HIPAA BREACH REPORTING
June 04, 2013
Robin Thomas, NC III, Presenter
PRIVACY BREACHES
A privacy breach is an unauthorized disclosure of PHI/PCI that violates either Federal or State law. The Federal law is the HIPAA Privacy Rule; the State law is the Information Practices Act of 1977. Privacy breaches may be paper or electronic, and may occur when information is transmitted to an unintended or unauthorized recipient.
Examples of paper breaches include:
• Misdirected paper faxes with PHI/PCI outside of the Department
• Loss or theft of paper documents containing PHI/PCI
• Mailings with PHI/PCI to incorrect providers or service recipients
Examples of electronic breaches include all of the following if they contain PHI/PCI:
• Stolen unencrypted laptops, hard drives, or PCs
• Stolen unencrypted thumb drives
• Stolen unencrypted compact discs (CDs)
• Misdirected electronic fax to a person outside of authorized State government
INCIDENT REPORTING
State policy requires Departments to follow specified notification and reporting processes when information security incidents occur…and this process starts with you! As soon as you are aware that an incident has occurred, report it to your supervisor immediately.
In addition, as applicable to the incident, you must report:
• A description of the information disclosed or accessed by an unauthorized person
• The primary business processes involved
Breach Reporting
If a breach of security is suspected, you must immediately report it to the CDPH Information Security Office ([email protected]).
If you suspect CDPH confidential or sensitive information was viewed by an unauthorized individual, you must also notify the CDPH Privacy Office ([email protected]).
Make sure to keep your Supervisor informed.
First Contact:
Stephen Stuart, Privacy Officer/Sen. Staff Counsel
Privacy Office, Office of Legal [email protected]
(916) 440-7432

Ivory Mitchell, Privacy Analyst
Privacy Office, Office of Legal [email protected]
(916) 440-7845
STEP ONE
Email to Stephen and Ivory:
• A clear and concise description of the incident
• No abbreviations or acronyms. The PO (Privacy Office) and the ISO (Information Security Office) are not familiar with Newborn Screening's or other entities' abbreviations or acronyms.
• Forms 1-4 listed on the next page
STEP ONE
Complete and submit forms to the Privacy Office
1. CDPH Breach Incident Reporting Form (CDPH 2375): submit one form per incident
2. HIPAA Breach Notification Checklist: complete one for each party involved
3. State Breach Notification Checklist: complete one for each party involved
4. Security Incident Determination Checklist: submit one form per incident
The Privacy Office will review and determine whether a breach occurred and the next steps.
STEP TWO
• The Privacy Office will draft letters for mailing.
• Review the letters for necessary corrections and send approval back to the Privacy Office.
• The Privacy Office will update the letters.
• Print the letters, obtain the Program Chief's signature, copy for file, and mail to affected parties.
• Update and print the Notification Log for file.
STEP THREE
Complete and submit forms to the Privacy Office
5. Completed Breach Corrective Action Plan
6. Send a copy of the Notification Log 30 days after letters are mailed.
7. Update the Notification Log if any communication is received.
Office of Information Security Contacts:
Brian Issertell
Department of Public Health, Information Security [email protected]
(916) 552-9924

Greg [email protected]
(916) 322-2649