PRIVACY INCIDENT REPORT
For all HHSA Programs/Regions/Divisions and Article 14 Contractors
STAFF INVOLVED IN PRIVACY INCIDENTStaff Involved were County Employees Contractors / County Program/Region:
If Contractor: Contractor/Program Name:
Name of COR: COR Phone Number: Contract #:
Name of Staff Involved:
Location/Worksite: / Privacy Training Date: / Job Title and Duties:
Name of Staff involved:
Location/Worksite: / Privacy Training Date: / Job Title and Duties:
If last privacy training in excess of 12 months: Date staff last signed a confidentiality statement:
Reason annual training not completed timely:
INCIDENT DETAILS
Describe Incident (Include address and location of incident, what happened, and how you found out):
DO NOT INCLUDE ANY PROTECTED INFORMATION ON THIS REPORT
Date Incident Occurred:Date Discovered: / Police Report Filed? Yes No If yes, report #:
If privacy incident report is more than 1 day after incident, explain:
DATA INVOLVED IN INCIDENT
Summary of Data involved (such as type of documents):
# of Individuals’ Data Involved: (check if estimate) / Type of Data Involved: Check all that apply.
Provide a breakdown of the individuals whose data was involved:
# of Adults not on Medi-Cal # of adults on Medi-Cal
# of Minors not on Medi-Cal # of Minors on Medi-Cal / First Name or Initial
CIN or Medi-Cal #
Membership #
Address/Zip Code
Appointment Info
Credit Card/Bank Acct#
Driver’s License #
Diagnosis or Condition HIV/AIDS Test Results / Last Name
SSN
DOB
Telephone #
Case number
EBT Number
Other ID #
Medications
Other Labs
Type/s of Media Involved: Check all that apply:
Paper Email Verbal / Desktop Laptop Tablet / Smart Phone
Other Cell Phone
Medication Bottle / EBT Card
Appt Book
Label
Computer System; system name (ie CalWIN):
Other media; explain:
Types of Data Involved: Check all that apply: / User Name/Email Address & Password
Health Plan Name (including Medi-Cal)
HIPAA Psychotherapy Notes (separate from EHR)
Other; explain:
Mental Health Info Substance Abuse Records
Physical Health or Medical Data Case Status
Court or Police Reports Health Insurance Claims Info
MITIGATIONS
Do you suspect data was viewed by an unauthorized person?: Yes No Explain:
Was data eventually recovered? Yes Explain how, when, and who has data now:
No Explain why not recovered and attempts to retrieve:
For email incidents: Date (or dates) staff requested recipient delete email:
Date deletion of email was confirmedby recipient:
For privacy incidents that involve loss or theft of assets (such as computer or phone):
For Contractor incidents:
Was data encrypted per NIST standards? Yes No
Was device encrypted: Yes No
Was device wiped: Yes No Date of wipe: / For County incidents:
County laptop, tablet, or phone asset #:
Date device wipe request submitted to IT:
Date device wipe confirmed by IT:
If wipe request not sent to IT within one day, explain:
Describe Data Security, mitigating factors, and corrective actions taken (and dates, as applicable):
Date written notification letter sent to client/s:
If notification not sent to clients, explain rationale:
For contractors only: Is your Program covered by HIPAA: Yes No (if no, skip this section)
If yes, do you plan to notify OCR? Yes Note: Provide date of OCR notification and OCR report number via email once submitted.
No Provide low risk analysis summary:
SIGNATURE
Name of Staff Completing Report (Staff completing form cannot be involved in incident):
Job Title: / Date: / Phone #:
Privacy Incident Report 2017 August_FL (00000002) 1