member, or the employee’s principal residence.

    • The employee is actively involved in a formal, organized effort to protect the health and safety of the general public, such as where the employee is a member of the auxiliary fire or police department, or the employee is asked by local authorities to assist with sandbagging efforts.

    • The employee needs to take time off to apply for disaster assistance from the Federal Emergency Management Agency, because the employee is unable to apply for assistance before or after the employee’s normal work shift.

  • The employee is preregistered with and providing volunteer service to a state agency carrying out its responsibilities under the Governor’s Executive Order D-25-83.

    • The employee is required to notify the HA of the employee’s affiliation with the volunteer services and establish prior arrangements regarding notification of the HA in the event the employee is asked to participate in the State disaster response.

    • The HA shall release the employee to provide volunteer service when an emergency occurs, unless there is a critical departmental operating reason that prevents such a release.

  • Paid ATO shall not exceed five working days without prior approval; CalHR shall grant approval of paid ATO in excess of five working days if it finds that one of the aforementioned criteria continues to be met.

  • NOTE:  Employees called into service as specified in GC, Section 19844.5 (refer to Section (b)(10) below), are excluded from the aforementioned standards.

• California Emergency Management Agency Service

  • Pursuant to GC, Section 19844.5, an employee called into service by California Emergency Management Agency (CalEMA)to engage in a search and rescue operation, disaster mission, or other life-saving mission conducted within the State is entitled to ATO. 

  • Only volunteers participating in the following organizations qualify:

    • California Explorer Search and Rescue Team

    • Drowning Accident Rescue Team

    • Wilderness Organization of Finders (also known as “WOOF” or Wilderness Finders Search Dog Teams)

    • California Rescue Dog Association

    • California Wing of the Civil Air Patrol

  • The employee shall be released to engage in the aforementioned activities at the Department’s discretion. However, leave shall not be unreasonably denied.

  • The period of duty shall not exceed ten calendar days per fiscal year, including the time involved in going to and returning from the duty.

  • A single mission shall not exceed three working days, unless an extension of time is granted by CalEMA and the Department.

  • If the employee receives a request to serve:

    • During normal working hours – The employee contacts the immediate supervisor regarding release.

    • Outside normal working hours – The employee contacts the immediate supervisor or designee regarding release.

    • NOTE:  An employee serving in the aforementioned capacity shall receive ATO for the time taken. However, the employee shall not receive overtime compensation while on ATO.  Furthermore, the Department is not liable for disability or death benefit payments in the event the employee is injured or killed in the course of CalEMA service.  However, the employee remains entitled to any benefits currently provided by the employee’s agency.

• Participation in State Civil Service Examinations

  • Upon notice to the employee’s immediate supervisor, employees shall be approved to participate in any State civil service examination conducted during the employee’s work hours, including employment interviews for positions within State service, in which the employee could be hired from an eligible list as part of the examination process.

  • Impacted employees in layoff status shall be granted reasonable time to attend State-sponsored job interviews, job fairs, and apply for open positions in agencies as noted in the relevant BU MOU.  Such requests shall not be unreasonably denied.

  • NOTE: The employee may be required to provide substantiation for the request.  Refer to the applicable BU MOU for details.

• Organ or Bone Marrow Donation

  • An employee who has exhausted all available sick leave shall be granted the following leave(s) with pay:

  • An absence not exceeding 30 working days in any one-year period to any employee who is an organ donor.

  • An absence not exceeding five working days in any one-year period to any employee who is a bone marrow donor.

• Blood and Blood Product Donation

  • Based on an applicable BU MOU and State policy, ATO may be approved for blood, plasma, platelets, and other blood product donations to a certified donation center.

• Court Appearances

  • Based on an applicable BU MOU and State policy, ATO may be approved for court appearances and/or subpoenas, which compel the employee’s presence as a witness, and the employee is not a party to the legal action or an expert witness.

• Precinct Board Member Service on Election Day

  • An employee appointed as a member of a precinct board who takes time off to serve as a member of that precinct board on Election Day shall receive payment of his/her regular wages or salary for that day. The time off shall be recorded as ATO for time keeping purposes.

  • Employees are entitled to retain any compensation they receive for service as a precinct board member.

  • Eligibility is subject to approval by the employee’s supervisor.

  • Any officer, deputy, or employee selected or appointed by an elected State Officer is excluded from the provisions of GC, Section 19844.7.

• Restricted Access while on Disciplinary Administrative Time Off

  • When an employee is on ATO after being served with a Notice of Adverse Action, a Rejection During Probation, or while under investigation, the HA shall restrict the employee’s access to work-related facilities and/or electronic or computer systems as necessary. 

  • During the leave period, the employee is relieved of all duties, rights, and powers arising out of CCHCS/DHCS employment.

  • While on ATO, the employee shall be available by telephone during normal business hours (8:00 a.m. to 5:00 p.m.).  The employee shall be accessible during normal business hours and must be able to report to his/her regular work location as directed.

• The employee shall request approval from the designated supervisor to attend medical appointments or utilize leave credits during ATO and shall be charged and reflect the appropriate leave credits on the CDCR 998-A, Employee’s Record of Attendance.  Upon receiving a request from an employee on ATO to use leave credits, the HCERO shall consult with the HA to obtain approval or disapproval.

• Returning From Administrative Time Off

  • Employees are required to return to work at the end of their ATO expiration/termination date.  Any employee who is absent without leave (commonly known as AWOL) after receiving notice to return to work shall be separated pursuant to GC, Section 19996.2, which provides that absences, whether voluntary or involuntary, for five consecutive working days shall constitute automatic resignation from State service.

Policy

• California Correctional Health Care Services (CCHCS) provides patients with timely access to safe, effective, and efficient medical care and integrate the delivery of medical care with mental health, dental, and disability programs.  CCHCS and the Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR), may enter into agreements with accredited health care educational entities to provide broader clinical and educational experiences to students.

• This policy provides guidance regarding the laws, rules, and processes related to the Educational Rotation Program for CCHCS and DHCS.  This policy applies only to unpaid educational rotations.  Residencies and other situations in which compensated health care services are provided are handled via a health care services agreement that CCHCS’ Medical Services Section solicits and are not governed by this policy.

Benefits to Students

• An educational rotation provides benefits to students which include, but are not limited to:

• Providing an opportunity to fulfill clinical requirements necessary to graduate.

• Providing clinical experiences that integrate education, career development, and public service.

• Providing the opportunity to apply knowledge and skills in a professional setting while still in school.

• Enhancing the students’ resumes.

• Providing networking and job reference opportunities.

• Exposing students to health care in a correctional setting.

• Increasing self-confidence.

Benefits to Employees

• An educational rotation provides benefits to CCHCS and DHCS employees which include, but are not limited to:

• Exposing employees to new ideas, viewpoints, and energy.

• Fostering positive public relations.

• Serving as a recruitment tool.

• Providing opportunities to engage in clinical training.

• Allowing CCHCS, DHCS, and educational entities to build and strengthen relationships.

Request Process

• Educational entities contact the Educational Rotation Program Contract Liaison (CL) (i.e., program-designated analyst at headquarters [HQ]) for CCHCS and/or DHCS. If contacted by an educational entity, Workforce Development Unit (WDU) and/or the program should refer the educational entity representative to the CL.  Furthermore, when a student contacts HQ or an institution directly, the CL must work with the student’s educational entity representative (i.e., Contractor’s Designated Faculty Member [CDFM]) to formalize educational rotation participation.

• The Educational Entity Representative contacts the CL to request educational rotation participation.

• The CL:

  • Confirms the educational program’s accreditation status and other details (e.g., public, private, or for-profit college).

  • Confirms the nature of the educational experience in terms of:

    • Type of program

    • Number of student participants

    • Amount of time students will spend on-site

  • Confirms the program’s desire to participate in educational rotations for the specific course of study.

  • Confirms collective support for the program from program/institutional executives, including, but not limited to:

    • Chief Executive Officer (CEO)

    • Chief Medical Executive (CME)

    • Chief of Mental Health

    • Supervising Dentist

    • Other executives or program directors based on the type of program request being made

      • NOTE:  A HQ Mental Health Training Unit, DHCS, review must be completed prior to Mental Health programs participating in any educational rotations.

  • Ensures the program/institution has the clinical support for conducting the proposed program with:

    • Adequate space and equipment for the educational student population

    • Appropriate staff participation

    • On-site time requirements for the participants without negatively impacting program operations

  • Coordinates with nearby institutions and/or regional or statewide executives for rotations that would be appropriate for multiple institution participation.

  • Begins preparation of the scope of work (SOW) for the interagency agreement (IA) or contract.

  • Notifies WDU of the pending educational rotation details by providing a copy of the IA or contract.

Procurement/Contracting Requirements

• Although CCHCS’ educational program agreements are zero dollar ($0.00) contracts, educational rotation programs must go through the procurement/contracting process to establish an IA or a contract.  While these agreements are not contracts for services, compliance with these requirements mitigates legal risk to CCHCS and DHCS.

• An IA or contract primarily consists of an SOW and several exhibits that are attached to the SOW that define essential features or terms of the agreement including, but not limited to:

  • Business Associates Agreement (HIPAA)

  • Patient Privacy Regulations and Non Redisclosure Agreement

    • NOTE:  Health Insurance Portability and Accountability Act (HIPAA) language cannot be waived for private, for-profit, or out-of-state colleges.  In the case of California State or University of California colleges, a Non Redisclosure Agreement can be used in lieu of the HIPAA language.  The HIPAA Agreement and/or Non Redisclosure Agreement should be retained for three years.

  • Insurance requirements for schools and students

  • California Code of Regulations, Title 15, disclosures

  • Indemnification issues

Procurement/Contracting Process

• The procurement/contracting process for educational rotation programs is as follows:

• NOTE:  Edits to the related exhibits must be routed and approved by HQ and the CCHCS Office of Legal Affairs (COLA) and/or Department of General Services, depending on the contract changes (e.g., insurance requirements, indemnification issues).

• The Procurement Contract Analyst guides relevant program/institution and educational entity staff through the contracting process.

• The Host Program/Institution Educational Leadership (e.g., CEO/CME):

  • Writes a draft SOW that defines the following core features:

    • Activities

    • Requirements

    • CLs

    • Proposed on-site activity in terms of how many students may participate over what time period

  • Submits the draft SOW to the CL.

• The CL submits the draft SOW to the CDFM for review, comments, and proposed revisions.

  • NOTE:  CCHCS and/or the CDFM may revise the draft SOW until it is suitable to both parties.

• The CDFM reviews the SOW and provides comments and proposed revisions to the CL.

• The CL:

  • Submits the SOW agreed upon by CCHCS and/or the CDFM to the Procurement Contract Analyst.

  • Completes and submits a CDCR Form 886B, Contract Request Form to the Procurement Unit.

• The Procurement Contract Analyst:

  • Adds the required exhibits.

  • Prepares and forwards the complete IA or contract, including all necessary exhibits, to the CDFM for review.

• The CDFM reviews the IA or contract.

  • NOTE:  Any requested changes must be routed back to the Procurement Contract Analyst.

• The Procurement Contract Analyst:

  • Reviews the IA or contract changes requested by the CDFM, if applicable. 

  • When necessary (i.e., edits to the exhibits), forwards the requested IA or contract changes to COLA for review.

  • When the IA or contract is acceptable to all parties, completes the STD Form 213, Standard Agreement. 

  • Provides a copy of the final IA or contract to WDU.

• COLA:

  • If consulted, reviews, suggests changes, or considers proposed changes to the IA or contract.

  • Notifies the Procurement Contract Analyst of the recommendation.

• The Procurement Management/Educational Entity Officials executes the IA or contract.

• The WDU monitors the overall progress of the Educational Rotation Program.

• NOTE:  While the current contract is still in progress, requests may be initiated to extend or modify the educational rotation.  In such cases, a STD Form 213A, Standard Agreement Amendment is processed via the Program Contract Analyst.

Program Coordination

• The tactical decisions and activities related to having students on-site are as follows. 

• NOTE: The coordination efforts may occur concurrently with the procurement/contracting process (see above), or the CL and CDFM may wait until the contract is fully executed before beginning the coordination efforts

• The CDFM:

  • Determines the exact calendar schedule.

    • The schedule is especially critical for those programs where a cohort class of multiple students will be on-site for a number of days each week over an instructional period.

    • For programs where a single student/intern/resident/master’s candidate will be on site, the student typically contacts the school’s CDFM regarding a correctional educational rotation.  In such cases, the CDFM will coordinate with the CL or connect the student with the CL to make arrangements.

  • Ensures students meet the tuberculosis (TB) testing requirement no earlier than 30 days prior to the start of on-site activities.

  • Ensures the CL receives the appropriate TB documentation on all participants.

  • Provides the CL with detailed information (e.g., background check) and signed Non Redisclosure Agreement on every student who will be involved in the program, including the information necessary to conduct future LiveScan processes.

    • NOTE:  Each student is individually accepted or rejected by the CL or designee as authorized by the program Director or CEO

• The CL provides WDU with contact information on all student participants.

  • NOTE:  The information will be used to track and ultimately recruit students

• The CL/CDFM (in collaboration with each other) ensures every student is provided onboarding/orientation that introduces the student to the relevant aspects of interacting with incarcerated persons in an institutional setting prior to arrival on-site.

• The CL:

  • Ensures access details are confirmed prior to the student/faculty arrival to the institution, including, but not limited to:

    • Background check (e.g., LiveScan)

    • Signed Non Redisclosure Agreement

  • Notifies the Warden and/or other appropriate correctional personnel of the need to admit and escort students to and from the program clinical settings.

Training

• The designated program/institution staff will:

• Establish a training program that provides clear expectations for students, including the basis for evaluation.

• Allow students to participate in appropriate activities and meetings.

• Instruct the students on specific skill development tasks.

• Facilitate active learning by explaining, clarifying, and encouraging the students to ask questions at appropriate times.

• Provide experiences that offer a broad overview of the work and organization.

Selecting Educational Program Preceptors and Contacts

• Any institution that participates in an educational program must have a designated on-site Educational Program Preceptor who is responsible for providing orientation of students and faculty and who oversees the educational experience of the students.

• The designated on-site Educational Program Preceptor shall be available to students and faculty on a regular basis and shall possess expertise in the clinical area in which the student will rotate.

• Even if the student will rotate through various units to gain broad-based experience, there should be a single overall Educational Rotation Program Contact who oversees the educational rotation as a whole.

• When choosing an Educational Program Preceptor and/or Educational Rotation Program Contact, it is important to select a staff member who:

  • Is interested in working with college students.

  • Has time to invest in the educational rotation.

  • Possesses qualities such as leadership, strong communication skills, and patience.

    • NOTE:  An employee may not be required to participate in the Educational Rotation Program.

Educational Program Preceptor Responsibilities

• The Educational Program Preceptor has the following responsibilities:

• Ensure students and faculty complete the Health Care On-Site Medical Student/Resident Orientation Self Certification module prior to beginning the educational rotation, and retains the signed Self-Certification Form(s). 

  • NOTE:  The Self-Certification Form is located at the end of the module and should be retained for one year following the educational rotation period ending date.

• Oversee and assign the students’ tasks.

• Identify the different expectations between the clinical site and school to help students make a successful transition to the clinical environment.

• Establish regular one-on-one meetings to:

  • Communicate goals, objectives, and expectations

  • Review progress on assignments

  • Provide clinical guidance

  • Provide feedback, guidance, and support

  • Discuss successes, areas for improvement, and overall performance

  • Maintain open, two-way communication

• Track and submit students’ time to the CDFM, if requested.

• Submit student evaluations to the CDFM, if requested

• Ensure students return any departmental property and that electronic accesses (e.g., Electronic Unit Health Record [eUHR], Electronic Health Record System [EHRS], Mental Health Tracking System [MHTS]) are cancelled at the conclusion of the educational rotation.

• May provide students with a letter of recommendation, if requested.

Student Responsibilities

• Students have the following responsibilities:

• Adhere to departmental policies, procedures, and rules governing professional behavior.

• Report to the clinical site on time and prepared to complete the required number of hours agreed upon by the educational program.

• Notify the Educational Program Preceptor if he/she is unable to report when scheduled.

• Behave and dress appropriately for the institutional clinic environment.

• Respect the confidentiality of the institutional clinic environment, employees, and patients.

• Execute a Non Redisclosure Agreement prior to participation.

• Discuss any problem with his/her Educational Program Preceptor and, if necessary, the CDFM.

Student Rights

• Students have the same legal rights as State employees regarding protection against discrimination and harassment.  Students are not employees of the State, CCHCS, or CDCR, and do not have the same rights as State employees in other areas, including workers’ compensation, unemployment compensation, participation in the Public Employees Retirement System, civil service employee disciplinary procedures, or any other rights afforded to State employees based on civil service employment.

Student Schedule

• Schedules shall be flexible depending on the individual educational requirements and Educational Program Preceptor’s schedule and availability.

Student Evaluations

• Evaluation of performance is important to the student’s development, and should be provided throughout the entire rotation.

• Regularly scheduled evaluations help avoid:

  • Miscommunication

  • Misunderstanding of clinical responsibilities

  • Failure to achieve specific goals and objectives

Educational Rotation Completion

• An educational rotation should have a clearly stated end date that is identified before the educational rotation begins.

• At the end of the educational rotation, the Educational Program Preceptor may:

  • Provide clinical students with a letter of recommendation, if requested

  • Provide evaluations to the students’ educational program (e.g., evaluations required for academic credit), if requested

• The Educational Program Preceptor ensures clinical students return any departmental property and that electronic accesses (e.g., eUHR, EHRS, MHTS) are rescinded.

• The Educational Program Preceptor notifies WDU when the educational rotation is completed.

• WDU retains the clinical students’ contact information in order to notify students about potential job opportunities.

