Pacific Health Group
HIPAA Policy 2025-04-17T13:46:46-08:30

Our Mission is to Empower Life

HIPAA Policy Manual
Combining resources and healthcare for a more accessible pathway to well-being.

Our Commitment to Quality goes above and beyond the notion of care; it is built into the root of our principles and values.

  1. Purpose

The purpose of this policy is to establish comprehensive guidelines for safeguarding the confidentiality and security of members’ information within the CalAIM Enhanced Care Management (ECM) and Community Support (CS) Program. This policy ensures compliance with all applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA). By adhering to these guidelines, we aim to protect the privacy rights of our members and uphold the highest standards of ethical conduct.

  2. Scope

This policy applies to all individuals who have access to confidential member information within the CalAIM ECM & CS Program. This includes employees, contractors, volunteers, and any affiliated personnel. It is the responsibility of each person within this scope to understand and adhere to the procedures outlined in this document to protect the confidentiality of member information.

  3. Definitions

For the purposes of this policy, “Confidential Member Information” refers to any personal, medical, or financial information that can identify a member. This encompasses Protected Health Information (PHI) as defined by HIPAA, which includes any information about health status, provision of health care, or payment for health care that can be linked to an individual. “Authorized Personnel” are individuals who have been granted access to confidential information because it is necessary for them to perform their job duties effectively.

  4. Policy Statement

We are committed to protecting all confidential member information from unauthorized access, use, disclosure, alteration, or destruction. Access to such information is strictly controlled and is granted only to authorized personnel who require it to perform their assigned duties. Unauthorized disclosure of confidential information is prohibited and may result in disciplinary action, up to and including termination of employment. All personnel are expected to act in accordance with this policy and to uphold the highest standards of confidentiality.

  5. Procedures

5.1 Access Control

Access to confidential member information is carefully managed to ensure that only authorized personnel can access it. We adhere to the principle of least privilege, granting employees the minimum level of access necessary to perform their job functions. Unique login credentials are required for accessing electronic systems containing confidential information, and these credentials must not be shared or disclosed to others. Access rights are reviewed on a regular schedule and whenever a role changes, transfers, or ends, so that access is adjusted or revoked promptly rather than accumulating over time.

5.2 Physical Security

Physical documents containing confidential information are stored in secure locations, such as locked cabinets or rooms with controlled access. Workstations must be secured by locking them when unattended, and computer screens should be positioned to prevent unauthorized viewing by visitors or other employees without access rights. Access to areas where confidential information is stored is restricted to authorized personnel, and visitors must be accompanied at all times.

5.3 Electronic Security

All electronic confidential information is protected through encryption during storage and transmission. Our electronic systems are accessed via secure, password-protected networks safeguarded with firewalls and antivirus protection. Employees are required to use strong passwords and to change them regularly. Regular backups of electronic data are performed and stored securely to prevent data loss due to system failures or emergencies. Security updates and patches are applied promptly to all systems to protect against vulnerabilities.

5.4 Data Transmission

When transmitting confidential information, only secure channels, such as encrypted email or SFTP (SSH File Transfer Protocol), are used. Personnel must verify the identity of the recipient, and confirm the recipient's address, before transmitting any confidential information to ensure it is shared only with authorized individuals; a message sent to a mistyped or wrong address is itself an unauthorized disclosure and must be reported under Section 5.7. Under no circumstances should confidential information be transmitted through unsecured channels or to unauthorized parties.

5.5 Data Disposal

Proper disposal of confidential information is essential to maintain security. Electronic data must be permanently erased using secure deletion methods that prevent recovery, such as data wiping software or physical destruction of storage media. Physical documents containing confidential information must be destroyed through shredding or incineration to ensure the information cannot be reconstructed or retrieved. Records of data disposal should be maintained as appropriate.

5.6 Training and Awareness

All new personnel are required to participate in onboarding training that covers confidentiality policies, procedures, and legal obligations. This training ensures employees understand the importance of maintaining confidentiality and the specific steps they must take to protect member information. Ongoing education is provided through annual refresher courses and updates on any changes to policies or regulations. Employees are encouraged to stay informed about best practices in information security. All personnel must sign confidentiality agreements acknowledging their responsibilities regarding the handling of confidential information.

