Welcome to the California Department of Health Care Services 

Privacy Breach

A privacy breach is an unauthorized disclosure of personal confidential information that violates state or federal privacy laws. In the event of a privacy breach, the following procedures should be followed to ensure the appropriate level of response.

The DHCS investigates all alleged breaches of personal confidential information reported by its employees, staff of its business associates, individual program beneficiaries or other persons and will work to resolve the issues raised in order to safeguard individuals' confidential information and improve the DHCS business systems and practices.  The Privacy Officer determines the appropriate level of response to mitigate potential harm and corrective action necessary when the DHCS is made aware of a privacy breach.  If the privacy breach involves electronic, unencrypted confidential information, the state breach notification law may be triggered.


DHCS employees must provide immediate notice to the DHCS Privacy Officer and the DHCS Information Security Officer of any suspected or actual breach of security or unauthorized disclosure in violation of any applicable federal and state laws or regulations.
Note: Business Associates must also notify DHCS of security breaches.


What information do we need to keep private?

The HIPAA Privacy Rule requires covered entities, including the DHCS, to have policies and procedures for permissible uses and disclosures of protected health information (PHI). PHI is information that identifies, or can be used to identify, an individual and relates to the past, present or future health condition of that individual. PHI includes information about the health care services an individual has received or will receive, as well as information used to collect payment for health care services. Payment-related activities may also require determinations of eligibility or other health care coverage, coordination of benefits, cost sharing, third party liability, adjudication of claims, billing, utilization review or other prior authorization of services. PHI includes information in any form, including paper, electronic (E-PHI) and oral communications. Refer to the 18 identifiers that constitute PHI. HIPAA does not cover workers' compensation records, employee records, or records about providers. However, DHCS considers these records information that must be safeguarded in the same manner as PHI, and has determined all these records to be "personal confidential information."

  • Personal Confidential Information (PCI) that we need to keep private
    * Information that is not public and that identifies or describes an individual, including:
      - Names
      - Home Addresses
      - Home Telephone Numbers
      - Social Security Numbers
      - Medical or Employment Histories
      - Personnel Records
      - Licensing Records

In some instances involving unauthorized disclosures, a formal breach notification letter will be sent to persons whose PCI is impacted. Breaches may be paper or electronic. Electronic breaches trigger the state breach notification law when the name plus Social Security number, DMV number, or financial account number are involved. Affected individuals must then be notified according to the state breach notification law.
Assembly Bill 1298 (Jones; Chapter 699; Statutes of 2007) Adds Medical/Health Information to the State Breach Notification Law Effective January 1, 2008 

The state expansion from a financial identity theft law to a medical identity theft law takes effect on January 1, 2008, triggering breach notifications whenever medical or health insurance policy information is breached.
State law requires written notification to California residents whenever there is a breach of unencrypted electronic data containing the following data elements of personal information:

  • The individual's first name or first initial and last name, in combination with any of:
    - Social Security Number
    - Driver's license or California ID number
    - Account number, credit or debit card number in combination with security code, access code or password

AB 1298 adds two new categories of breach-triggering information:
  • Medical Information: defined as the individual's medical history, treatment or diagnosis; mental or physical health condition
  • Health Information: health insurance policy or subscriber number, application and claims history, as well as appeals records

Privacy Breach Presentation

BREACH WRITTEN REPORT - Sample Breach Report
When an unauthorized disclosure or privacy breach occurs, a written report to the DHCS Privacy Officer is required. The Privacy Officer will make a determination upon careful review of the circumstances and state law. Therefore, it is important that staff complete a thorough report. Please document the circumstances using the following sample report. The report will help you describe the incident, identify potential harm and determine a corrective action plan to prevent future occurrences.

The Centers for Medicare and Medicaid Services (CMS) issued guidance to state Medicaid systems and program staff on requirements for reporting breaches in a letter dated August 15, 2007.
Flow chart of security breach staff reporting process