Recruitment of Student Graduates

• Candidates who have participated in a correctional educational rotation provide an important recruitment and retention opportunity for CCHCS and DHCS, since such candidates have already been introduced to experiences unique to the correctional health care environment.  To take advantage of the opportunity to recruit these student graduates, WDU shall:

• Maintain an up-to-date roster of all programs and students, including student contact information.

  • NOTE: The roster information shall be provided by the CL to WDU prior to any rotation.

• Survey student via e-mail approximately one to two weeks after the end of the students’ educational rotation to better understand how the students reacted to the experience (e.g., what the students liked and did not like).  Survey Educational Program Preceptors, and other clinical leaders who observed educational rotation students, via e-mail approximately one to two weeks after the end of the students’ educational rotation.

  • All surveys will be administered using available survey tools (e.g., Survey Monkey).

  • Survey results will be assessed by WDU to ensure efficacy of the program.

  • Data will be compiled and shared with the relevant CCHCS management, enabling CCHCS to improve the education programs.

• Create a talent pool within the CCHCS and DHCS, Applicant Tracking System.

• Remain in contact with students as part of CCHCS’ and DHCS’ recruitment efforts.

• Share student hiring data and feedback with stakeholders.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR) shall comply with California Government Code (GC), Sections 19991.1 through 19991.13, State rules and regulations, and Bargaining Unit (BU) Memorandum of Understanding (MOU) provisions regarding leave of absences (LOA) for health care employees.

Purpose

• To provide resources and procedures to ensure consistent application of the GC, State rules and regulations, and MOUs relating to LOAs.

Eligibility

• Eligibility criteria can differ depending on the type of leave being requested, applicable GC or California Code of Regulations (CCR) Sections, State rules and regulations, and BU MOUs.  Statutes occasionally have different eligibility requirements and provide different levels of leave benefits for the same type of leave.  Human Resources (HR) may be contacted for assistance with eligibility verification information.

• For assistance with eligibility verification information, headquarters (HQ)/regional office health care employees should contact their Senior Personnel/Personnel Specialist (hereafter referred to as Personnel Specialist [PS]), and institution health care staff should contact the Regional Human Resources Field Liaison (RHRFL) at their institution.

• When determining a rank and file employee’s eligibility for any LOA, the BU’s MOU shall be followed.  If the MOUs do not provide a provision for LOA, then the GC and CCR shall apply.  If the MOU is in conflict with the GC and CCR, the provisions of the MOU shall be followed for rank and file employees.

• Excluded employees (managers, supervisors, and confidential designations) are governed by GC and California Department of Human Resources policies.  MOU provisions cannot be applied to excluded employees.

• The following criteria must be considered when determining employee eligibility:

  • Tenure (e.g., permanent, limited term, temporary).

  • Employee Designation (rank and file, managerial/supervisory, confidential).

  • BU provisions (rank and file employees).

  • Length of State service.

Ineligibility

• Pursuant to CCR, Title 2, Section 599.781 and respective MOUs, an LOA is prohibited for any employee who:

• Is accepting another position in State service.

• Is leaving State service to enter other employment, except as permitted in the GC.

• Does not intend to, nor can reasonably be expected to, return to State service on or before the expiration of the leave.

Formal Discretionary LOA

• A discretionary LOA may be granted upon the employee’s request, eligibility verification, and appropriate approval by the program Deputy Director, Regional Health Care Executive (RHCE), Chief Executive Officer (CEO), or authorized designee, hereafter referred to as Hiring Authority (HA).  Employees shall provide written substantiation to support the request for a discretionary LOA.  Requests for an LOA shall not be unreasonably denied.  A discretionary LOA may be granted by the HA for the following reasons:

  • Adoption or parental leave (up to one year).

  • To attend to personal or family matters.

  • Civilian volunteer during a military emergency.

  • Education.

  • Employee is loaned to another governmental agency (for performance of a specific assignment), non-profit organization, or a recognized college/university upon the request of CCHCS, DHCS, CDCR, or the receiving entity.

  • Medical reasons.

  • To run for public office.

  • To seek or accept other employment during a layoff situation or otherwise lessen the impact of an impending layoff.

  • Union leave.

  • Other acceptable reasons.

• Employees who have exhausted paid leave may be eligible for a discretionary unpaid LOA for a period not to exceed one year.

Formal Mandatory LOA

• A mandatory LOA shall be granted upon the employee’s request, eligibility verification, and appropriate approval by the HA for the following reasons:

  • Adoption (up to 12 weeks).

  • To attend training or education covered under Veteran’s benefits.

  • Bone marrow donor (limited to five days in any one-year period for this purpose).

  • Pregnancy, childbirth, and recovery (up to four months).

  • To care for a newborn child (up to 12 weeks).

  • Military leave.

  • Organ donor (if the donor employee has exhausted all sick leave; this leave is limited to 30 days in any one-year period for this purpose).

  • While receiving permanent disability payments and obtaining re-training services after a work related injury.

• All of the above provide a lesser amount of time off than GC, Section 19991.1 permits, and to the extent permitted by law, shall run concurrently with the discretionary one-year unpaid LOA permitted under GC, Section 19991.1.

Hiring Behind an Employee on LOA

• If a manager/supervisor requests to fill behind an employee on an LOA, the position must be filled on a limited-term basis. The Classification and Pay (C&P) Analyst/RHRFL shall work with the manager/supervisor to fill the position.

• In instances where the LOA is for a short duration (i.e., 60 days or less), the department head or designee may consider utilizing an Out-of-Class (OOC) assignment.

Employee Responsibilities

• It is the employee’s responsibility to submit a Request for Leave of Absence form to the respective manager/supervisor within a reasonable amount of time before the effective date of the LOA, when practical.

• The request must contain the following information:

  • Beginning and end dates of the LOA, not to exceed one year (any change to the length of the LOA must be approved by the program Deputy Director, RHCE, CEO, or authorized designee).

  • The specific reason for the LOA (e.g., medical or parental).

  • Pertinent documentation supporting the LOA request.

Manager/Supervisor Responsibilities

• When an employee requests an LOA, the manager/supervisor shall:

  • Verify the employee’s eligibility.

    • For HQ/Regional Office staff, contact the PS.

    • For institution staff, contact the RHRFL.

  • Provide a recommendation for approval or denial of the LOA.

  • Forward the request package through the chain of command to the program Deputy Director, RHCE, CEO, or authorized designee.

  • Notify the employee in writing when the LOA has been approved or denied.

  • Notify assigned C&P Analyst:

    • That the employee has been granted an LOA, and provide the commencement/return dates so that the program’s organizational chart may be updated.

    • If the program will be hiring behind the employee while on LOA.

• Sixty days prior to the expiration date of the LOA, the manager/supervisor shall:

  • Contact the employee to verify the return date and obtain any necessary documentation (e.g., licensing, credentials, tuberculosis test clearance, and medical release).

  • Coordinate any training needs upon the employee’s return.

PS/Regional C&P Analyst/RHRFL Responsibilities

• At HQ/Regional Offices:

  • The PS shall work with the employee, manager/supervisor, HR Transactions Manager, and/or designee, to assist in obtaining information and documents for the LOA.  The PS shall address HQ employee’s concerns, and the Regional C&P Analyst shall address Regional Office employee’s concerns.

• At Institutions:

  • The RHRFL shall act as the liaison for the employee, manager/supervisor, Institution Personnel Officer (IPO), and/or designee to assist in obtaining information and documents for the LOA.  The RHRFL shall work with the IPO and/or designee to address the employee’s concerns.

HQ and Regional C&P Analyst/RHRFL Responsibilities

• Upon an employee’s return from LOA, the HQ or Regional C&P Analyst, or RHRFL shall generate a Request for Personnel Action (RPA) to return the employee to a funded position.

Extensions

• Pursuant to GC, Section 19991.1, any extension of an LOA may be granted by the HA or designee.  Extensions beyond the original LOA may be requested by the employee using the Request for Leave of Absence form with additional substantiating documentation.

• Consistent with the aforementioned provisions, requests for LOA extensions which exceed the one year limitation may only be considered with sufficient written substantiation and must be approved as follows:

  • For HQ Employees:  By the program Deputy Director, after receiving a recommendation from the HR Transactions Manager and Disability Management Unit (DMU) if applicable.

  • For Regional Office Employees:  By the program Manager/RHCE, after receiving a recommendation from the Regional Personnel Administrator and DMU if applicable.

  • For Institution Employees:  By the CEO, after receiving a recommendation from the Regional Personnel Administrator and DMU if applicable.

    • NOTE:  In all cases, an extension must be requested 30 days prior to the expiration of the original LOA.

LOA Denial

• Per GC, Section 19991.1, discretionary LOAs are permissive and not an absolute right.  However, many MOUs state LOAs shall not be unreasonably denied.  The specific MOU that applies in any given situation shall be consulted when an employee requests an LOA.

Termination of an LOA

• Pursuant to MOUs and CCR, Title 2, Section 599.782, an LOA may be terminated:

• Upon the expiration of the approved LOA.

• By the Department, prior to the expiration date, with written notice (see applicable MOU to determine the required notification).

• By the employee, prior to the expiration date with the approval of the HA or designee.

LOA Request Process

• The procedure for processing a request for an LOA and the responsibilities of all individuals/units involved are as follows:

• Employee

  • Contact assigned PS at HQ, Regional C&P Analyst at Regional Offices, or RHRFL at institutions to review alternatives to LOA, impact to State service and pay, and continued health premium payments prior to requesting an LOA.

  • Consult with the PS at HQ, PS at Regional Offices, or RHRFL at institutions regarding any necessary attendance records and paycheck release arrangements while on an LOA.

  • Complete and submit a Request for Leave of Absence form along with any supporting documentation to respective manager/supervisor.  The request must include the beginning and ending dates of the LOA (for a period not to exceed one year).

  • If approved, consult with the PS at HQ, PS at Regional Offices, or RHRFL at institutions regarding any necessary attendance records and paycheck release arrangements while on an LOA.

  • Contact immediate manager/supervisor 30 days prior to expiration of an LOA regarding return date.

  • Contact Benefits Unit at HQ, the PS at Regional Offices, or the RHRFL at institutions 30 days prior to expiration of LOA to discuss reinstatement of benefits (if applicable).

  • If an extension is needed, contact manager/supervisor 30-days prior to the end of an LOA, and complete and submit a new Request for Leave of Absence form with supporting documentation.

• Manager/Supervisor

  • Review applicable MOU to ensure compliance with eligibility and limitations.

  • Consult with appropriate personnel representative regarding LOA eligibility questions:

    • HQ/Regional Offices:  Contact the Transactions Manager/Regional C&P Analyst.

    • Institutions:  Contact the RHRFL

  • Consult with appropriate personnel representative to discuss coverage options and/or initiate recruitment behind the employee:

    • HQ/Regional Offices: Contact the C&P Analyst/Regional C&P Analyst.

    • Institutions:  Contact the RHRFL

  • Submit for processing the LOA request:

    • HQ:  Forward the request package to the PS for personnel and payroll processing and forward a copy to the HR Transactions Manager for tracking purposes.  Forward the LOA request package, along with a recommendation to approve/deny, through the chain of command to the program Deputy Director/CEO, or designee.

    • Regional Offices:  Forward the request to the Regional C&P Analyst who will retain a copy and prepare a recommendation to approve/deny, and route through the chain of command to the program Deputy Director/RHCE, or designee for approval.

    • Institutions:  Forward the request to the RHRFL who shall retain a copy and prepare a recommendation to approve/deny, and route through the chain of command to the CEO, or designee for approval.

• Program Deputy Director/RHCE, CEO, or Designee

  • Approve/deny the recommendation and document decision on the Request for Leave of Absence form.

  • For HQ, the program Deputy Director shall consult with HR Transactions Manager or designee to assist with the decision process.

  • For Regional Offices, the program Deputy Director/RHCE shall consult with the Regional Personnel Administrator to assist with the decision process.

  • For institutions, the CEO shall consult with the Regional Personnel Administrator to assist with the decision process.

  • Once approved/denied, return request package to the employee’s manager/supervisor.

• Manager/Supervisor

  • Notify and provide the employee a copy of the Request for Leave of Absence form with the documented decision.  If approved:

    • HQ:  Forward the request package to the PS for personnel and payroll transaction processing, and notify the Benefit Services.

    • Regional Offices:  Forward the request package to the Regional C&P Analyst, who shall retain a copy and forward to the PS for personnel and payroll transaction and benefit processing.

    • Institutions:  Forward the request to the RHRFL who shall retain a copy and forward the original to the IPO or designee for processing.

  • If denied, the manager/supervisor must provide a written response to the employee and retain a copy in the employee’s supervisory file and forward a copy as follows:

    • HQ:  Forward a copy to the PS.

    • Regional Offices:  Forward a copy to the Regional C&P Analyst.

    • Institutions:  Forward a copy to the RHRFL.

• RHRFL

  • Once the RHRFL receives the final LOA approval, the RHRFL shall:

  • Forward request to the IPO or designee for processing.

  • Email the Position Control Analyst to flag the employee’s position number and indicate “LOA” (include length of time, if known) on the position master roster.

  • Forward a copy of the LOA to the Regional C&P Analyst and Regional HR Manager.

  • Notify appropriate DMU representative of the approved LOA when related to pregnancy or for medical issues.

  • Ensure all Master Position, Vacancy, and Recruitment reports are updated to reflect the approved LOA information.

• HQ C&P Analyst

  • Consult with the employee’s manager/ supervisor to ensure adequate coverage while the employee is on an LOA.  If coverage is needed, the types of coverage may be contingent upon the length of the LOA.

  • Prepare appropriate documentation [e.g., OOC, Receiver’s Freeze Exemption Request (RFER), and RPA].

  • Prior to the employee’s return, the C&P Analyst will generate the RPA to return the employee to their position number, if necessary.

• Regional C&P Analyst

  • Email the Position Control Analyst to flag the employee’s position number and indicate “LOA” (include length of time, if known) on the position master roster.

  • Forward a copy of the LOA to the PS and HR Transactions Manager for processing.

  • Notify appropriate DMU representative of the approved LOA when related to pregnancy or for medical issues.

  • Ensure all Master Position, Vacancy, and Recruitment reports are updated to reflect the approved LOA information and initiate recruitment efforts.

  • Consult with the employee’s manager/ supervisor to ensure adequate coverage while the employee is on an LOA.  If coverage is needed, the types of coverage may be contingent upon the length of the LOA.

  • Prepare appropriate documentation (e.g., OOC, RFER, and RPA) and initiate recruitment efforts.

  • Prior to the employee’s return, generate the RPA to return the employee to their position number, if necessary.

• PS

  • Review applicable MOU or other laws and regulations to ensure compliance with eligibility and limitations.

  • Complete the appropriate transaction to update employee’s employment history to reflect the LOA.

  • Email the Position Control/C&P Analyst and personnel liaisons when applicable, to inform of the employee’s effective date of LOA to update reports, documents, or data systems in accordance with local office procedures.

  • Inform the Benefit Services Analyst to notify employee of the options to continue medical/dental benefits, if necessary.

    • NOTE: In Regional offices, the PS notifies the employee of the option to continue medical/dental benefits, if necessary.

  • Create a standardized memorandum reminding manager/supervisor 60 days prior to expiration date.

  • Create a standardized memorandum reminding HQ C&P Analyst/RHRFL 30 days prior to expiration date.

  • Upon the employee’s return, process the appropriate documentation to update employment history to return the employee to active status.

• HQ Benefits Analyst/ Regional Office PS/Institution PS

  • Provide employee on unpaid LOA with Direct Payment Authorization (PERS-HBD-21) form for health care premium information.

  • Provide Family Medical Leave Act (FMLA)/California Family Rights Act health care coverage information when leave is related to FMLA qualifying events.

• Selection Services Analyst

  • Employees returning from Military Leave are afforded certain rights to retain placement on employment eligibility lists.

  • The Selection Services Analyst is responsible for providing those services detailed in the Military Leave Handbook.

Policy

• California Correctional Health Care Services (CCHCS) shall comply with California Department of Human Resources’ (CalHR) requirements for preparing duty statements and organizational charts as applicable.

Purpose

• To provide the duty statement and organizational chart requirements within CCHCS, inform CCHCS staff of CalHR’s requirements, and ensure compliance with Government Code Sections 12926–12926.1 and 12940.

Applicability

• This policy sets forth the requirements for Human Resources (HR) offices located at headquarters (HQ) and regions (for regional offices and institutions) to develop duty statements and organizational charts as required in retaining delegated authority for position allocation.  CalHR requires all departments to submit a complete set of organizational charts annually and prior to any major reorganization pursuant to Personnel Management Liaison Memorandum 2007-026. In compliance with the current Delegation Agreement with CalHR, HR shall submit a complete set of organizational charts for CCHCS by January 1 of each calendar year.

Procedure

• Duty Statement

  • HR and the program shall coordinate the development and modification of duty statements.  A duty statement is a written description of the job responsibilities assigned to a specific position.  Job responsibilities are based on the approved State Personnel Board classification specifications and allocation guidelines (if guidelines exist for the classification).  The duty statement shall include the following:

    • A complete and detailed information header (e.g., program name, position number, unit, classification, working title, and assigned location).

    • A standardized statement summarizing CCHCS’ commitment to building and maintaining a culturally diverse workplace and working as a team.

    • A primary domain (Information Technology classifications only).

    • A general statement describing the program/division and/or position overview.

    • A detailed account of essential functions required to perform in the position. 

    • The knowledge, skills, and abilities; desirable qualifications, special requirements, or continuing education requirements, etc. found in the classification specification, if applicable.

    • A detailed description of the work conditions and environment.

    • A location for the employee’s and supervisor’s signature and date on the duty statement.