5.7 Incident Reporting and Response

In the event of a suspected or actual breach of confidentiality, personnel must report the incident immediately to the Compliance Officer or designated authority. A prompt and thorough investigation will be conducted to assess the breach, determine its impact, and implement measures to mitigate any risks. This may include steps to contain the breach, recover lost data, and prevent future occurrences. Affected members and relevant authorities will be notified as required by law, following established protocols for breach notification. Documentation of the incident and response actions will be maintained.

5.8 Member Rights

Members have specific rights concerning their personal information. They have the right to access their personal information upon request and to receive a copy of their records in a timely manner. Members can request corrections to their information if inaccuracies are found, and we are obligated to make appropriate amendments. We provide members with a privacy notice that explains how their information is used and protected, ensuring transparency and compliance with legal requirements. Members also have the right to request restrictions on certain uses and disclosures of their information, and we will accommodate such requests when possible.

  6. Compliance and Enforcement

To ensure adherence to this policy, regular compliance audits are conducted. These audits review access logs, training records, and security measures to identify any areas of non-compliance or potential improvement. Violations of this policy are taken seriously and may result in disciplinary action, up to and including termination of employment. All personnel are expected to comply with all relevant laws and regulations, and failure to do so may also result in legal consequences. Management is responsible for enforcing this policy and for taking corrective action when violations occur.

  7. Responsibilities

All personnel are responsible for maintaining the confidentiality of member information and for reporting any breaches or suspicious activities to the appropriate authorities. Employees should be vigilant and proactive in protecting confidential information, following all procedures and best practices outlined in this policy. Management is responsible for ensuring that team members understand and adhere to confidentiality policies, providing support and resources as needed. The Compliance Officer oversees the implementation of this policy, including developing training programs, conducting audits, and managing incident response procedures.

  8. References

This policy is guided by several key laws and regulations, including:

  • The Health Insurance Portability and Accountability Act (HIPAA), which sets national standards for the protection of health information.
  • The California Confidentiality of Medical Information Act (CMIA), which provides additional protections for medical information in the state of California.
  • The CalAIM ECM & CS Program Guidelines, which outline specific requirements for managing and protecting member information within the program.

  9. Review and Revision

This policy will be reviewed annually or as required due to regulatory changes, organizational adjustments, or identified deficiencies. The review process will involve assessing the effectiveness of current procedures, considering feedback from personnel, and staying updated on changes in laws and technology. Any updates or revisions will be communicated promptly to all personnel to ensure continued compliance and awareness. Employees are encouraged to provide input on ways to improve the policy and its implementation.

Oversight of Privacy Policies for the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program

  1. Purpose

The purpose of this policy is to establish a comprehensive process for overseeing the application of privacy policies within the CalAIM Enhanced Care Management & Community Support (ECM & CS) program. This policy ensures that the organization remains in full compliance with all applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and California state privacy regulations. By implementing a structured approach, we aim to protect the privacy and security of Protected Health Information (PHI) and Personally Identifiable Information (PII), thereby maintaining the trust of our beneficiaries and stakeholders.

  2. Scope

This policy applies to all employees, contractors, volunteers, and third-party partners who are involved in the CalAIM ECM & CS program and have access to PHI or PII. It is essential that every individual within this scope understands their responsibilities and adheres to the procedures outlined in this policy to ensure the confidentiality, integrity, and availability of sensitive information.

  3. Definitions

  • Protected Health Information (PHI): Any information related to an individual’s health status, the provision of healthcare, or payment for healthcare that can be linked to a specific person. This includes medical records, billing information, and any other data that identifies an individual and relates to their health.
  • Personally Identifiable Information (PII): Information that can be used to identify, contact, or locate a single person, or to identify an individual in context. This may include names, addresses, Social Security numbers, and other personal data.
  • CalAIM ECM & CS Program: The California Advancing and Innovating Medi-Cal Enhanced Care Management & Community Support program, which is designed to provide comprehensive care management services to Medi-Cal beneficiaries, particularly those with complex needs.

