HIPAA BREACH REPORTING
June 04, 2013
Robin Thomas, NC III, Presenter
PRIVACY BREACHES
• A privacy breach is an unauthorized disclosure of PHI/PCI that violates either Federal or State law. The Federal law is the HIPAA Privacy Rule; the State law is California's Information Practices Act of 1977.
• Privacy breaches may be paper or electronic, and may occur when information is transmitted to an unintended or unauthorized recipient.
• Examples of paper breaches include:
  • Misdirected paper faxes containing PHI/PCI sent outside of the Department
  • Loss or theft of paper documents containing PHI/PCI
  • Mailings containing PHI/PCI sent to the incorrect provider or service recipient
• Examples of electronic breaches include any of the following when they contain PHI/PCI:
  • Stolen unencrypted laptops, hard drives, or PCs
  • Stolen unencrypted thumb drives
  • Stolen unencrypted compact discs (CDs)
  • Misdirected electronic faxes sent to a person outside of authorized State government
INCIDENT REPORTING
• State policy requires Departments to follow specified notification and reporting processes when information security incidents occur, and this process starts with you.
• As soon as you become aware that an incident has occurred, report it to your supervisor immediately.
• In addition, as applicable to the incident, you must report:
  • A description of the information disclosed to or accessed by an unauthorized person
  • The primary business processes involved
BREACH REPORTING
• If a breach of security is suspected, you must immediately report it to the CDPH Information Security Office (CDPH.InfoSecurityOffice@cdph.ca.gov).
• If you suspect that CDPH confidential or sensitive information was viewed by an unauthorized individual, you must also notify the CDPH Privacy Office (Privacy@cdph.ca.gov).
• Keep your Supervisor informed throughout.
FIRST CONTACT
• Stephen Stuart, Privacy Officer / Senior Staff Counsel
  Privacy Office, Office of Legal Services
  Stephen.Stuart@cdph.ca.gov, (916) 440-7432
• Ivory Mitchell, Privacy Analyst
  Privacy Office, Office of Legal Services
  Ivory.Mitchell@cdph.ca.gov, (916) 440-7845
STEP ONE
• Email to Stephen and Ivory:
  • A clear and concise description of the incident
  • No abbreviations or acronyms: the Privacy Office (PO) and the Information Security Office (ISO) are not familiar with Newborn Screening's or other entities' abbreviations or acronyms.
  • Forms 1-4, listed on the next slide
STEP ONE (continued)
• Complete and submit the following forms to the Privacy Office:
  1. CDPH Breach Incident Reporting Form (cdph2375): submit one form per incident
  2. HIPAA Breach Notification Checklist: complete one for each party involved
  3. State Breach Notification Checklist: complete one for each party involved
  4. Security Incident Determination Checklist: submit one form per incident
• The Privacy Office will review the submission and determine whether a breach occurred and what the next steps are.
STEP TWO
• The Privacy Office will draft the notification letters for mailing.
• Review the letters for necessary corrections and send your approval back to the Privacy Office.
• The Privacy Office will update the letters.
• Print the letters, obtain the Program Chief's signature, keep a copy for the file, and mail them to the affected parties.
• Update and print the Notification Log for the file.
STEP THREE
• Complete and submit the following to the Privacy Office:
  • The completed Breach Corrective Action Plan
  • A copy of the Notification Log, sent 30 days after the letters are mailed
• Update the Notification Log if any communication is received from an affected party.
OFFICE OF INFORMATION SECURITY CONTACTS
• Brian Issertell
  Department of Public Health, Information Security Office
  Brian.Issertell@cdph.ca.gov, (916) 552-9924
• Greg Meixner
  Greg.Meixner@cdph.ca.gov, (916) 322-2649