  • Every employee shall review and sign a duty statement prior to or upon hire.  Managers/supervisors shall review the duty statement with each employee, obtain the employee’s signature, and sign the duty statement to verify that the duties have been discussed with the employee. 

  • The original signed duty statement shall be placed in the employee’s Official Personnel File (OPF) and a copy placed in the employee’s supervisory file for reference as needed for periodic review with the employee.  The employee may also retain a copy. 

  • Duty statements shall be reviewed and/or updated any time a vacancy occurs or as duties change, whether resulting from a reclassification or organizational restructuring.  Any revisions to a duty statement shall require HR’s review and approval. Upon approval, the employee and the manager/supervisor shall sign the revised duty statement, submit a signed copy (wet or electronic) to HR for placement in the employee’s OPF, and retain a copy in the supervisory file.

• Standardized Duty Statements

  • In collaboration with HQ programs, HQ Classification and Pay (C&P), regional management, and institution Subject Matter Experts (SME), HR develops standardized duty statements for selected classifications. Standardized duty statements are duty statements written for positions within the same classification that are assigned the same function and general duties regardless of the location of the assignment.

  • Standardized duty statements shall be used for selected classifications. 

  • The standardized duty statements replace all existing duty statements in the selected classifications.  Standardized duty statements shall be used for processing appointments in these classifications. 

  • Any proposed change to a standardized duty statement, establishment of new assignments within the selected classifications, or development of standardized duty statement for a newly selected classification shall be approved by the Deputy Director (DD), HR, CCHCS, following HR’s established process for requesting personnel actions.

  • In the event a new program is established that authorizes positions with standardized duty statements, a review shall be conducted by the appropriate HR office to determine if standardized duty statements shall be developed and a recommendation provided to the DD, HR, for consideration.  In all instances (i.e., proposed change, new assignment within the classification, or new program), revision or development of duty statements shall be coordinated by the appropriate HR office in collaboration with the appropriate HQ program, HQ C&P, regional management, and SME(s).

• Human Resources Responsibilities

  • The DD, HR, CCHCS has overall responsibility for the implementation and oversight of this policy. HQ and Regional C&P Analysts and Field Liaisons shall be responsible for:

  • Disseminating approved duty statements to the appropriate program, regional office, or institution.

  • Coordinating distribution of duty statements to the appropriate manager/supervisor.

  • Collecting duty statements signed by both employee and manager/supervisor.

  • Ensuring a signed copy is forwarded to the HQ HR, Regional HR, and Institution Personnel Office for filing in the OPF.

  • Tracking the receipt of signed duty statements for all affected employees.

• Organizational Charts

  • Each unit, program, section, and branch within CCHCS shall have an official, current organizational chart.  The purpose of an organizational chart is to reflect the management structure and reporting relationships of subordinate staff.

  • Organizational structures shall be developed in accordance with classification specifications and allocation guidelines. 

  • Organizational charts shall serve as a point-in-time reflection of vacancies, temporary positions, approved exceptional allocations, Training and Development assignments, Out-of-Class assignments, and pending hires; organizational charts shall be updated for each request for personnel action that is processed.

  • HQ C&P and Regional HR offices maintain the official organizational charts.  Programs may maintain their own working charts; however, any formal changes to the organizational structure shall first be approved by the DD, HR, CCHCS.

  • On an annual basis, the Receiver and Undersecretary, Health Care Services, and each Director, DD, Assistant DD, Regional Health Care Executive, and Chief Executive Officer shall review their organizational chart and certify the accuracy of their organizational structure by signing the organizational chart.  This process shall be coordinated by HQ HR and conducted in October each calendar year.

Policy

• California Correctional Health Care Services (CCHCS) shall ensure that the public, including those who are non-English speaking or limited-English proficient, is provided equal access to the available services and information of CCHCS pursuant to the provisions of the Dymally-Alatorre Bilingual Services Act (DABSA).

Purpose

• To maintain a process that CCHCS shall follow to comply with the DABSA to ensure equal access to available services and information.

Responsibility

• All CCHCS employees are responsible for ensuring that the public is treated with dignity and respect, identifying the language needs, and utilizing available bilingual resources to assist non-English speaking/limited-English proficient members of the public, when needed.

Procedure

• Bilingual Language Survey

  • CCHCS is mandated to conduct a biennial Bilingual Language Survey and report their results to the California Department of Human Resources (CalHR) by October 1 of every even-numbered year. CCHCS Disability Management and Support Services (DMSS), shall conduct the mandatory biennial Bilingual Language Survey at a specified physical address and geographic location for testing every even-numbered year during any ten days identified by CDCR.

  • The CCHCS Bilingual Testing Coordinator (BTC) shall assume the duties of the Language Survey Coordinator and coordinate the Language Survey process.

  • The Assistant Deputy Directors, Regional Personnel Administrator, or designee shall assign the staff to perform the duties of the Language Survey Liaison and coordinate the Language Survey process within their respective institutions/programs.

  • The Language Survey Coordinator shall:

    • Obtain current survey instructions through CalHR.

    • Coordinate with the CalHR Bilingual Services Program to ensure the survey is conducted in accordance with the instructions issued.

    • Coordinate the biennial Bilingual Language Survey.

    • Conduct training for the Language Survey Liaisons.

    • Conduct monitoring and respond to questions regarding the Language Survey process.

    • Receive all completed survey information, review for accuracy, make corrections, and compile summary data for all units/institutions.

    • Submit the results of the Bilingual Language Survey to CalHR by October 1 of every even-numbered year.

  • The purpose of the Bilingual Language Survey is to determine:

    • The number of:

      • Public contact employees at each location.

      • Certified bilingual employees in direct public contact at each location and the languages they speak, other than English.

      • Additional qualified bilingual public contact employees needed to reach compliance as determined by CalHR.

      • Anticipated vacancies in direct public contact positions.

    • The number and percentage of non-English speaking members of the public served by each location, by native language.

    • The use of alternative options for interpretation services.

    • All required translated materials that have been translated and the language into which they were translated.

    • A list of all translated materials that are required to be accessible to non-English speaking/limited-English proficient members of the public.

• Implementation Plan

  • The Implementation Plan is the plan of action of a state agency regarding their bilingual programs, and the progress made in correcting any deficiencies found in the language survey.

  • By October 1 of every odd calendar numbered year, the BTC shall submit a bilingual language implementation plan to CalHR.

  • The implementation plan shall:

    • Gather information related to the services provided to non-English speaking/limited-English proficient members of the public.

    • Address deficiencies in bilingual staffing and/or translated written materials identified in the language survey.

• Performance and Service Standards

  • CCHCS shall achieve effective communication with non-English speaking/limited-English proficient members of the public by providing bilingual interpreters, translated written materials, and bilingual services.

  • Bilingual Interpreters

    • For each non-English speaking group that represents a minimum of five percent of the public served by a CCHCS office, that office shall employ an appropriate number of certified bilingual employees or arrange for suitable alternatives as permitted by the DABSA.

    • To be certified bilingual, a state employee must have passed an oral or written fluency examination in a non-English language and been certified in that language for the purpose of verbal or written communication.

  • Translated Written Materials

    • The CDCR Office of Personnel Services, Quality Management, shall maintain a list of materials that have been translated, and the languages into which they have been translated, and shall distribute all translated materials to offices statewide so that they are available to the public upon request.

    • Where appropriate, each CCHCS office shall make available translated materials that:

      • Solicit or require the furnishing of information from an individual.

      • Provide the individual with information.

      • Describe information that may affect the individual’s rights, duties, or privileges.

  • Bilingual Services

    • The CCHCS contracts with telephonic or other interpreter services to ensure it has qualified bilingual interpreters for languages which it does not employ certified bilingual staff.

    • All interpreters utilized by CCHCS shall be qualified and certified to perform the services requested for the language(s) in which they are proficient.

    • The BTC shall maintain instructions for utilizing the Language People Interpreting and Translating Service (telephone interpreter) to provide effective telephonic communication between staff and non-English speaking/limited-English proficient members of the public when a CCHCS bilingual interpreter is not available to provide effective face-to-face communication in their native language.

  • Public Contact Employees shall:

    • Participate in the biennial Bilingual Language Survey and be informed on how to conduct a meaningful language survey.

    • Provide effective telephone and face-to-face communication between staff and non-English speaking/limited-English proficient members of the public.

    • Receive access to guidelines for providing services to non-English speaking/limited-English proficient members of the public.

    • Identify non-English speaking/limited-English proficient people as early as possible during the initial contact.

    • Contact a qualified interpreter as soon as possible to ensure that no significant delay in service takes place.

    • Ensure that translated documents, translation guides and ads are available at all offices that serve non-English speaking/Limited-English proficient members of the public. Where translated documents are not available, a qualified interpreter shall be provided to explain the information in question.

• Questions or Assistance

  • CCHCS employees who require assistance with non-English speaking/limited-English proficient members of the public can seek the assistance from any CCHCS certified bilingual employee.  Additionally, public contacts or telephone calls with non-English speaking/limited-English proficient members of the public can be handled through telephonic language interpreters.

• Complaints

  • Complaints about interpreter/translation services are to be filed by utilizing the Language Access Complaint Form.

  • The completed form may be submitted to CCHCS_EEO@cdcr.ca.gov.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services, California Department of Corrections and Rehabilitation (CDCR) shall provide permanent and limited-term employees who are voluntarily separating from CCHCS/CDCR (e.g., transfer to another state agency, resignation, retirement) or laterally transferring to a different CDCR facility or CCHCS program, the opportunity to participate in the CCHCS Exit Survey and Exit Interview (ESEI) process. 

• The ESEI process is voluntary. Employees are not required to participate in any aspect of the process, but are encouraged to do so. Employees may choose to only complete the online Exit Survey or only participate in an Exit Interview.  Participation in one aspect of the process does not mandate participation in the other.

Overview

• Employee turnover can be one of the greatest financial costs to an organization in addition to the operational costs, as remaining staff are impacted with increased workload and the potential loss of valuable knowledge. The benefits of determining the cause(s) of employee turnover and increasing employee retention are evident on both a strategic and practical level.

• The ESEI shall provide CCHCS information on those factors that most commonly predict attrition and retention (i.e., the work environment, organizational culture, applicability of processes and systems, and quality of management). The ESEI process is generally seen by existing employees as a sign of a positive organizational culture. The process is designed to discover the causes behind employees’ separating or transferring, share the information with executive leadership and ultimately result in improvement to the organization.

• The ESEI process shall provide the separating or transferring employee an opportunity to:

  • Provide feedback;

  • Leave the organization, CDCR facility or CCHCS program feeling valued; and

  • Potentially create a path for return in the future.

• The ESEI process offers both a quantitative process, one of data points and anonymity and a qualitative process, one of communication and engagement. Together, they are designed to target the way individuals choose to convey information. The ESEI process is designed to create a multi-targeted assessment of the underlying causes of employee turnover. As such, all employees who engage in the Exit Interview are encouraged to complete the online Exit Survey so that all necessary data points can be captured.

Purpose

• The data from the ESEI process, combined with other human resources metrics (e.g., vacancy rates, length of vacancies, employee movement within CCHCS), will provide executive leadership with an understanding of employment trends and employee needs so that CCHCS can create mechanisms to improve recruitment and retention strategies aimed at addressing employee issues.

Procedure

• In order to ensure all employees are given the opportunity to participate in the ESEI process, upon notification of an employee voluntarily separating or laterally transferring, the employee’s manager/supervisor, designee, or assigned Personnel Liaison shall initiate the ESEI process no later than two weeks before the employee’s last day of physical work.

• The employee’s manager/supervisor shall access the CCHCS Service Portal via the Lifeline intranet page, then click on the Employee Separation tab under Human Resources to report the details of the employee separation or transfer to initiate the ESEI process. The CCHCS Service Portal shall auto-generate an email notification of the employee’s separation to the Workforce Development and Talent Management (WD&TM) Section via the ESEI inbox at CCHCSExitSurvey@cdcr.ca.gov.

• Exit/Transfer Survey

  • The WD&TM Section shall send an email to the separating or transferring employee upon receipt of the CCHCS Service Portal notification. The email shall contain a link to either an Exit Survey or a Transfer Survey, depending on the separation type and an option for the employee to express their interest in participating in an Exit Interview by responding to the email.

  • Employees shall have access to the electronic Exit or Transfer Survey during their last two weeks at work.

  • Employees shall be allowed sufficient state time and use of a state computer to complete the survey prior to their last day of work.

• Exit Interview

  • Difficult to Recruit Classifications

    • Upon receipt of a separation notification for those classifications deemed difficult to recruit, the assigned WD&TM Section Manager shall automatically schedule an Exit Interview, although participation remains voluntary.

    • Difficult to recruit classifications include:

      • Nurse Practitioner

      • Physician Assistant

      • Physician and Surgeon

      • Staff Psychiatrist

      • Psychiatric Nurse Practitioner

  • Employee Requested

    • The Exit Interview shall be conducted by the assigned WD&TM Section analyst/manager during the last week of employment and should take approximately 30 minutes to conduct. The employee’s direct supervisor shall not attend.

    • The Exit Interview shall be scheduled at a mutually convenient time for the separating or transferring employee and the WD&TM Section analyst/manager.

    • If an employee declines an Exit Interview but communicates verbally or in writing the reasons for the decision to separate or transfer directly to their supervisor/manager, the supervisor/manager shall document this information in an email and send to CCHCSExitSurvey@cdcr.ca.gov. If the information was relayed in a written format, the written document from the separating or transferring employee shall also be sent directly to CCHCSExitSurvey@cdcr.ca.gov.

• Reporting

  • The WD&TM Section provides a quarterly Exit Survey Interview report for Human Resources leadership and executives to review outcomes and reported trends. Any potential legal issues or concerns identified shall be addressed via a separate formal reporting method, which includes the sharing of high-level results of the ESEI process with Directors/Deputy Directors when a concern has been identified. Reported concerns will not be associated with individual survey data, and all anonymity shall be protected.

Policy

• Appointments and promotions shall be made on the basis of merit and fitness within state civil service.  California Correctional Health Care Services (CCHCS) shall comply with California laws and rules governing civil service appointments.  All Merit Issue Complaints filed with CCHCS shall be immediately reviewed, investigated, and resolved at the lowest possible level.

Purpose

• To describe the process for filing and responding to Merit Issue Complaints within CCHCS.

Procedure

• Types of Merit Issue Complaints

  • Merit Issue Complaints may be filed for reasons including, but not limited to, the following:

  • Interference with promotional opportunities.

  • Disputes regarding the effective dates of appointments or promotions.

  • Applicability of alternate salary ranges.

  • Denial of Merit Salary Adjustments

  • Interference with a person’s access to any State Personnel Board appeals process

  • The designation of managerial positions pursuant to California Government Code Chapter 10.3. State Employer-Employee Relations, Section 3513.

  • An employee who believes they have been discriminated against within the state civil service because of political affiliation or opinion.

• Filing a Merit Issue Complaint

  • CCHCS employees shall file their Merit Issue Complaint in writing with the respective personnel office (either regional or within headquarters [HQ], Human Resources [HR]) within three years of the alleged violation of State Personnel Board’s (SPB) regulation or policy in the hiring and selection process.  The personnel office shall be contacted regarding the time for filing a Merit Issue Complaint and the department’s levels of review.  No particular form is required; however, the SPB Appeals/Complaint Form may be used.

  • The employee filing the complaint shall provide enough factual information, detail and any substantiating documentation for CCHCS to ascertain the nature of the complaint.

  • All Merit Issue Complaints shall be submitted to the attention of the Deputy Director (DD), HR.

• Responding to a Merit Issue Complaint

  • CCHCS HR shall respond within 90 calendar days of the date of receipt of the Merit Issue Complaint. The personnel office shall inform employees or applicants, by certified or regular mail and by email (with read receipt), at the time the complaint is received, of their right to challenge the department’s denial of the complaint or failure to respond by filing a complaint with the SPB Appeals Division and the timeframe for filing. The following outlines the procedures for responding to a Merit Issue Complaint:

  • HR shall inform the employees or applicants at the time the complaint is received.

  • HR shall obtain and review all relevant documents (e.g., job advertisements; screening criteria forms; state applications; information regarding members of the interview panel; interview questions, notes, and scores; hiring documents) and contact the relevant program for additional information if needed.

  • Based on their review of all relevant documents, HR shall draft a proposed response to the complaint. 

  • The DD, HR, or designee shall review and forward the signed response to the complainant by certified or regular mail and email (with read receipt).

• Appealing a Merit Issue Complaint

  • An employee may appeal to the SPB Appeals Division within 30 calendar days after:

    • CCHCS’ written response denying the complaint.

    • CCHCS’ failure to respond to the employee’s written complaint within 90 calendar days.

  • Additional information regarding filing an appeal with the SPB’s Appeals Division may be accessed at: http://www.spb.ca.gov/appeals/appeals_procedures.aspx.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services, California Department of Corrections and Rehabilitation (CDCR) shall uniformly and consistently apply the Institutional Worker Supervision Pay (IWSP) Differential program, as set forth in the CalHR Pay Differential 67 Institutional Worker Supervision Pay (IWSP) Differential.  Institutional worker supervision shall include “active supervision of the conduct and work” including, but not limited to, on-the-job training and work performance evaluations of at least two incarcerated workers who substantially replace civil service employees for a total of 173 or 120 hours per pay period.

Eligibility Criteria

• Designated rank and file employees in the Bargaining Units (BU) listed below and the excluded classifications aligned with those BUs are eligible to receive the IWSP Differential if they meet any of the following criteria:

• Bargaining Unit Criteria

  • BU R01, R19, S01, and S19 only:  Employees must have regular, direct responsibility for work supervision, on-the-job training, and work performance evaluation of at least two incarcerated workers who substantially replace civil service employees for a total of at least 173 hours per pay period.