  4. Roles and Responsibilities

Privacy Officer: The Privacy Officer is responsible for overseeing compliance with all privacy laws and regulations within the ECM & CS program. This includes conducting regular audits and assessments to ensure that privacy policies are effectively implemented. The Privacy Officer manages any privacy incidents or breaches, coordinating investigations, and implementing corrective actions as necessary. They serve as the primary point of contact for all privacy-related matters and provide guidance to staff and contractors on best practices.

Program Manager: The Program Manager is tasked with implementing privacy policies within the ECM & CS program. They ensure that staff members receive appropriate training and resources to understand and comply with privacy requirements. The Program Manager collaborates with the Privacy Officer to address any issues of non-compliance and to promote a culture of privacy awareness throughout the program.

All Staff and Contractors: Every individual who has access to PHI or PII within the ECM & CS program is required to adhere strictly to all privacy policies and procedures. Staff and contractors must report any suspected breaches or instances of non-compliance promptly to the Privacy Officer or designated authority. They are responsible for safeguarding sensitive information and following established protocols for its use, disclosure, and disposal.

  5. Policy Details

5.1 Application of Privacy Policies

Access Control: Access to PHI and PII is limited to authorized personnel who require this information to perform their job duties. The organization implements role-based access controls, ensuring that individuals have the minimum necessary access to fulfill their responsibilities. Unauthorized access, use, or disclosure of sensitive information is strictly prohibited and subject to disciplinary action.

Data Handling: PHI and PII must be used and disclosed only for authorized purposes, such as treatment, payment, and healthcare operations, as defined by HIPAA. Sensitive information must be securely stored, whether in physical or electronic form, and transmitted using approved methods that include encryption and secure communication channels. Staff must ensure that PHI and PII are not left unattended or accessible to unauthorized individuals, both within and outside the workplace.

Confidentiality Agreements: All staff members and contractors are required to sign confidentiality agreements as a condition of employment or engagement. These agreements outline the individual’s obligations to protect PHI and PII and specify the consequences of violating these obligations. The confidentiality agreements are maintained on file and are enforceable throughout the duration of the individual’s association with the organization.

5.2 Oversight Process

Training and Education: The organization mandates comprehensive privacy training for all new hires before they are granted access to PHI or PII. This training covers relevant laws and regulations, organizational policies, and best practices for protecting sensitive information. Additionally, annual refresher courses are provided to all staff members to reinforce their understanding and to inform them of any updates or changes to privacy policies.

Monitoring and Auditing: Regular audits are conducted by the Privacy Officer to assess compliance with privacy policies and to identify potential areas of risk. These audits may include reviewing access logs, monitoring data transmissions, and evaluating the effectiveness of security measures. The organization utilizes monitoring tools to detect unauthorized access or unusual activity that may indicate a breach or non-compliance.

Risk Assessments: Periodic risk assessments are performed to identify vulnerabilities in the handling of PHI and PII. These assessments evaluate the likelihood and potential impact of various threats, such as unauthorized access, data breaches, or loss of data integrity. Based on the findings, the organization implements mitigation strategies, such as enhancing security controls, updating policies, or providing additional staff training.

Policy Review: The privacy policies are reviewed at least annually to ensure they remain aligned with current laws, regulations, and industry best practices. Changes in legislation, technology, or organizational processes may necessitate updates to the policies. Any revisions are approved by senior management and communicated promptly to all relevant parties, with additional training provided as necessary.

5.3 Reporting and Incident Management

Incident Reporting: Staff and contractors are required to report any suspected or confirmed breaches of PHI or PII immediately upon discovery. Reports should be made to the Privacy Officer using the organization’s standardized incident reporting procedures. Prompt reporting enables the organization to take swift action to contain and mitigate the impact of the incident.

Incident Response: Upon receiving a report of a potential breach, the Privacy Officer initiates an investigation to determine the nature and scope of the incident. The organization follows a defined incident response plan that includes steps for containment, eradication of the threat, recovery of systems, and communication with affected parties. Notifications to individuals and regulatory authorities are made in accordance with legal requirements, and all actions taken are thoroughly documented.