  • BU R04, R15, S04, S15, and S17 only:  Effective April 1, 2017, employees must have regular, direct responsibility for work supervision, on-the-job training, and work performance evaluation of at least two incarcerated workers who substantially replace civil service employees for a total of at least 120 hours per pay period.

    • The pay differential shall only be included in overtime calculations for Fair Labor Standards Act eligible classes.

    • The pay differential shall not be included to calculate Nonindustrial Disability Insurance or lump-sum vacation, sick leave, and excess hours due to fluctuating work schedules.

  • This pay differential may also apply to employees having direct supervisory responsibility over incumbents who meet the conditions stated in Sections (b)(1)(A) and (B) above.

  • Employees in all BUs listed above shall have a valid and approved STD. 610, Health Questionnaire (With Physician’s Report), on file in accordance with the Personnel Management Policy Procedures Manual, Section 375 (Medical Clearance).

• Movement to Another Classification

  • Upon movement to another classification in State service, whether through promotion or transfer, employees receiving IWSP shall move from their IWSP combined salary rate (base salary plus IWSP) to compute the appointment rate.

Institutional Worker Supervision Procedures

• Initial Institutional Worker Supervision Pay Request

  • The initial IWSP Differential request and supporting documentation must be submitted to the appropriate Regional Human Resources Field Liaison (RHRFL) by the supervisor of the employee requesting IWSP Differential.  The request consists of the following documents and is maintained in the employee’s Official Personnel File (OPF) under the pay history section:

  • Approved STD. 610 (placed in a sealed envelope at the back of the OPF).

  • Employee Duty Statement reflecting direct incarcerated worker supervision.

  • Employee organizational chart reflecting the incarcerated worker supervision.

  • CCHCS Supervisor’s Certification of Eligibility for Pay Differential form

  • Inmate Job Description.

• Roles and Responsibilities

  • Once an employee has met all criteria and the Regional Human Resources (HR) Manager has approved the IWSP Differential, the following obligations apply: 

  • Each employee participating in the IWSP Differential program shall:

    • Be aware of IWSP Differential program requirements.

    • Maintain current and updated Inmate Job Descriptions.

    • Provide incarcerated workers on-the-job training.

    • Notify the appropriate custody staff when an incarcerated worker does not appear for work.

    • Review and sign incarcerated worker timesheets.

    • Ensure that all required monthly documentation is completed.

    • Notify his/her supervisor/Institutional Personnel Office when no longer eligible for IWSP Differential (Refer to Section (b) Eligibility Criteria).

    • Maintain incarcerated worker work performance evaluations.

    • Retain copies of all documentation pursuant to CDCR Department Operations Manual (DOM), Section 13030.32, Retention and Destruction of Personnel Information.

  • Each manager/supervisor shall:

    • Become familiar with IWSP Differential program requirements.

    • Review the Inmate Job Description to ensure it includes duties and responsibilities which substantially replace the duties and responsibilities of a civil service employee.

    • Review the CDCR 998-A, Employee’s Record of Attendance.

    • Review the CDCR 1697, Inmate Work Supervisor’s Time Log, to ensure the employee meets the criteria.

    • Complete a Monthly IWSP Certification form for employees each pay period.  The Monthly IWSP Certification form is available at the Institutional Personnel Office.

    • Submit the completed Monthly IWSP Certification form with the employee’s CDCR 998-A and CDCR 1697 to the Institutional Personnel Office by the third work day of the following pay period.

    • Immediately notify the RHRFL and Institutional Personnel Officer (IPO) using the Monthly IWSP Certification form when the employee is no longer eligible for IWSP Differential.

  • BU 15 Food Administrators shall certify that Food Service Operations staff meet IWSP Differential criteria by using the Monthly IWSP Certification form and attaching an STD. 671, Miscellaneous Payroll/Leave Actions form listing all eligible employees.

  • It is the responsibility of the IPO or designee to:

    • Review the employee’s CDCR 998-A, Monthly IWSP Certification form, and CDCR 1697(s) to confirm eligibility requirements have been met.  Upon verification, sign the Monthly IWSP Certification form.

    • Notify the employee in writing by the fifth work day of each month if he/she is no longer eligible to receive IWSP Differential.

    • Notify the employee when an IWSP Differential overpayment has occurred and shall be collected in accordance with the appropriate BU Memorandum of Understanding and California Government Code, Section 19838.

  • The RHRFL shall:

    • Verify the employee has met initial eligibility requirements to receive IWSP Differential. 

    • Provide the IWSP Differential pay request documentation approved by the Regional HR Manager to the Institutional Personnel Office.

    • Retain copies of the request and all supporting documentation pursuant to CDCR DOM, Section 13030.32, Retention and Destruction of Personnel Information.

Institutional Worker Supervision Pay Audits

• Quarterly Regional Audits

  • The Regional Human Resources Office (RHRO) shall:

    • Conduct quarterly internal IWSP program audits.

    • Document findings of non-compliance and coordinate with Institutional Personnel Office staff to ensure any IWSP salary overpayments identified as part of the audit are established and collected.

    • Maintain a Quarterly IWSP Audit Log in the RHRO for a period of three years.

• Annual Audits

  • CDCR HR may conduct an annual audit of the IWSP Program.

• Audit Results

  • CCHCS RHRO shall:

  • Request the audit results from the RHRFL for health care employees to track and confirm compliance with policy.

  • Work with Institutional Personnel Office staff to ensure any IWSP salary overpayments identified as part of the audit are established and collected.

  • Document findings of non-compliance and conduct on-the-job-training for staff on identified errors.

Policy

• California Correctional Health Care Services (CCHCS) adheres to the rules and regulations adopted by the California State Personnel Board (SPB) and the California Department of Human Resources in the application and administration of special pay differentials (Pay Diff) and/or alternate range criteria (ARC).  Employees in designated health care classifications may be entitled to receive a special Pay Diff and/or a higher ARC placement for possessing a valid certification as described in their respective SPB Classification Specification, Pay Diff, or ARC.

• Employees who do not maintain their certification are no longer entitled to receive the Pay Diff and/or ARC placement and shall be moved into the pay range which corresponds to their current certification status.

Purpose

• To identify the actions required when an employee fails to maintain their certification, including the processes for either:

• Removing a Pay Diff.

• Adjusting ARC placement.

• NOTE:This policy does not address expiration of any license/certification that is required as a condition of employment.  Refer to Administrative Policy 2.11, Expired License, Certification, or Registration Policy and Procedure for additional information.

Responsibility

• The headquarters (HQ) Human Resources (HR) Classification and Pay (C&P) Non-Punitive Termination Analyst (NPTA) and Regional NPTA shall:

  • Monitor employee certification status and expiration dates, in coordination with the Credentials Verification Unit (CVU), which shall provide a monthly Certification Status Report to HQ HR Executives, Regional Personnel Administrators (RPA), and identified HQ/Regional personnel managers.

  • Coordinate removal of any Pay Diff or movement to a lower ARC placement with the applicable HQ/Regional Transactions Unit or Institution Personnel Office.

• The NPTA’s Staff Services Manager I shall conduct monthly certification audits, and the RPA/Associate Director (AD), C&P/Transactions and Benefit Services (TBS), HQ HR or designee, shall conduct quarterly certification audits to ensure compliance with the expired certification process.

• Employees shall provide their manager/supervisor, the CVU, and the appropriate C&P NPTA or Regional NPTA/Regional HR Field Liaison, with any correspondence from the respective certification authority that changes the status of their certification (e.g., denials, expirations, restrictions, revocations, or suspensions).

Procedure

• Pay Differential Removal/Movement To Lower Alternate Range Criteria Placement Package

  • If an employee’s certification, for which they were receiving a Pay Diff or higher ARC placement, lapses for any reason, the NPTA shall prepare the appropriate Pay Diff removal package or movement to a lower ARC placement which shall contain the following documents:

  • Lapsed Certification Transmittal

  • Lapsed Certification Notice

  • Copy of employee’s most recent certification information

  • Personnel Information Management System history (with Social Security number redacted)

• Lapsed Certification Notice To Recipients

  • The NPTA shall obtain the appropriate Chief Executive Officer (CEO)/AD, C&P/TBS, HQ HR’s signature and disseminate the Lapsed Certification Notice as follows:

  • Original to employee

  • Copies to:

    • CVU

    • Employee’s Official Personnel File

    • Employee’s manager/supervisor

    • Personnel Specialist (PS) via the HR Transactions Manager/Institutional Personnel Officer (IPO)

• Pay Differential Removal And/Or Movement To A Lower Alternate Range Criteria Placement Package Recipients

  • The NPTA shall disseminate the Pay Diff removal package and/or movement to lower ARC placement package as follows:

  • CEO (institutions only)

  • RPA (institutions/regions only)

  • AD, C&P/TBS, HQ HR

  • PS via the HR Transactions Manager/IPO

• Renewing Eligibility For Special Pay Differential And/Or Movement To Higher Alternate Range Criteria Placement

  • If an employee has provided acceptable proof of renewal of their certification, or if CCHCS has otherwise independently verified that the certification has been renewed, the NPTA shall:

    • Notify CVU staff via email to CredentialsVerificationUnit@cdcr.ca.gov of the renewal of certification.

    • Notify the employee’s manager/supervisor of the renewal of certification.

    • Forward a copy of the proof of renewal to the PS/HR Transactions Manager/IPO with direction to process the transaction to add the Pay Diff and/or movement to higher ARC placement. 

    • Update the Licensing/Certification Tracking Log to reflect the renewal of certification and new expiration date.

    • Review the employee’s employment history to confirm the renewal of certification information, Pay Diff and/or movement to the higher ARC placement is updated.

  • If the employee’s employment history is not updated within 30 calendar days from the date the proof of renewal of certification was provided to the PS/HR Transactions Manager/IPO, the NPTA shall elevate the item to the HR Transactions Manager/RPA/IPO for follow-up.

Policy

• Employees in classifications that require licenses, specified certifications, or registrations as a condition of employment are required to maintain a current and active license, certification, or registration for continued employment. An employee who does not maintain the required license, certification, or registration as described in the applicable State Personnel Board Specification shall be subject to Non-Punitive Termination for failure to meet conditions of employment in accordance with California Government Code (GC) Section 19585. Such employees shall not be placed on an unpaid leave of absence, demoted, transferred, redirected to a non-patient care assignment, or be required to use leave credits. 

• NOTE: Not all certifications expire. Only certifications with an expiration date are required to be current and active.

Purpose

• The purpose of this policy is to outline the processes that shall be followed when an employee’s license, certification, or registration is due to expire, or when the employee fails to renew a required license, certification, or registration including, but not limited to:

• Tracking license, certification, or registration expiration dates.

• Sending courtesy reminders to affected employees.

• Serving a Non-Punitive Termination.

• Withdrawing a Non-Punitive Termination (if necessary).

Responsibility

• Headquarters/Regional Human Resources

  • The headquarters and Regional Non-Punitive Termination Analysts are responsible for the following processes:

    • Tracking/monitoring employee license, certification, or registration expiration dates in coordination with the Credentials Verification Unit (CVU).

    • Ensuring employee licenses, certifications, or registrations are current and active.

    • Monitoring changes in an employee’s license, certification, or registration status affecting their ability to provide patient care.

    • Sending courtesy reminders to affected employees.

    • Serving Non-Punitive Termination notices.

    • Withdrawing a Non-Punitive Termination (if necessary).

    • Monitoring employee certification status and expiration dates, and conducting monthly audits with the assistance of Management Information Retrieval System reports which Position Control provides to Human Resources (HR) personnel staff and managers monthly.

  • The Staff Services Manager I who manages the Non-Punitive Termination Analyst (NPTA) is responsible for reviewing the monthly audits conducted by the NPTA.

  • Regional Personnel Administrators and the Associate Director, Classification and Pay/Transactions and Benefit Services, or designees, are responsible for conducting quarterly audits to ensure compliance with the expired license, certification, or registration and the certification process.

• Licensed/Certificated Employees

  • Licensed/certificated employees affected by this policy are responsible for providing proof of current and active license/certification at time of appointment and, thereafter, timely license/certification renewal.

    • NOTE: Failure of CCHCS HR staff to provide a license/certification expiration courtesy reminder to an employee does not relieve the employee of the obligation to maintain a current and active California license/certification.

  • All licensed/certificated employees are responsible for notifying the Hiring Authority and CVU, if applicable, of any license/certification status change (e.g., denial, expiration, revocation, suspension, probationary status, restrictions).

    • NOTE:  Employees whose license/certification expired while on long-term sick leave receive a Return from Leave License Expiration Notice, indicating they are required to renew their license/certification before returning to work.  If an employee is on approved leave, CCHCS Office of Legal Affairs shall be consulted about whether it is appropriate to serve a Non-Punitive Termination.

Permissive Reinstatement After Non-punitive Termination

• An employee who is non-punitively terminated is eligible for permissive reinstatement pursuant to GC, Section 19140, if the employee obtains the required license, certification, or registration for employment. Reinstatement is subject to Re-employment and State Restriction of Appointments laws, rules, and policies.

Policy

• California Correctional Health Care Services (CCHCS) and Division of Health Care Services (DHCS), California Department of Corrections and Rehabilitation (CDCR) shall comply with Family and Medical Leave Act (FMLA), California Family Rights Act (CFRA), Fair Employment and Housing Act (FEHA), Code of Federal Regulations, California Government Code (GC) Section, California Code of Regulations, Bargaining Unit (BU) Memoranda of Understanding (MOU) provisions, and state policy regarding leave of absence (LOA).  State employees are eligible for various types of LOA pursuant to GC, respective MOU (if subject to collective bargaining), and federal and state laws.  This policy supplements the Health Care Department Operations Manual, Section 5.2.6, Leave of Absence, and provides more detailed information regarding job protections and benefits afforded by the FMLA, CFRA, and Pregnancy Disability Leave (PDL) pursuant to the FEHA.

Purpose

• To ensure consistent application of laws, regulations, and BU MOUs relating to FMLA, CFRA, PFL, and PDL.

Procedure

• The coordination of leave entitlements afforded to a state employee can be very complex; therefore, employees are advised to contact their Human Resources office for assistance.

• FMLA, CFRA, PFL, and PDL Eligibility Criteria

  • To be eligible for FMLA and CFRA job protection and benefits, a state employee shall:

    • Have worked for the state for at least 12 months.

      • NOTE: The 12 months of employment do not have to be consecutive.

    • Have physically worked at least 1,250 hours during the 12-month period immediately preceding the commencement of the leave.

      • NOTE:  Overtime, Military Leave, Administrative Time Off (ATO), and hours restored pursuant to GC, Section 19584, any administrative order, and a settlement agreement in any court or administrative forum are considered time worked for FMLA and CFRA qualification purposes.  Time off utilizing leave credits (e.g., vacation, sick leave, furlough) are not considered time worked for FMLA and CFRA qualification purposes.

  • To be eligible for PFL, a state employee shall:

    • Be covered by SDI.

    • Have earned at least $300 in the past 5 to 18 months.

    • Submit PFL claim within 41 days from the date the family leave begins.

      • NOTE: Do not file before the first day of leave.

    • Only claim 8 weeks of benefits per 12-month period.

  • All employees who are disabled due to pregnancy and childbirth are entitled to PDL. Unlike FMLA and CFRA, there is no 1,250 minimum hours worked or length of employment eligibility requirement for PDL.

• FMLA,CFRA, and PDL Entitlement

  • An FMLA and CFRA leave eligible employee may take up to a total of 12 work weeks of unpaid leave during any 12-month period for one or more of the following reasons:

    • The birth and care of a newborn child of the employee within one year of birth.

    • The placement of a child for adoption or foster care with the employee and to care for the newly placed child within one year of placement.

    • Care for a family member (spouse, child, parent, registered domestic partner, grandparents, grandchildren, and siblings as well as for the child of a domestic partner) with a serious injury or illness in accordance with CFRA expansion.

      • NOTE: Parents who are both employed by the state are each entitled to 12 workweeks of family leave for a., b., c. above.

    • A serious health condition that makes the employee unable to perform the essential functions of their job.

    • A qualifying exigency arising out of the fact that the employee’s spouse, domestic partner, child, or parent is a covered military member on “covered active duty” or a reservist who faces a recall to active duty, if a “qualifying exigency exists.”

    • Caring for a spouse, child, parent, or next of kin who is a “covered service member” injured while serving in the military. Employees are eligible for up to 26 weeks of military caregiver leave to care for a covered service member with a serious injury or illness.

  • An employee disabled by pregnancy or childbirth is entitled to up to 4 months of PDL. PDL is paid for the first four weeks before the baby is born, then six weeks after the birth. Upon exhaustion of the paid benefit, the employee shall use PFL, if eligible.

  • PDL runs concurrently with FMLA leave; however, it is a separate entitlement from leave taken pursuant to CFRA.

• Notice Requirements

  • Employees applying for FMLA, CFRA, or PDL job-protected leave are required to provide a 30-day advance notice to their manager or supervisor of their need to take FMLA, CFRA, or PDL leave, when the need is foreseeable and such notice is practicable.  If 30 days’ notice is not foreseeable (e.g., not knowing when leave will be required to begin, a change in circumstances, or a medical emergency), employees shall give as much notice as possible of their need for leave.

• Medical Certification Requirements

  • Employees who request leave for themselves or to care for a family member shall provide written certification for the eligible individual with a serious health condition. If the leave is for the employee’s own serious health condition, the certification shall include a statement that the employee is unable to work at all or is unable to perform the essential functions of their position.

  • Employees shall be required to provide updated certification each time the certification on file is expired based on the dates provided by the health care provider or as often as every six months in conjunction with an absence.

• Use of Leave Credits

  • An eligible employee may use their paid accrued leave (e.g., vacation, annual leave, personal leave), during a qualified FMLA, CFRA, or PDL event with no limitation; however, sick leave may only be used in accordance with the applicable collective BU MOU agreement or applicable civil service laws, rules, and state policies.  Whether an employee chooses to use paid accrued leave credits during their FMLA, CFRA, or PDL-qualifying absence or not, CCHCS shall count this leave against the employee’s protected leave entitlements under the law.

  • If the leave is FMLA, CFRA, or PDL-qualifying, no limitation shall be placed on the employee’s use of accrued vacation, annual leave, or personal leave credits.

  • CCHCS is responsible for designating an employee’s use of leave credits as qualifying FMLA, CFRA, or PDL leave, based on information received from the employee.

• Maintenance of Health Benefits

  • FMLA and CFRA

    • The state shall maintain health, dental, and vision insurance coverage under “any group plan” for an employee on FMLA and CFRA-qualifying leave whenever such insurance was provided before the leave was taken, and on the same terms as if the employee had continued to work.

    • Accounts receivables shall be established for the employee’s share while the employee is on unpaid leave and collected upon the employee’s return. In some instances, the employer may also recover the employer’s share of the premiums paid to maintain health coverage for an employee who fails to return to work for reasons unrelated to the original reason for the leave.

  • PDL

    • The state is required to maintain up to four months of health, dental, and vision insurance coverage for employees who are disabled due to pregnancy, childbirth, or a related medical condition.  The time period that benefits are continued under FMLA and CFRA cannot be used to satisfy this requirement of PDL.  In other words, the benefit continuation requirement under CFRA does not begin until the benefit continuation requirement under FMLA and PDL has been fulfilled.

• Calculation of Leave Usage

  • When an employee takes leave on an intermittent or a reduced work schedule, only the amount of leave actually taken may be counted towards the employee’s leave entitlement.  The actual workweek is the basis of leave entitlement.

  • Where an employee takes leave for less than a full workweek, the amount of leave used is determined as a proportion of the employee’s actual workweek.  Time that an employee is not scheduled to report for work may not be counted towards the leave entitlement.

  • Mandatory overtime hours that are not worked by the employee because of an FMLA, CFRA, or PDL-qualifying reason shall be considered leave (counted) for the purpose of calculating the employee’s remaining leave entitlement.  The PFL benefit amount is calculated from the employee’s highest quarterly earnings over the past 5 to 18 months, before the start of their claim. The Employment Development Department has an online Disability Insurance and Paid Family Leave Calculator.

  • However, if overtime hours are worked on an “as needed basis” and are not part of the employee’s usual or normal workweek, such voluntary overtime hours not worked due to an FMLA, CFRA, or PDL-qualifying reason, shall not be counted.

• Reinstatement Rights

  • Upon return from FMLA, CFRA, and PDL leave, an employee is entitled to be returned to the same or comparable position the employee held when the leave commenced or to an equivalent position with equivalent pay, benefits, and other terms and conditions of employment, except in limited circumstances unrelated to the leave (such as layoffs).

  • As a condition of reinstatement of an employee whose leave was due to the employee’s own serious health condition, which made the employee unable to perform their job, the employee shall obtain and present a fitness for duty certification from the health care provider that the employee is able to resume work. Failure to provide such certification shall result in denial of reinstatement.

• Military Caregiver Leave and Qualifying Exigency Leave Under FMLA

  • Military Caregiver Leave (MCL) and Qualifying Exigency Leave (QEL) expand FMLA rights by providing military families with two additional types of FMLA entitlements.  The law contains provisions regarding:

    • Employer coverage

    • Employee eligibility for the law’s benefits

    • Entitlement to leave

    • Maintenance of health benefits during leave

    • Job restoration after the leave

    • Notice and certification of the need for FMLA leave

    • Protection for employees who request or take FMLA leave

  • The law also requires employers to keep certain records, such as a copy of military orders, copy of a meeting announcement, appointment, or a copy of a bill for service.

• Military Caregiver Leave

  • Eligible employees are entitled to take up to 26 workweeks of unpaid job-protected leave in a 12-month period to care for a covered service member with a serious illness or injury incurred in the line of active duty.  This leave may be taken intermittently or on a reduced schedule basis when medically necessary.

  • Employees who are eligible for MCL include the covered service member’s:

    • Parent

    • Spouse

    • Child

    • Next of kin in the following priority order:

      • Custodial blood relatives

      • Siblings

      • Grandparents, aunts, uncles, and first cousins

      • Family members sharing the same relationship (e.g., siblings) shall all be considered next of kin and each will be entitled to leave for caregiving.  However, a husband and wife who are FMLA-eligible and work for the same employer may be limited to a combined total of 26 workweeks of caregiver leave.

    • MCL is not in addition to the 12 workweeks of FMLA leave normally available to eligible employees but is aggregated with all other types of FMLA-qualifying leave during the applicable 12-month period, provided that the employee may not take more than 12 workweeks of leave for any other FMLA-qualifying reason during this period.  For example, in a single 12-month period, an employee could take 12 weeks of FMLA leave to care for a newborn child and 14 weeks of MCL, but could not take 16 weeks of leave to care for a newborn child and 10 weeks of MCL.

    • The 12-month period begins on the day the employee begins MCL and ends 12 months thereafter.

    • Because MCL is available on a per service member per injury basis, an eligible employee may be entitled to take more than one such leave during the course of their employment to care for different service members or for the same service member with a subsequent injury or illness.  In such circumstances, MCL is still limited to no more than 26 workweeks during the applicable period.

    • A certification form is required to be completed by either:

      • US Department of Defense (DOD) health care provider

      • US Department of Veterans Affairs health care provider

      • DOD TRICARE network authorized private health care provider

      • DOD non-network TRICARE authorized private health care provider

• Qualifying Exigency Leave

  • The military family leave provisions of the FMLA entitle eligible employees of covered employers to take FMLA leave for any “qualifying exigency” arising from the foreign deployment of the employee’s spouse, son, daughter, or parent with the Armed Forces or to care for a service member with a serious injury or illness if the employee is the service member’s spouse, son, daughter, parent or next of kin.

  • QEL may be taken for any qualifying exigency arising out of the fact that a covered military member is on active duty or called to active duty status.  Employees who are family members of a covered military member shall be entitled to take up to 12 workweeks of FMLA leave for “qualifying exigencies” during the 12-month period established by the employer for FMLA leave.

  • Covered active duty means:

    • A member of the Regular Armed Forces, duty during deployment of the member with the Armed Forces to a foreign country; or

    • Members of the Reserve components of the Armed Forces (members of the National Guard and Reserves), duty during deployment of the member with the Armed Forces to a foreign country under a call or order to active duty in support of a contingency operation.

      • NOTE: Deployment to a foreign country includes deployment to international waters.

  • This leave may be taken intermittently or on a reduced leave schedule basis and may be counted against the employee’s 12 workweek FMLA entitlement.  However, because QEL is an FMLA-qualifying reason for leave, an eligible employee may take all 12 workweeks of their FMLA leave entitlement as QEL, or the employee may take a combination of 12 workweeks of leave for both QEL and leave for a serious health condition.

  • If the need for leave is foreseeable, the employee shall provide notice as soon as practicable, regardless of how far in advance the leave is being requested.

  • A separate certification form is used in connection with this leave.  As part of the certification process, the employee is required to provide copies of their military orders or other military documentation, facts regarding the exigency, dates of active duty service, and approximate date on which the qualifying exigency commenced or will commence.

  • QEL is not available to family members of service members who are in the Active Regular Armed Forces.  It is available only to family members of service members of the reserve components (Army National Guard, Army Reserve, Navy Reserve, Marine Corps Reserve, Air National Guard Reserve, Air Force Reserve, and Coast Guard Reserve) or retired service members of the Active Regular Armed Forces or Reserves.

  • An employee is entitled to use QEL for the following purposes (These are further defined in FMLA regulations.):

    • Issues arising from short-notice deployment (i.e., deployment on seven or less days of notice).

    • Military events, official ceremonies, or programs related to active duty or call to activity duty status of a covered service member.

    • Childcare and school activities

    • Financial or legal arrangements

    • Counseling

    • Rest and recuperation leave during deployment. Eligible employees may take up to 5 days of leave for each instance of rest and recuperation.

    • Post-deployment activities (e.g., arrival ceremonies and reintegration briefings)

    • Additional activities agreed upon by the employer and employee

Policy

• California Correctional Health Care Services (CCHCS) staff shall submit an Information Security Incident Report (ISIR) via a Solution Center ticket, to Local Information Technology (IT) staff within three days of identifying a lost or stolen IT asset.

Applicability

• This policy applies to all CCHCS staff, contracted personnel, volunteers, and vendors utilizing IT assets.

Procedure

•  Attempting to Locate Lost IT Assets

  • Staff shall search the surrounding area where the IT asset was last assigned/seen.

  • Staff shall inform their supervisor or manager that the IT asset is missing to determine if others may be aware of the asset being moved to another location. If still unable to locate the IT asset after notifying supervisor or manager, staff shall follow the process as outlined in Section (c)(3), Reporting Lost or Stolen IT Assets.

• Determining IT Asset Disposition

  • Local IT shall:

  • Determine the IT asset disposition by checking all applicable databases and network activity of the IT asset, per the Information Technology Services Division (ITSD) Lost and Stolen IT Assets Procedure.

  • Widen the search of the surrounding area (arrange with California Department of Corrections and Rehabilitation/CCHCS Program Supervisors):

    • Notify the Chief Executive Officer or CCHCS site leadership to perform site-wide CCHCS physical inventory (local IT staff will provide asset information to site leadership and inform them of all activities performed to locate missing asset).

    • If the IT asset is lost/stolen at an institution:

      • Notify the Watch Commander, Investigative Services Unit, and Warden of the missing IT asset

      • Provide the asset tag number and model.

      • CCHCS Local IT staff shall assist program staff with physical inventory of equipment, if needed.

• Reporting Lost or Stolen IT Assets

  • Staff shall obtain a local law enforcement report to complete required notifications for stolen IT assets.

    • In the event an IT asset is stolen on state property, the local law enforcement agency is the California Highway Patrol (CHP). The Department of General Services STD. 99, Report of Crime or Criminally Caused Property Damage on State Property, form is required in the event CHP is involved.

  • Staff shall notify local IT immediately via a Solution Center ticket when an IT asset is determined lost/stolen. Local IT shall assist, as necessary, in documenting the following information within the ticket:

    • If IT Asset is determined stolen:

      • Name of the local law enforcement department reported to.

      • Report number.

      • If crime occurred on state property, complete the STD. 99 and notify the nearest CHP office. Return the completed STD. 99 form to the Information Security Office (ISO).

    • Phone number of the device (if applicable).

    • Model of the device.

    • Serial number of the device.

    • Asset tag number of the device.

    • Last location of the IT asset.

    • Did it contain sensitive, confidential, or Protected Health Information?

    • If capable, was the IT asset password/PIN protected?

    • Include the ISO on the Solution Center ticket. The ISO shall add pertinent information to the ticket.

  • Within three business days, and once determined appropriate to do so, Local IT shall direct staff to complete the CCHCS ISIR, located on the Information Security page of Lifeline under “Information Security Reporting Procedure, How to Report an Information Security Event”.

    • The completed ISIR shall be attached to the Solution Center ticket.

  • Local IT staff shall send notification containing the above information to appropriate parties, per the ITSD Lost and Stolen IT Assets Procedure.

  • For mobile phones, local IT shall attempt to locate the phone per the ITSD Lost and Stolen IT Assets Procedure.

  • If an IT asset was lost/stolen in an institution, the local hot trash custody processes shall be followed for any components that are missing.

• Finding a Lost/Stolen IT Asset

  • If a lost/stolen IT asset is found, local IT shall:

  • Update and resolve the CCHCS Solution Center ticket.

  • Notify all parties involved.

  • Update the IT asset disposition in all applicable locations.

Policy

• California Correctional Health Care Services (CCHCS) staff shall ensure all CCHCS cameras, camera-enabled devices, and video monitoring equipment on state grounds are for health care purposes only including, but not limited to, taking photographs or conducting Telemedicine, Telepsychiatry, or Telepsychology encounters. 

Purpose

• To safeguard confidential information and reduce opportunities for harassment, unauthorized disclosure and distribution, CCHCS regulates the use of electronic equipment used to capture or store images such as smart phones, video equipment, cameras, tablets, handheld scanners, and flash drives.

Responsibilities

• The Hiring Authority, or designee, shall approve the use of state-issued cameras, camera-enabled devices, and video monitoring equipment in advance.

• The CCHCS Deputy Director of Communications and Institution Public Information Officer shall be consulted for the added supervision or security arrangement when media’s use of cameras or video-enabled devices are to be accommodated.

• The Information Technology Services Division is responsible for managing the procurement, architecture, data communication network, implementation, access control, ongoing hardware and software support contracts and licensing for the camera-enabled audio or video systems.

Procedure

• Usage

  • CCHCS authorizes the use of cameras or video-enabled devices for:

    • Conducting state business;

    • Facilitating the delivery of health care related instruction;

    • Providing patients with access to care;

    • Monitoring and improving patient outcomes (e.g., wound care, Root Cause Analysis, Performance Improvement Work Plans).

  • Employees shall not use cameras or video-enabled devices to create or convey offensive, harassing, vulgar, obscene, or threatening images or communications.  Similarly, transmitting sexually oriented messages, videos or images at work using camera-enabled devices is forbidden pursuant to Department Operations Manual (DOM), Section 31010.5, Conduct Violations; and Section 31010.6, Sexual Harassment Violations.  Camera-enabled devices on CCHCS premises or at state-sponsored events shall not be used to defame, embarrass, or disparage the state, employees, patients, customers, or vendors, or be used to video record or photograph privileged or confidential material.

• Guidelines

  • All CCHCS mobile devices (includes laptops and tablets) shall be issued with the camera enabled as the default setting.

  • Any photography or video recording within an institution, where patient images or videos may be captured, shall be handled pursuant to DOM Section 13010.17, Photographs, Films, and Videotapes.

  • Cameras or video-enabled devices with lens covers shall remain closed when the camera is not in use.

  • The staff working in clinical settings shall obtain written consent from the patient being photographed or video recorded.

    • The CDCR 7120, Informed Consent for Clinical Photography/Digital Imaging, shall be completed and scanned into the health record for each patient.

    • If the patient is unable to provide consent, staff shall document that on the CDCR 7225, Refusal of Examination and/or Treatment, for clinical documentation purposes.

  • Employees shall report any violations of this policy to their supervisor in writing.  Any images or videos taken on CCHCS property using CCHCS equipment are considered state property.  Any images or videos found in violation of this policy are subject to confiscation.  Violation of this policy may result in discipline, up to and including termination of employment.

• Unauthorized Disabling or Tampering

  • Unauthorized disabling of or tampering with installed cameras or video-enabled devices shall be cause for disciplinary action.

Policy

• California Correctional Health Care Services (CCHCS) shall maintain standards and requirements regarding approval, distribution, and acceptable use of CCHCS-issued mobile phones.  CCHCS staff and contracted personnel that are issued a CCHCS mobile phone to conduct official state business shall abide by the procedure and guidelines stated herein.

Applicability

• This policy applies to all CCHCS staff and contracted personnel.

Responsibilities

• The hiring authority (HA), or designee, is responsible for approving requests to issue mobile phones and to ensure appropriate usage of the phone.

• The Information Technology Services Division (ITSD) is responsible for issuing mobile phones.

• The ITSD is responsible for managing the procurement, architecture, data communication network, access control, and ongoing hardware and software support contracts for the mobile phones.

Procedure

• Requesting a New Mobile Phone

  • All requests for mobile phones shall be submitted through a Solution Center ticket:

    • By, or on behalf of, the Chief Executive Officer (CEO) or HA, or

    • With an attached email of approval from the CEO or HA.

  • By approving the mobile phone request, the CEO, HA, or designee, acknowledges approval to incur monthly charges for the phone line in their institutional or program budget.

• Transferring a Mobile Phone

  • The CEO or HA may request the transfer of a mobile phone between staff in the same CCHCS institution or program and billing unit by submitting a request through the Solution Center.  The ITSD is responsible for completing the transfer request following the CCHCS IT Asset Transfer Process.

• Deactivating and Returning a Mobile Phone

  • Following the CCHCS Employee Separation Process, when staff with a CCHCS-issued mobile phone separate from CCHCS, the supervisor shall submit a ServiceNow request to deactivate the device prior to the separation date. The supervisor shall ensure the mobile phone is returned to the ITSD.

  • The IT Desktop Support technician shall update the ServiceNow request when the phone is received.

• Security

  • Physical Security

    • CCHCS mobile phone users shall take reasonable steps to prevent damage or loss to the mobile phone.

    • Mobile phones shall not be left unattended and be stored securely in a locked location when not in use.

    • Staff shall follow all applicable regulatory and traffic laws while using the mobile phone.

  • Data Security

    • CCHCS mobile phone users shall:

      • Take reasonable steps to protect the mobile phone from cybersecurity threats and attacks.

      • Use a passcode to protect the mobile phone.

      • Ensure automatic software updates are turned on and mobile phones are updated to the most current software operating system to ensure access to new software patches.

• Lost, Stolen, or Damaged Mobile Phone

  • Staff shall follow the procedure documented in the Health Care Department Operations Manual (HCDOM), Section 5.3.1, Lost and Stolen Assets.

  • Report all possible security incidents (e.g., lost or stolen information or mobile phone) as detailed on the Information Security Office SharePoint site.

  • Staff shall report any damage to their mobile phone immediately by submitting a ticket to the IT Solution Center.

• Usage and Restrictions

  • CCHCS-issued mobile phones shall be used for CCHCS business only pursuant to HCDOM, Section 5.3.15, Acceptable Use.

  • All CCHCS mobile phones are issued with the camera enabled. Mobile phone users shall adhere to the HCDOM, Section 5.3.2, Camera Use, when utilizing the camera.