5.4 Communication and Awareness

Policy Dissemination: The organization ensures that privacy policies and related documents are easily accessible to all staff and contractors. Policies are available through the organization’s intranet, employee handbooks, and during orientation sessions. Regular communications, such as newsletters or team meetings, are used to reinforce the importance of privacy and to highlight any updates or reminders.

Feedback Mechanisms: Open channels of communication are established for staff to provide feedback or suggestions regarding privacy practices. This may include anonymous surveys, suggestion boxes, or direct communication with the Privacy Officer or management. The organization values input from staff and uses feedback to enhance privacy policies and procedures.

  6. Compliance

Enforcement: The organization enforces compliance with privacy policies through established disciplinary procedures. Non-compliance may result in disciplinary action, up to and including termination of employment. For contractors and partners, violations of privacy policies may lead to the termination of contracts and potential legal action. The organization is committed to holding all individuals accountable for their actions to maintain a culture of compliance and integrity.

Legal Obligations: The organization is obligated to adhere to all applicable federal and state privacy laws, including HIPAA and the California Consumer Privacy Act (CCPA). Note that the CCPA exempts medical information governed by the CMIA and PHI handled by HIPAA covered entities and business associates; it applies to personal information the organization holds that falls outside those laws. Compliance with these laws is not only a legal requirement but also essential to maintaining the trust of our beneficiaries and stakeholders. The organization cooperates fully with regulatory bodies during compliance reviews or investigations and takes corrective actions as necessary to address any findings.

  7. Review and Update of the Policy

This policy will be reviewed annually or as required due to changes in laws, regulations, or organizational requirements. The review process involves assessing the effectiveness of current policies, considering feedback from staff and stakeholders, and incorporating any new legal or technological developments. Updates to the policy are approved by senior management and communicated to all staff and contractors in a timely manner. Training and resources are provided to ensure that everyone understands and can implement the changes effectively.

  8. References

This policy is informed by and complies with the following laws, regulations, and guidelines:

  • Health Insurance Portability and Accountability Act (HIPAA): Federal legislation that provides data privacy and security provisions for safeguarding medical information.
  • California Consumer Privacy Act (CCPA): State law that enhances privacy rights and consumer protection for residents of California. It applies to personal information not already governed by HIPAA or the CMIA.
  • CalAIM ECM & CS Program Guidelines: Guidelines provided by the state for the implementation and operation of the Enhanced Care Management & Community Support program.
  • Organization’s Privacy and Security Policies: Internal policies that govern the handling of sensitive information and outline the organization’s commitment to privacy and security.

Policy on Staff Responsibilities for the Protection of PHI within the CalAIM ECM & CS Program

  1. Purpose

The primary objective of this policy is to delineate the responsibilities of all staff members in safeguarding Protected Health Information (PHI) within the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program. By adhering to this policy, we aim to ensure full compliance with all pertinent federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA). Protecting PHI is not only a legal requirement but also a fundamental aspect of maintaining the trust and confidence of the individuals we serve.

  2. Scope

This policy applies comprehensively to all employees, contractors, volunteers, and any other individuals who have access to PHI within the CalAIM ECM & CS Program. Regardless of your role or level within the organization, if you handle PHI, you are obligated to comply with the guidelines and procedures outlined in this policy.

  3. Definitions

Protected Health Information (PHI): PHI refers to any individually identifiable health information that is transmitted or maintained in any form or medium. This includes electronic records, paper documents, and oral communications that contain personal health details.

Staff: For the purposes of this policy, “staff” encompasses all individuals who work within the CalAIM ECM & CS Program. This includes full-time and part-time employees, independent contractors, interns, and volunteers who may come into contact with PHI.

CalAIM ECM & CS Program: The California Advancing and Innovating Medi-Cal’s Enhanced Care Management & Community Support Program is designed to provide comprehensive care management services to Medi-Cal beneficiaries with complex health needs. The program focuses on delivering person-centered care that addresses both medical and social determinants of health.