  • Only CCHCS-approved applications may be downloaded from the CCHCS Catalog on mobile phones.

  • CCHCS mobile phone users shall not change any configurations or standard features.

  • Any unauthorized disabling of or tampering with configuration or installed software shall be subject to corrective or disciplinary action in accordance with CCR, Title 15, Section 3392, et seq. and Department Operations Manual, Chapter 3, Article 22, Employee Discipline, Sections 33030.8, 33030.9, 33030.15.

  • Employees shall report any violations of this policy to their supervisor.

• Shared Usage

  • Mobile phones may be assigned to an individual for use on a shared basis for a designated function by a CCHCS service unit.

  • In the instance a mobile phone is used on a shared basis, it shall be assigned to the person responsible for the group, and this individual shall be accountable for the device.

Policy

• Any use of digital signature technology within California Correctional Health Care Services (CCHCS) must comply with all requirements stated in the California Government Code Section 16.5 and California Code of Regulations, Title 2, Division 7, Chapter 10, Digital Signatures. This information can be reviewed at:   https://www.sos.ca.gov/administration/regulations/current-regulations/technology/digital-signatures/government-code-16-5 and https://www.sos.ca.gov/administration/regulations/current-regulations/technology/digital-signatures.

  • Digital Signature Usage

    • The use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it embodies all of the following attributes:

      • It is unique to the person using it.

      • It is capable of verification.

      • It is under the sole control of the person using it.

      • It is linked to data in such a manner that if the data are changed, the digital signature is invalidated.

  • Authorized Digital Signature Solutions

    • CCHCS authorizes the use of only Public Key Infrastructure (PKI) digital certificate based digital signature technology for the purposes of applying a digital signature to electronic forms or documents.

  • Approved PKI Solutions

    • All PKIs that are used to produce digital certificates to create digital signatures for official CCHCS transactions must be approved by the California Secretary of State.  The approved list of PKI vendors can be found at: https://www.sos.ca.gov/administration/regulations/current-regulations/technology/digital-signatures/approved-certification-authorities/.

  • Approved Digital Certificate Algorithms

    • Digital certificates that are intended to apply digital signatures must comply with FIPS 186-2 standards.  FIPS 186-2 requires that one of the following digital signature (ds) algorithms by employed: Digital Signature Algorithm (DSA), RSA (Rivest, Shamir and Adleman), or ECDSA (Elliptical Curse Digital Signature Algorithm).

Purpose

• This policy is intended to detail the requirements for the developing and/or using digital signature technology with CCHCS systems and data.

Applicability

• This policy applies to all CCHCS Information Technology (IT) assets and/or anyone that accesses or uses any CCHCS IT asset.

Responsibility

• All CCHCS Employees and Contractors are responsible for:

  • Reviewing and understanding this policy as it relates to their job role and responsibilities

  • Complying with all policy provisions

  • Communicating any risks or issues associated with the effectiveness of this policy and/or its enforcement to the CCHCS Office of Information Security (OIS)

  • Immediately reporting any known areas of non-compliance to the CCHCS OIS

• Information Security Officer (ISO) is responsible for:

  • Authoring and enforcing this CCHCS Information Security Policy

  • Developing a performance metric to help articulate the organizational value of this policy and its effectiveness

  • Reporting policy performance metrics to the Chief Information Officer (CIO)

  • Managing the annual enterprise information security policy update process and ensuring tasks are completed effectively and on time

• Organizational Unit Managers are responsible for:

  • Reviewing and understanding this policy as it relates to the objectives and operations of their organizational unit

  • Continually assessing the effectiveness of this policy as it relates to their organizational unit’s objectives and operations and reporting any issues or risks to CCHCS’s ISO

  • Promoting policy awareness, understanding, and compliance within their organizational business unit

  • Immediately reporting any known areas of non-compliance to the CCHCS OIS

• CIOs are responsible for:

  • Reviewing and approving this policy

  • Promoting policy awareness, understanding, and compliance throughout the organization

  • Ensuring necessary resources are provided to support policy development, implementation, and compliance efforts

Procedure

• Digital Certifcates

  • Digital Certificate Storage: CCHCS requires that all digital certificates that will be used for digital signatures must be stored on a FIPS 140-2 certified Smart Card device.  The Smart Card must also be configured to require a  PIN to access the digital certificate stored on the Smart Card.

  • Certificate Revocation Verification: Prior to applying a digital signature to an electronic document, the validity of the digital certificate used to apply the digital signature must be verified by performing a Certificate Revocation List (CRL) lookup.

  • CRL Publishing: Any PKI deployed to support digital signature must update the associated CRL to an Internet accessible HTTP website at least once every 24 hours.

  • Identity Proofing Requirements for Digital Certificate Requests: All CCHCS employees or contractors that require a digital certificate to apply a digital signature for CCHCS transactions must have their identity verified to ensure the requester is who he or she claims to be.   CCHCS requires the verification process to include at least one in-person or face-to-face meeting whereby the requester presents an official U.S. Government, Military, or State identification card to a CCHCS agent authorized to verify identity prior to receiving the digital certificate.  If electronic verification is used as part of the ID proofing process the requester must be assigned a unique username and must be challenged to provide knowledge of a secret password that is known only by the requester.

• Use and Application of Digital Signatures

  • Authorized Users of Digital Signature

    • Only users formally authorized by CCHCS management to use digital signature technology can apply a digital signature to a CCHCS IT asset.  Formal authorization can be achieved by completing a Digital Signature Request form, having it signed by designated CCHCS management, and having it stored on file for audit retrieval purposes.  The Digital Signature Request form is available through CCHCS IT Division.

  • Authorized Usage of Digital Signature

    • Digital signatures can only be used with those IT assets that have been formally authorized by CCHCS management for use with digital signature technology.

  • Applying a Digital Signature

    • When applying a digital signature, controls must be in place to ensure user credentials are valid and verified.  Controls must also be in place to ensure all communications between the application and the Smart Card containing the digital certificate are appropriate secured and encrypted.

  • Lost or Stolen Smart Cards

    • All lost or stolen Smart Cards must be reported to the ISO immediately and no longer than 24 hours from the time it is recognized the Smart Card is missing.

• Enforcement, Auditing, and Reporting

  • Violation of CCHCS’s enterprise information security policies by an employee or contractor may result in immediate revocation of access rights to CCHCS’s IT assets.  Additionally violations of security policies are subject to disciplinary action.  The specific disciplinary action that shall be taken depends upon the nature of the violation and the impact of the violation on the CCHCS’s information and/or data assets and related facilities. A partial list of potential disciplinary actions follows:

    • Written reprimand 

    • Suspension without pay 

    • Reduction in pay 

    • Demotion 

    • Dismissal 

    • Criminal prosecution (misdemeanor or felony, State or federal).

  • CCHCS reserves the right to consider legal remedies, or prosecution, against any person or entity for violations of any Law or regulatory compliance matter.

Review and Approval

• This policy is approved by CCHCS’s CIO and will remain authorized and enforceable until replaced by an updated version.  This policy will be reviewed annually by CCHCS’s ISO to ensure that it stays current.  Changes to this policy will only be applied by CCHCS’s ISO.  All CCHCS employees and contractors may submit suggested changes for the policy to the ISO in writing.  The ISO may use the suggestions as part of the annual policy review and update process.  The primary dissemination vehicle for the CCHCS Information Security Policies will be the CCHCS Intranet.

Resources

• For questions or clarification please contact CCHCS OIS at CCHCS-ISO@cdcr.ca.gov.

Policy

• California Correctional Health Care Services (CCHCS), Information Technology Services Division (ITSD) shall retain all sent and received electronic mail (e-mail) from the CCHCS E-mail System regardless of whether it has been opened or not, for a period of three years.  E-mail messages are subject to federal and state laws.

Purpose

• The purpose of this policy is to establish parameters to effectively capture, manage, and retain e-mail messages.  Policy guidelines cover information that is either stored or shared via e-mail, including e-mail attachments.

Applicability

• This policy applies to all CCHCS staff utilizing the CCHCS E-mail System network.

Responsibility

• CCHCS’s Chief Information Officer shall authorize and enforce this policy.

• Organizational users shall review, understand, and comply with this policy.

• ITSD shall ensure adequate processes and procedures are in place to comply with policy directives.

Control and Maintenance

• If litigation is pending or future litigation is reasonably probable, the law imposes a duty upon CCHCS to preserve all documents and records that pertain to the litigation.  A litigation hold directive overrides any retention policy until the litigation has been cleared.

• This policy specifies the period for which CCHCS ITSD shall retain e-mails but does not supersede the record retention schedule of any area of CCHCS. Each area of CCHCS is responsible for ensuring retention of records in compliance with that area’s own record retention schedule.

• This policy shall be reviewed annually by CCHCS ITSD to ensure compliance with federal and state law. 

• CCHCS employees and contractors may submit inquiries regarding the policy to ITSD by submitting an Information Technology Solution Center ticket.

Policy

• California Correctional Health Care Services (CCHCS) has adopted the following principles to govern information security policy development and maintenance.

  • Risk will be identified, assessed, and managed

  • Risk tolerance levels will be constantly recalibrated

  • Accountability over assets will be established

  • Least privilege principle will be used to determine the degree of access

  • Incompatible responsibilities will be separated

  • Information and system integrity, confidentiality and availability will be maintained

  • Personal privacy will be addressed

  • Ethical behavior will be practiced

  • IT Systems will be compliant with all applicable legal, statutory, and regulatory requirements

Purpose

• Information security policies express CCHCS management’s requirements for appropriately protecting enterprise Information Technology (IT) assets.  Information security policies are meant to address all applicable organizational, business, legal, and regulatory information security requirements that are necessary to help ensure the confidentiality, integrity, and availability of CCHCS’s IT assets.   The objective of this policy is to explain the process used to develop and maintain CCHCS information security policies.

Applicability

• This policy applies to all CCHCS IT assets and/or anyone that accesses or uses any CCHCS IT asset.

Responsibility

• All CCHCS Employees and Contractors are responsible for:

  • Reviewing and understanding this policy as it relates to their job role and responsibilities

  • Communicating any risks or issues associated with the effectiveness of this policy and/or its enforcement to the CCHCS Office of Information Security (OIS)

  • Immediately reporting any known areas of non-compliance to the CCHCS OIS

• ISO is responsible for:

  • Authoring and enforcing this CCHCS information security policy

  • Developing a performance metric to help articulate the organizational value of this policy and its effectiveness

  • Reporting policy performance metrics to the Chief Information Officer (CIO)

  • Managing the annual enterprise information security policy update process and ensuring tasks are completed effectively and on time

• Organizational Unit Managers are responsible for:

  • Reviewing and understanding this policy as it relates to the objectives and operations of their organizational unit

  • Continually assessing the effectiveness of this policy as it relates to their organizational unit’s objectives and operations and reporting any issues or risks to CCHCS’s ISO

  • Promoting policy awareness, understanding, and compliance within their organizational business unit

  • Immediately reporting any known areas of non-compliance to the CCHCS OIS

• CIO is responsible for:

  • Reviewing and approving this policy

  • Promoting policy awareness, understanding, and compliance throughout the organization

  • Ensuring necessary resources are provided to support policy development, implementation, and compliance efforts

Procedure

• Information Security Policy Development

  • By the final business day of January each year, CCHCS CIO will appoint an Information Security Policy Review (ISPR) Committee.  The ISPR Committee must include sufficient members to appropriately represent the enterprise in an effective and efficient manner.  This committee will be accountable for representing and addressing information security policy development and maintenance activities. Each member will be accountable for ensuring their organizational unit’s information security policy requirements are addressed.  CCHCS’s ISO is responsible for managing the information security policy development process.

• Information Security Policy Review

  • The appointed CCHCS ISPR Committee will meet regularly throughout the first half of the calendar year to assess the effectiveness and efficiency of existing information security policies, develop proposed changes to information security policies, and produce final proposed policy changes to the ISO by the final business day in June.  The ISO will review all proposed policy changes and will produce a final set of recommended policy changes to the CIO by the final business day in July.  The CIO will review the recommended policy changes and will provide his or her final approvals to the ISO by the final business day in August.  The ISO will incorporate all approved policy changes into new policy versions and will manage the iterative release cycle.  The iterative release cycle must ensure proper document versioning and change management procedures to capture any policy changes and provide a repository of previous versions. The iterative release process must also include updating any information security policy education and awareness components and effectively communicating any policy changes to the enterprise user population.  This policy review cycle is outlined in the graphic below.
    

• Information Security Policy Implementation

  • Authorized policy version updates will go into effect starting January 1st of each calendar year.

• Information Security Policy Awareness, Understanding, and Accountability

  • All new CCHCS employees and contractors must sign an information security policy statement of compliance and accountability document before accessing any CCHCS IT assets.  The statement of compliance and accountability document is meant to indicate that a signee: a) is aware of CCHCS’s information security policies, b) understands how to comply with CCHCS’s information security policies, and c) is accountable for ensuring compliance with CCHCS information security policies.  In addition to the original signing of the statement of compliance and accountability, all CCHCS employees and contractors must resign the statement of compliance and accountability annually.  Information security policies must be made available to any authorized requestor.

• Enforcement

  • Violation of CCHCS’s information security policies by an employee or contractor may result in immediate revocation of access rights to CCHCS’s IT assets.  Violations of security policies are subject to disciplinary action.  The specific disciplinary action that shall be taken depends upon the nature of the violation and the impact of the violation on the CCHCS’s IT assets and related facilities. A partial list of potential disciplinary actions follows:

    • Written reprimand

    • Suspension without pay

    • Reduction in pay

    • Demotion

    • Dismissal

    • Criminal prosecution (misdemeanor or felony, State or federal)

  • CCHCS reserves the right to consider legal remedies, or prosecution, against any person or entity for violations of any law or regulatory compliance matter.

Review and Approval

• This policy is approved by CCHCS’s CIO and will remain authorized and enforceable until replaced by an updated policy version.  This policy will be reviewed annually by CCHCS’s ISO to ensure that it is current.  Changes to this policy will only be applied by CCHCS’s ISO.  All CCHCS employees and contractors may submit suggested changes for the policy to the ISO in writing.  Upon due consideration, the ISO may use the suggestions as part of the annual review and update of the policy. The primary dissemination vehicle for the CCHCS information security policies will be the CCHCS Intranet.

Resources

• For questions or clarification please contact CCHCS OIS at CCHCS-ISO@cdcr.ca.gov.

Introduction and Overview

• Business functions are highly dependent on secure and stable Information Technology (IT) operating environments. Secure and reliable IT environments are enabled through both maintaining standard configurations and establishing processes and procedures to effectively manage changes to the operating environments.

• The goal of formalized IT change management is to facilitate IT changes as defined in enterprise standards, guidelines, and procedures while minimizing negative impacts to the organization.

• The goal of IT configuration management is to establish, implement, and manage information asset baseline configurations and maintain consistency throughout the system lifecycle.

• This policy establishes California Department of Corrections and Rehabilitation, California Correctional Health Care Services, and California Prison Industry Authority (hereinafter referred to as department) requirement for formal change and configuration management.

Objectives

• The objective for this policy is to establish department requirements for standardized methods and procedures for the management of information asset configurations and changes to department information and technology environments, while integrating security and risk considerations.

Scope and Applicability

• The scope of this policy extends to all State information assets owned and operated by the department, information assets managed by third parties on behalf of the department, and all information assets that process or store department information in support of department services and mission.

• This policy applies to Owners of Information Assets and Information Asset Custodians.

Policy Directives

• The department shall:

• Formally manage all changes to information assets.

• Utilize the Change Control Board, which includes a change advisory board that meets on a regular basis to review changes to information assets.

• Ensure that the change advisory board comprises representation from appropriate stakeholders, and in particular from impacted business areas.

• Ensure that the change advisory board includes formal security representation, and that change management processes formally integrate security evaluations and risk impact assessments in all change activities.

• Establish comprehensive enterprise-wide change management, comprised of supporting processes, workflows, and a centralized repository for all changes, including changes to baseline configurations.

• Establish, implement, and manage department operating baselines for information asset configurations.

• Establish and implement technologies, processes, and procedures to maintain and manage information asset configurations.

• Ensure third parties and contractors are subject to change and configuration management policies, discipline, and practices. Any changes to department information assets proposed by service providers, regardless of whose environment they operate in, shall be governed by department change and configuration management processes.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually and updated accordingly. 

  • Is required to audit and assess compliance with this policy at least once every 2 years.

• Department Information Security Officer (ISO):

  • Shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.

  • Shall ensure that data security controls, methods, and processes meet department and applicable regulatory requirements for security.

• Department Owners of Information Assets and Program Management:

  • In collaboration with the Information Asset Custodians shall ensure that this policy and its directives are implemented and enforced.

• Department Information Asset Custodians:

  • Shall implement configuration and change management technology, process, and workflow controls as approved by Owners of Information Assets.

  • Shall maintain change and configuration management records for a minimum period of 12 months. Secure deletion or destruction of these records shall be in accordance with the records retention schedule.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal.

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with the State of California Government Code section 11549.3.

Revisions

• The CIO or Designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Department information assets are often used to conduct business functions internally as well as with other State and non-department persons and devices on the Internet. Devices used for such department business purposes are comprised of servers, network devices, and end user devices including mobile computers, tablets, and smart phones; such devices are collectively called “endpoints” or “endpoint devices.”  Some department information assets are more prone to loss or theft due to their size, mobility, or location of use.

• The department needs to ensure that endpoints are suitably protected to prevent unauthorized access to data and information that may reside on the endpoints.

Objectives

• Objectives for this policy are to define the requirements to protect department endpoints that may routinely interact with unknown or untrusted devices on the Internet, or that are more susceptible to loss or theft.

Scope and Applicability

• The scope of this policy extends to all State information assets owned and operated by the department, information assets managed by third parties on behalf of the department, and all information assets that process or store department information in support of department services and mission.

• This policy applies to Owners of Information Assets and Information Asset Custodians.

Policy Directives

• The department shall ensure that:

• All department endpoints are identified and endpoint asset inventories are documented and continually updated.

• Risks to individual department endpoint device types and the data they access, process, and store are assessed.

• The requisite endpoint protection controls, as referenced in the Statewide Information Management Manual, are implemented and maintained to mitigate risks to each endpoint.

• Endpoint protection controls include people (asset users), processes, and technology controls.

• Endpoint protection controls are continuously monitored.

• Endpoint protection controls are reviewed at least annually.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually and updated accordingly. 

  • Is required to audit and assess compliance with this policy at least once every 2 years.

• Department Information Security Officer (ISO):

  • Shall assist Owners of Information Assets and Information Asset Custodians with the identification and selection of endpoint protection controls.

  • Shall ensure that endpoint protection controls meet department requirements for security and privacy.

• Department Owners of Information Assets and Program Management:

  • In collaboration with the Information Asset Custodians shall ensure that the endpoint protection controls are defined, documented, and implemented, and that implementation is reviewed annually.

  • In collaboration with the Information Asset Custodians shall ensure the endpoint protection controls commensurate with the sensitivity or criticality of the asset are implemented for assets under their purview.

• Department Information Asset Custodians:

  • Shall implement the requisite endpoint protection controls based upon the sensitivity or criticality of the assets as defined by the Owners of Information Assets.

  • Shall maintain and update endpoint protection technologies based on best practices.

  • Shall maintain records of endpoint protection controls and ensure proper change management.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal.

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with the State of California Government Code section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Information technology environments that support department business functions and services are complex and dynamic computer network environments, which process, manipulate, and store large amounts of data and information. In order to detect unexpected and suspicious activities and events within such complex networks, it is important to continuously monitor computing environments. Continuous monitoring allows the department to rapidly identify anomalous or suspicious activities and events, analyze these events, and respond accordingly.

Objectives

• The objective for this policy is to define department requirements for continuous monitoring of department networks and information assets for signs of malicious use, anomalies, and unexpected behavior and usage patterns.

Scope and Applicability

• The scope of this policy extends to all State information assets owned or operated by the department, and governs the facilities and information assets owned or operated on behalf of the department by business partners and service providers.

• This policy applies to Owners of Information Assets and Information Asset Custodians.

Policy Directives

• The department shall ensure that:

• A strategy for security analytics and continuous monitoring will be defined, documented, and implemented.

• The strategy will be based on security risk management principles in order to determine optimal monitoring locations, methods, and techniques.

• The department’s security analytics and continuous monitoring strategy will be integrated with the department’s security and event logging and monitoring strategy, threat assessments, and security analytics and event correlation.

• The department’s continuous monitoring is linked to incident response management and other department incident management processes.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually, and updated accordingly. 

  • Is required to audit and assess compliance with this policy at least once every 2 years.

• Department Information Security Officer (ISO):

  • Shall assist Owners of Information Assets and Information Asset Custodians with the implementation of this policy.

  • Shall assist Owners of Information Assets and Information Asset Custodians in the analysis and assessment of risks posed by anomalous activities or identified events.

• Department Owners of Information Assets and Program Management:

  • In collaboration with the Information Asset Custodians shall ensure that this policy is implemented and implementation is reviewed annually.

• Department Information Asset Custodians:

  • Shall implement technology and process controls.

  • Shall maintain records of security monitoring controls implemented.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOM Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal.

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with the State of California Government Code section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• This document defines the policy for all servers, physical and virtual, owned or operated by the department.  Effective implementation of this policy minimizes the risk of server vulnerabilities that can result in system unavailability, data corruption, unauthorized access, information and resource misuse, and service disruption.

Objectives

• The objective of this policy is to establish the base configuration of internal server equipment that is owned and operated by the department.  Effective implementation of this policy will minimize unauthorized access to department proprietary information and technology.

Scope and Applicability

• The scope of this policy extends to all information assets owned or operated by the department, including critical infrastructure, as well as information assets owned or operated by third-parties on behalf of the department.

• This policy applies to Owners of Information Assets and Information Asset Custodians.

Policy Directives

• The department shall:

  • Only create server service accounts when necessary.

  • Use the Principle of Least Privileged to limit user access rights to a minimum.

  • Not use administrative accounts (e.g., root, administrator, O365 Global) when a non-privileged account will suffice.

  • Disable/lock/delete all accounts except those required to provide necessary services.

  • Change the default passwords for all accounts and follow password security best practices outlined in Statewide Information Management Manual (SIMM) 5300-A, Org-Defined Standards, (National Institute of Standards and Technology [NIST] IA-5(1)).

  • Limit access to administrative accounts to only those who have operational need and have been authorized.

  • Ensure service accounts are not part of Local Administrators or Domain Administrator accounts.

  • Authorize and document all administrative (privileged) accounts.

  • Encrypt all passwords and all sensitive and confidential data while in transit. Passwords shall adhere to State Org-Defined Policy. (See State Administrative Manual [SAM] 5350.1, SIMM 5300-B and NIST, Special Publications [SP] 800-63B, FIPS 140-2).

  • Authenticate users over encrypted protocols.

  • Log all access to the server and services that are protected through access control methods.

  • Establish and implement controls to ensure that service account functions are authorized using service account credentials only.

• Systems Configuration and Maintenance

  • Servers shall be patched and hardened before attaching them to the network.  Security patches shall be installed on the system not less than monthly. If an intelligence source advises of an imminent threat, patches shall be installed according to documented information technology standards.

  • Servers shall be physically secured in locations accessible only to authorized personnel.

  • Only required services shall be enabled or installed on the server. Services that are not required shall be uninstalled or disabled.

  • Regular back-ups of the server shall be completed according to the back-up and retention policy and tested on a periodic schedule.

• Monitoring

  • The server shall capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes.

  • Security-related events shall be reviewed and investigated. Events include, but are not limited to:

    • Account lockouts

    • Failed user account logins

    • Evidence of unauthorized access to privileged accounts

    • Anomalous occurrences that are not related to specific applications on the server

  • Security incidents shall be handled immediately in accordance with SAM and SIMM and reported to the department Information Security Officer (ISO), the data owners or their designees.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually, and updated accordingly. 

  • Is required to audit and assess compliance with this policy at least once every 2 years.

• Department ISO:

  • Shall assist Owners of Information Assets and information asset custodians in the identification of data security controls and processes.

  • Shall ensure data security controls, methods, and processes meet department and applicable regulatory requirements for security.

  • Shall participate in all incidents involving information security.

• Department Owners of Information Assets and Program Management:

  • In collaboration with the Information Asset Custodians, shall ensure that this policy is implemented and implementation is reviewed annually and as appropriate.

  • Shall audit user access rights and privileges to ensure alignment with individual job roles and functions on an annual or more frequent basis as appropriate.

• Department Information Asset Custodians:

  • Shall review accounts with privileged access no less than semi-annually and verify that continued privileged access is required.

  • In collaboration with Owners of Information Assets, shall ensure the information security control measures are commensurate with the sensitivity or criticality of information assets under their purview.

  • Shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.

  • Shall document, implement, monitor, and maintain data security protection controls based upon the sensitivity or criticality of the assets.

  • Shall develop and implement tools, technologies, processes, and procedures to support, monitor, and maintain data security controls.

  • Shall maintain data security records.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in the California Deparmtent of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with the State of California Government Code section 11549.3.

Revisions

• The CIO or Designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Information assets owned by the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA) are strategic assets intended for official business use, and are entrusted to State personnel and business partners in the performance of their job related duties.

• Access may enable or restrict the ability to do something with a resource. Access control, then, is the selective restriction of these abilities and is comprised of both physical and logical access.

Objectives

• Objectives for this policy are to:

• Enable the development and implementation of a CDCR, CCHCS, and CALPIA (hereinafter referred to as department) identity and access management strategy that comprehensively addresses all access to department information assets.

• Document requirements for the appropriate control and management of physical and logical access to, and the use of department information assets.

• Require the use of appropriate authentication methods based on the type and sensitivity of information assets being accessed.

• Govern the use of privileged access rights, such as those assigned to Administrator and Privileged Accounts.

Scope and Applicability

• This policy applies to all personnel; all information assets owned or operated by the department; and all forms of physical and logical access to department information assets, including using wired, wireless, and remote access network connections. All department personnel shall comply with this policy.

Policy Directives

• Before department Information Technology infrastructure network access, users shall be identified and authenticated.

• Users accessing sensitive or confidential information shall be appropriately provisioned before accessing department owned or operated information assets and associated facilities.

  • In the case of physical access to facilities, where access control is a manual process, authentication shall be accomplished by manual verification of an identity (e.g., photo ID).

• Access to department information assets and associated permissions shall be approved by the respective department information asset owner.

• Records of all user account creations, deletions, and changes to user access and permissions shall be maintained for a period of at least 12 months.

• The department shall develop a comprehensive identity and access management strategy based on statutory and organizational business requirements, including:

  • Supporting unique identification, individual user types and groups, job roles and access methods.

  • Limiting access to information assets and associated facilities to authorized users, processes, or devices, and to authorized activities and transactions.

  • Defining roles and assigning responsibilities pertaining to access control tools, technologies and processes.

  • Developing and implementing standards, technologies and processes to support its access control strategy.

  • Formally defining and documenting user account types and groups, and access use cases, commensurate with employment responsibilities.

  • Employing multi-factor authentication for remote access, and risk-based user authentication methods to accommodate approved logical access use cases.

  • Publicly available or published access and authentication credentials, such as default credentials, anonymous credentials and guest credentials, shall not be re used, and shall be replaced as a matter of standard procedure.

  • Display a notification of system use or security warning banner message on each system that requires affirmative acknowledgement by the user before authentication.

• The department shall ensure that access to non-active personnel is deactivated before or immediately after termination, as appropriate.

• The department shall review and validate user access and associated access permissions and privileges at least every 12 months to ensure alignment with individual job roles and functions.

• Certain department information technology support personnel and network administrators shall require specific privileges to perform their duties.

  • For all Administrators and Privileged Account holders, the department shall:

    • Identify and document all Administrator and Privileged Account holders.

    • Ensure that administrative and privileged accesses are granted to users through established or approved local provisioning processes.

    • Ensure that such users acknowledge the privileges and only use those accounts to fulfill the specific job responsibilities for which the privileges apply.

    • Ensure automated processes including service accounts with privileged access to information systems shall follow established standards for password rotation, limited access and auditing.

    • Review and validate the continued business need for all Administrator and Privileged Accounts on an annual basis or when staffing, resource, or job function changes occur.

• User access and permissions shall be based on the principles of least privilege and separation of duties.

• The department shall define and document all auditable system events related to data and information access that shall be recorded.

• The department shall ensure access control management systems are configured to capture and record audit and security information related to access events.

• Audit and security records shall be securely stored and protected against tampering; audit and security records shall be maintained for the period defined in the records retention schedule.

• Monitoring and alerting of anomalous or suspicious activities and events is most effectively accomplished through automated and real-time reviews of audit and security logs.

• The department shall implement suitable controls to monitor for unauthorized changes to user access. Where feasible, unauthorized changes shall generate automated alerts to notify responsible department individuals.

• In the absence of automated monitoring and alerting, the department Information Security Officer (ISO) shall review access record reports on a quarterly basis.  Access records include: new user account creation requests, user access revocation requests, active user lists, and user termination lists.

Roles and Responsibilities

• The department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all users of department Information Assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually, and updated accordingly.

  • Is required to audit and assess compliance with this policy at least once every two years.

• Department Owners of Information Assets and Program Management:

  • In collaboration with the Information Asset Custodians shall ensure that this policy is implemented and implementation is reviewed at minimum annually.

  • Shall audit and assess user access rights and privileges to ensure alignment with individual job roles and functions on an annual basis.

• Department Information Asset Custodians:

  • Shall implement user access and associated rights and privileges as requested and approved by Owners of Information Assets.

  • In collaboration with Owners of Information Assets, shall periodically review accounts with elevated privileges and verify that continued privilege account access is required.

  • In collaboration with Owners of Information Assets shall ensure access technology and process controls are commensurate with the sensitivity or criticality of information assets under their purview.

  • Shall revoke or modify individual user access rights and privileges upon notification from the Owners of Information Assets.

  • Shall maintain access records consistent with the retention schedule.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible or is technically impossible, if existing policy currently in place already meets these requirements, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variation as defined by the department ISO.

Authority

• This policy complies with California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Information assets owned by the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA) (including but not limited to department  data and information, laptops, cell phones, and removable storage devices) are strategic assets intended for official business use, and are entrusted to State personnel in the performance of their job-related duties.

• Inappropriate use of CDCR, CCHCS, and CALPIA (hereinafter referred to as department) information assets could negatively affect the confidentiality, integrity, or availability of the information, information systems, or other information assets of the department and the State of California.  Consequently, it is important for all users to access or use information assets in a responsible, ethical, and legal manner that safeguards department data and information.

• Additionally, the appropriate use of information assets benefits the State and the department by strengthening the protection of the department and its personnel and business partners from illegal or potentially damaging activities.

Objectives

• This policy defines and establishes the requirements for the appropriate use and safeguarding of department information assets.

Ownership of Information

• Data and information in hard copy format and that which is electronically created, sent, received, processed, or stored on information assets owned, leased, administered, or otherwise under the custody and control of the department are the property of the State. Any information, not specifically identified as the property of other parties and that is transmitted, processed, or stored on the department’s and business partner Information Technology facilities and resources (including e-mail, messages, and files) is considered the property of the department.

• Individual access and use of department information assets is neither personal nor private.  As such, department management reserves the right to monitor and log all employee use of department information assets with or without advanced notice.

Scope and Applicability

• The scope of this policy extends to all information assets owned or operated by the department and to all personnel authorized to use these assets.

Policy Directives

• The department shall ensure that users use and protect department information assets in accordance with this policy and applicable information security and privacy policies.

• Department Unacceptable Use

  • The department shall ensure that users do not:

  • Use department information assets to engage in or solicit the performance of any activity that violates laws, regulations, rules, policies, standards, and other applicable requirements issued by the federal government, the State of California, and the department.

  • Use department information assets for personal enjoyment, private gain or advantage, personal gain, political activity, unsolicited advertising, unauthorized fundraising, or an outside endeavor not related to State business.

  • Engage in any activity that attempts to circumvent or alter the function of the department’s security controls (e.g., spoofing email, anonymous proxies, or unauthorized encryption), or other activities that may degrade the performance of information resources, or may deprive an authorized user access to department assets.

  • Share their work-related account(s), passwords, Personal Identification Numbers, security questions/answers, security tokens (e.g., smartcard, key fob), or similar information or devices used for authentication and authorization purposes.

  • Use department information assets to send or arrange to send emails or intentionally access sites that contain pornographic, racist, or offensive material, chain letters or unauthorized mass mailings, and malicious code.

  • Users shall not connect or otherwise attach unauthorized devices or equipment to the department network infrastructure.

Roles and Responsibilities

• The department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually and updated accordingly.

  • Is required to audit and assess compliance with this policy at least once every two years.

• Department Information Asset Users:

  • Shall use and protect department information assets in accordance with this policy and applicable information security and privacy policies.

  • Shall report any security concerns pertaining to department information asset security of which they become aware to the department Information Security Officer (ISO), designee, appropriate security staff or their immediate supervisor. Security concerns with information assets may include unexpected software or system behavior, which could result in unintentional disclosure of information or exposure to security threats.

  • Shall report any suspected or actual activities or events indicating misuse or violation of this policy to the department ISO, designee, appropriate security staff or their immediate supervisor.

  • Shall be aware of and adhere to all department information security and privacy policies.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISO.

Authority

• This policy complies with California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Network firewalls act as a communications buffer between internal and external devices while simultaneously keeping out unwanted users, viruses, worms, or other malicious programs trying to access the protected network. Firewalls and the technology and procedures that support them help protect internal networks and manage traffic in and out of California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA)’s network.

Objectives

• The objective of this policy is to define how firewalls are to be configured, implemented, and managed within the CDCR, CCHCS, and CALPIA (hereinafter referred to as department).

Scope and Applicability

• The scope of this policy extends to all information assets owned or operated by the department, including mission critical infrastructure and information assets owned or operated by third parties (if applicable) on behalf of the department.

• This policy applies to the department Chief Information Officer or their designee, Information Technology functions, information security sections, owners of critical infrastructure, Agency and Department Information Security Officers, Technology Recovery Plan coordinators, and Information Asset Custodians.

Policy Directives

• The department shall use a multi-layered approach to protect computer resources and assets. Network security design shall include firewall functionality at all places in the network where opportunities exist for outside exploitation. This may include placing a firewall in areas other than the network perimeter to provide an additional layer of security and protect devices that are placed directly onto external networks (i.e. the Demilitarized Zone [DMZ]) or between different trusted and untrusted segments of the network.

• Firewall Configuration

  • The department shall:

  • Implement configurations that restrict all inbound and outbound traffic associated with untrusted wired/wireless networks and hosts.

  • Deny all traffic by default and only allow inbound and outbound traffic thru approved exceptions.

  • Disable unnecessary user accounts and default accounts (e.g. Administrator, Guest, etc.).

  • Disable all unused and unnecessary ports, protocols, and services before deployment into a production environment.

  • Implement a DMZ that limits inbound traffic to the internal trusted network and permits authorized publicly accessible services, protocols, and ports/services.

  • Log all changes to firewall configuration parameters, enabled services, and permitted connectivity paths for a period of one year. The department data retention procedures shall be followed.

  • Physically secure firewalls in a location accessible only to authorized personnel.  The placement of firewalls in an open area within a general-purpose data center is prohibited.

Firewall Administration and Management

• The following firewall management practices shall be utilized:

• Configuration of rulesets and policies shall be managed through an internal change management process.

• Firewall security logs shall be reviewed no less than every six months to detect any unauthorized entry attempts or network anomalies, and shall be retained for a period of one year.

• All enterprise firewall rulesets shall be reviewed according to documented processes and procedures.

• All new inbound and outbound connections requiring firewall rulesets to be applied shall have a valid business justification and the approval of the Information Asset Custodian on behalf of the Information Asset Owner.

• Current security updates, patches, and anti-virus definitions shall be applied in accordance with documented standards, threat intelligence, and product/vendor guidance.

• Administrative access shall be restricted to authorized and approved Information Asset Custodians and designated security personnel.

• Access to management and administrative interfaces shall be available only from locations that are deemed appropriate.

Roles and Responsibilities

• The department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually and updated accordingly.

  • Is required to audit and assess compliance with this policy at least once every two years.

• The department Information Security Officer (ISO) is responsible for the oversight and coordination of entity information security policies and procedures.

• The department Owners of Information Assets and Program Management, in collaboration with the Information Asset Custodians, are responsible for ensuring the protection of information assets under their purview.

• The department Information Asset Custodians:

  • In collaboration with the Information Asset Owners, are responsible for ensuring implementation of this policy and its directives.

  • Shall review firewall security logs in accordance with this policy.

  • Shall notify the department ISO and the asset owner shall a security incident occur.

• The department Firewall Administrators are responsible for managing firewall policies, updates, upgrades, software, installations, as well as other network security solutions.  As access and network requirements change, firewall policies shall be updated to reflect these changes.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISO.

Authority

• This policy complies with State of California Government Code Section 11549.3 and State Administrative Manual-5350 Operational Security.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• Information assets owned by the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA) (including but not limited to department  data and information, servers, laptops, tablets, cell phones, and removable storage devices) are strategic assets intended for official business use, and they are entrusted to State personnel in the performance of their job related duties.

• Restricting physical access to information assets reduces the potential for their damage and misuse. Implementing and maintaining environmental controls provides optimal operating conditions for information assets that are critical to CDCR, CCHCS, and CALPIA (hereinafter referred to as department) business functions.

Objectives

• Objectives for this policy are to establish physical security and environmental protection control requirements to safeguard department information assets against unauthorized access, use, disclosure, disruption, modification, or destruction.

Scope and Applicability

• The scope of this policy extends to all State information assets owned or operated by the department, and governs physical access to department information assets.

• This policy applies to all department personnel.

Policy Directives

• The department shall define the control requirements for the physical environmental protection of information assets.

• The department shall implement, manage, monitor, and regularly maintain physical security and environmental protection controls to safeguard State information assets for which they have custodianship.

• Personnel identification systems and facility access controls shall be implemented for all personnel and visitors. Access logs shall be reviewed at minimum annually.

• Environmental controls shall be implemented in computer rooms and data centers, including but not limited to, temperature and humidity regulators, fire detection and suppression, and electrical power conditioning.

• Supporting controls, processes, and procedures to control physical access (e.g., security gates), handling digital media, and emergency processes and procedures shall be implemented.

• Service records of periodic maintenance of physical and environmental protection controls (e.g., heating/cooling unit servicing) and results of tests of environmental controls (e.g., power outage) shall be retained for a minimum of six months.

• Security risks shall be identified, remediated, and reported to the department Information Security Officer (ISO).

Roles and Responsibilities

• The department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually and updated accordingly.

  • Is required to audit and assess compliance with this policy at least once every two years.

• The department Owners of Information Assets and Program Management:

  • Shall formally approve and authorize access and revocation of access to information assets.

  • In collaboration with the Information Asset Custodians shall validate access to information assets under their purview on an annual basis, or when staffing, resource or job function changes occur.

  • In collaboration with the Information Asset Custodians shall validate protection requirements for information assets under their purview on an annual basis.

• The department Information Asset Custodians:

  • In collaboration with the Owners of Information Assets shall define protection requirements for information assets under their purview.

  • Shall implement, manage, maintain, monitor, and periodically test physical and environmental protection controls to safeguard State information assets for which they have custodianship and as defined by the respective Owners of Information Assets.

  • Shall track and monitor all access to information assets, including physical access, as defined by Owners of Information Assets, and physical and environmental controls to validate correct operation.

  • Shall maintain all maintenance records and results of periodic tests.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the CDT OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA) is responsible for the integration of information security and privacy within the organization. This includes, but is not limited to, the design and early identification of appropriate security controls in information asset acquisitions, in the design of new systems, or existing systems that are undergoing substantial redesign, including both in-house and outsourced solutions.

• The CDCR, CCHCS, and CALPIA (hereinafter referred to as department) shall ensure its Information Security Officer (ISO) and, where applicable, its Privacy Program Coordinator and Technology Recovery Coordinator, are actively engaged with both the owners of information assets, and any relevant project, procurement, and technical personnel, to identify and implement the appropriate security controls required to manage risk to acceptable levels. Where applicable, the department ISO shall also work with other stakeholders, as appropriate.

Objectives

• The objective for this policy is to establish a documented security assessment and authorization plan.

Scope and Applicability

• The scope of this policy extends to all State and Agency information assets owned or operated by the department.

• This policy applies to the department ISO, Privacy Officer, Privacy Program Coordinator, program management, Owners of Information Assets and Information Asset Custodians.

Policy Directives

• The department shall ensure that a plan for assessing security controls in department information assets is defined and documented. The plan shall include the following:

• Roles and responsibilities for security assessments and authorization.

• Assessments are integrated in life cycle processes and operational assessments, and identify weaknesses and deficiencies early in information asset acquisition, development, and integration processes.

• Essential information needed to make risk management decisions as part of security authorization processes is provided to the defined risk decision makers.

Roles and Responsibilities

• The department Chief Information Officer (CIO) or Designee:

  • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • Is responsible for ensuring that this policy is reviewed annually, and updated accordingly.

  • Is required to audit and assess compliance with this policy at least once every two years.

• The department Information Security Officer (ISO) shall facilitate security assessments and authorizations, and shall provide advice as appropriate.

• The department Owners of Information Assets and Program Management in collaboration with Information Asset Custodians shall:

  • Ensure that this policy is implemented and shall review the policy’s implementation annually.

  • Ensure requisite security controls are implemented in accordance with applicable security requirements and documented authorizations for information assets.

  • Ensure that any security control gaps and residual risks being accepted are formally documented.

  • Ensure that records and results of assessments and risk decisions are maintained.

  • Ensure that records and results of assessments and risk decisions are provided to information security officers in a timely manner.

• The department Information Asset Custodians shall implement the requisite security controls based upon the sensitivity or criticality of the assets as defined by the owners of information assets.

• The department Privacy Officer/Privacy Program Coordinator shall ensure that privacy threshold and privacy impact assessments are completed as part of the security assessment and authorization process.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, The department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with State laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of State information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISO.

Authority

• This policy complies with California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• In order to detect and respond to signs of attack, anomalies, and suspicious or inappropriate activities, California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA), hereinafter referred to as department, requires an audit and security event logging strategy to continuously monitor access and activities conducted using department information assets.

• Information assets owned by the department are strategic assets intended for official business use, and are entrusted to state personnel and business partners in the performance of their job-related duties. Since inappropriate or unauthorized access and use of department information assets could result in harm to the state and to the department, it is important to detect and respond to signs of attack, anomalies, and suspicious or inappropriate activities in a timely and proper manner.

Objectives

• This policy guides the development and implementation of department event logging and continuous monitoring strategy and supporting processes to identify and respond to indicators of attack, anomalies, and suspicious or inappropriate activities.

Scope and Applicability

• The scope of this policy extends to all information assets owned or operated by the department.

• This policy is applicable to department Owners of Information Assets and Information Asset Custodians.

Policy Directives

• Department Owners of Information Assets in collaboration with Information Asset Custodians and the department Information Security Officer (ISO) shall develop and implement an event logging and continuous monitoring strategy of access and activities conducted using department information assets. This strategy shall include, at a minimum, the following items:

• Define and document the audit logging requirements and security events that shall be recorded, monitored, and reviewed.

• Identify and implement controls for audit trails and auditability of events for each system as well as for the internal network, accounting for segregation of duties, as appropriate.

• Perform, at minimum, monthly monitoring of event logs of critical information assets to identify and respond to indicators of attacks, anomalies, and suspicious or inappropriate activities in a timely manner.

• Define secure storage and retention of event logs.

• Clearly define roles and responsibilities for event logging and monitoring.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee

  • The CIO or designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

  • The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

• Department Information Security Officer (ISO)

  • The ISO shall guide the development and implementation of the department event logging and continuous monitoring strategy.

• Department Owners of Information Assets and Program Management

  • Owners of Information Assets in collaboration with Information Asset Custodians are responsible for ensuring the protection of information assets under their purview.

  • Owners of Information Assets shall participate in the development and implementation of an event logging and continuous monitoring strategy.

  • Owners of Information Assets shall ensure assets are independently and continuously monitored based on the criticality of information assets.

• Department Information Asset Custodians

  • Information Asset Custodians shall participate in the development and implementation of an event logging and continuous monitoring strategy.

  • Information Asset Custodians shall implement and maintain the department event logging and continuous monitoring strategy.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in the Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with state laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of state information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with State of California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• The purpose of this policy is to ensure that necessary records and documents are adequately protected and maintained. Records that have reached the records retention maximum lifespan or that are no longer deemed necessary by the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA), hereinafter referred to as department, are to be destroyed at the proper time and in a secure manner, consistent with records management policies outlined by the Secretary of State’s Office. The policy also describes the obligations of department employees to retain electronic and non‑electronic documents and their proper disposal.

Objectives

• The objective of this policy is to establish the requirements for retaining or disposing of paper and electronic documents including but not limited to:

• E-mails, texts, chats, and instant messages.

• Video, audio, and image files.

• Word processing and spreadsheet files.

• Website activity and history.

• Information posted on social networking websites.

• Voice mails and video mail.

• Computer programming information, system and audit logs, configuration details.

• Physical paper documents, media and artifacts.

Scope and Applicability

• The scope of this policy extends to all state information assets owned or operated by the department, as well as information assets owned and operated by third parties (if applicable) on behalf of the department.

• This policy applies to the department’s Chief Information Officer (CIO) or designee, program management, Owners of Information Assets, Department Information Security Officers, Records Management Coordinators (RMC), Records Management Assistant Coordinators (RMAC), Technology Recovery Plan Coordinators, and Information Asset Custodians.

Policy Directives

• Pursuant to California Government Code Sections 12270-12279, the department shall set records retention schedules to address legal, statutory, and compliance requirements as well as litigation needs, business processes, and data privacy concerns. Storage requirements shall be coordinated with the department RMC to ensure compliance with the State Records Management Act.

• The department shall:

  • Ensure that roles and responsibilities for the identification, classification, and life cycle management of all department data and information assets are defined, documented, and implemented.

  • Ensure that all department information assets, including information and information systems, are categorized according to their criticality to department in accordance with SAM 5305.5, as well as to their sensitivity and susceptibility to inadvertent damage, loss or exposure and corresponding impacts to department.

  • Ensure that methods to protect the confidentiality, integrity, and availability of department data and information assets according to their classification are defined, documented, and implemented.

  • Ensure that conditions for access to and use of department information assets for all personnel are defined and documented.

  • Ensure that all personnel with access to department data and information assets are trained regarding data access and handling according to their roles and responsibilities.

  • Ensure that department data and information assets are used solely for their intended purpose.

  • Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.

  • Ensure regular backups shall be completed based on department back-up and retention policy.

Data Retention Requirements

• Retention procedures shall specify:

  • Steps used to archive information and locations where this information is stored.

  • The appropriate destruction of stored information, electronic or other format, after the identified retention period expires. Such steps shall adhere to the requirements outlined in this policy.

  • Chain of custody and handling of stored information, electronic or other format, when under litigation.

• In certain instances, individual business units have unique record retention requirements outside of documented groups. These requirements shall be documented as part of internal processes and procedures and communicated to the Information Security Officer (ISO), RMC and RMAC. Such requirements may include contractual obligations with customers or business contacts or data retention requirements to maintain business operations. In some instances, departments may need to retain electronically stored information for a historical archive.

• During the appropriate retention period for electronic records, archived data shall be retrievable. Doing so requires the following protocols:

  • As new software or hardware is implemented, appropriate department support staff shall ensure new systems and file formats can read legacy data. This may require that older data is converted to newer formats where possible.

  • Data that is encrypted shall be retrievable. The department shall implement key management procedures to ensure encrypted data can be decrypted when needed.

• When establishing record retention periods, the department shall rely on (in order of precedence):

  • Federal and state laws and statutes and regulations.

  • State guidelines, recommendations, rules, and statutory requirements.

  • Internal department requirements and policies.

Audit Controls and Management

• Documented procedures shall be in place for this policy and reviewed annually and updated as needed. Effective organizational management, audit controls, and employee practices include:

• Documented record retention schedules and archival information of the department.

• Procedures and anecdotal evidence of data migrations to manage electronic record compatibility with newer systems.

• Documented encryption and decryption strategies that allow for retrieval of archival electronic records.

• Employee procedures and documentation of records management and archival processes.

• Direct observation of archival records organization and storage.

Expiration of Retention Period

• Once a record or data has reached its designated retention period date, the Owner of Information Assets shall refer to the department Data Retention Schedule for appropriate action in accordance with the California State Records Management Act.

Sanitization and Destruction

• When no longer usable, hard drives, diskettes, tape cartridges, CDs, ribbons, hard copies, print-outs, and other similar items used to process, store or transmit sensitive or confidential data shall be properly disposed of in accordance with measures established by SAM 5900 and 1600. (See NIST 800-88, Guidelines for Media Sanitization for further assistance.)

  • Physical media (paper print-outs and other physical media) shall be disposed of by one of the following methods:

    • Shredded using department issued cross-cut shredders.

    • Placed in locked shredding bins for third party shredding to come on-site, retrieve bins and securely shred.

  • Electronic/Magnetic media (hard drives, tape cartridges, CDs, printer ribbons, flash drives, printer and copier hard drives, smart devices, etc.) shall be disposed of by one of the following methods: (See NIST 800-88, Guidelines for Media Sanitization, Appendix A for further details.)

    • Clear – applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.

    • Purge – applies physical or logical techniques that render Target Data recovery infeasible.

    • Destroy – renders Target Data recovery infeasible and results in the subsequent inability to use the media for storage of data.

• IT systems that have been used to process, store, or transmit sensitive or confidential information shall not be released from the department’s control until the equipment has been sanitized and all stored information has been cleared using one of the above methods.

Suspension of Record Disposal in Event of Litigation Hold

• Preservation of data is a response to issues involving litigation, legislation, and requests for data pursuant to public records requests. The department shall comply with multiple federal and state laws, legal proceedings, state regulations and standards for the proper preservation and delivery of relevant physical and electronically stored information (ESI) in a timely and reliable manner. Legal counsel shall take such steps as necessary to promptly inform all staff of any suspension in the further disposal of documents. Please refer to the department eDiscovery and Litigation Hold Policy for further details.

Roles and Responsibilities

• Department Chief Information Officer (CIO) or Designee

  • The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

  • The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

  • The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.

• Department Information Security Officer (ISO)

  • The ISO shall ensure processes exist for the secure destruction of paper and electronic records when no longer needed.

  • The ISO shall ensure specific retention requirements for sensitive or confidential data as defined by the Owners of Information Assets are adhered to.

  • The ISO shall ensure the safe and secure disposal of confidential data and information assets.

  • The ISO shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.

• Department Owners of Information Assets and Program Management

  • Owners of Information Assets shall ensure that no document is retained for longer than is legally or contractually allowed.

  • Owners of Information Assets shall implement data retention and disposal guidelines limiting data storage and retention times in accordance with legal, regulatory, and business requirements.

  • Owners of Information Assets shall define and enforce data retention requirements.

• Department Information Asset Custodians

  • Information Asset Custodians shall assist Owners of Information Assets in identifying data retention security controls commensurate with the classification of the data.

  • Information Asset Custodians shall document, implement, monitor, and maintain data retention security protection controls as defined by Owners of Information Assets.

  • Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data retention security controls.

• Department Records Management Coordinator (RMC) and Records Management Assistant Coordinator (RMAC)

  • The RMC, pursuant to Gov. Code 12274, shall assist the RMACs, Owners and Custodians of Information Assets in establishing proper data retention periods.

  • The RMC shall assist in training identified RMACs and entity staff in records retention.

  • The RMACs shall ensure that required data retention periods are maintained and data beyond the lifecycle of established policy is properly disposed.

Enforcement

• Non-compliance with this policy may result in disciplinary or adverse action as set forth in the Department Operations Manual, Chapter 3, Article 22.

• The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, Information Security Officer (ISO), and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

• The consequences of negligence and non-compliance with state laws and policies may include department and personal:

  • Loss of delegated authorities.

  • Negative audit findings.

  • Monetary penalties.

  • Legal actions.

Auditing

• The department has the right to audit any activities related to the use of state information assets.

• CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Reporting

• Violations of this policy shall be reported to the department ISO.

Security Variance Process

• If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

Authority

• This policy complies with State of California Government Code Section 11549.3.

Revisions

• The CIO or designee shall ensure that the contents of this article are current and accurate.

Introduction and Overview

• California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA), hereinafter referred to as department, collects, processes, transmits, and stores large amounts of data to support essential missions and business functions. Some data maintained by the department may be sensitive or confidential, and may require special precautions to protect it from unauthorized modification, or deletion as per the State Administrative Manual.

• The department has the responsibility to classify its data and information assets, and to implement suitable controls to protect it from unauthorized access, corruption, or loss.