  4. Policy Statement

All staff members bear a personal and professional responsibility to protect the confidentiality, integrity, and availability of PHI. This means actively preventing unauthorized access, use, or disclosure of PHI in all forms. Compliance with this policy is mandatory, and staff must familiarize themselves with all related procedures to ensure that PHI is handled appropriately at all times.

  5. Staff Responsibilities

5.1 Access Control

Staff members are required to access PHI strictly on a need-to-know basis, corresponding directly to their job duties. Accessing PHI beyond what is necessary for your role is prohibited. Each staff member must use unique user identification credentials and robust passwords to access electronic systems containing PHI. Sharing login credentials with others is strictly forbidden. When devices containing PHI are left unattended, staff must ensure they are locked or logged off to prevent unauthorized access.

5.2 Confidentiality and Privacy

Maintaining the confidentiality of PHI is paramount. Staff should only disclose PHI to authorized individuals who have a legitimate need for the information in the course of their duties. When transmitting PHI electronically, staff must use approved, secure communication methods, such as encrypted email or secure portals. Verbal discussions involving PHI should be conducted in private settings to prevent inadvertent disclosures. Avoid discussing PHI in public areas or any place where conversations can be overheard by unauthorized persons.

5.3 Use and Disclosure of PHI

Staff may use PHI solely for purposes permitted by law, such as treatment, payment, and healthcare operations. Any use or disclosure of PHI outside these permitted purposes requires explicit written authorization from the individual, unless the disclosure is otherwise permitted or required by law (for example, a disclosure required by statute or a court order), in which case the Compliance Officer must be consulted first. Staff must obtain this authorization before proceeding with such disclosures. Additionally, staff are responsible for maintaining accurate records of any disclosures of PHI as required by law, so that the organization can provide an accounting of disclosures on request, ensuring transparency and accountability in how PHI is handled.

5.4 Physical and Electronic Safeguards

Protecting PHI requires both physical and electronic security measures. Physical records containing PHI must be stored in locked cabinets or rooms with controlled access to prevent unauthorized entry. Electronic PHI should be stored on secure servers with appropriate security protocols, including encryption where applicable. Staff must ensure that all devices used to access PHI, such as computers and mobile devices, have up-to-date security measures, including antivirus software and firewalls.

5.5 Data Disposal

Proper disposal of PHI is critical to prevent unauthorized access after the information is no longer needed. Paper records containing PHI must be shredded or incinerated before disposal. For electronic data, staff must use approved methods to permanently delete PHI from devices before they are disposed of or repurposed. Simply deleting files is insufficient; data must be rendered irretrievable using an approved sanitization method (for example, cryptographic erasure, overwriting, or physical destruction consistent with NIST SP 800-88 media sanitization guidance), and a record of the disposal must be retained.

5.6 Reporting and Incident Response

In the event of a suspected or actual breach of PHI, staff are required to report the incident immediately to the Compliance Officer or designated authority. Prompt reporting enables the organization to take swift action to mitigate any potential harm. Staff must fully cooperate with any investigations related to potential breaches or violations, providing accurate and complete information as requested.

5.7 Training and Compliance

All staff members are required to complete mandatory training on PHI protection and HIPAA compliance on an annual basis. This training is designed to keep staff informed about best practices, legal requirements, and any updates to policies and procedures. Staff are also expected to stay informed about changes to laws and regulations that may affect how PHI is handled within the organization.

5.8 Sanctions for Non-Compliance

Failure to comply with this policy can have serious consequences. Staff who violate the policy may face disciplinary actions, which can include verbal or written warnings, suspension, or termination of employment, depending on the severity of the violation. Additionally, unauthorized disclosure of PHI can result in legal penalties, including fines and criminal charges. It is essential for staff to understand the gravity of these responsibilities and the potential repercussions of non-compliance.

  6. Procedures

6.1 Incident Response Plan

In the event of a PHI breach, staff must follow the organization’s incident response plan. This involves immediate reporting, containment of the breach if possible, and documentation of all relevant details. The incident response plan outlines specific steps to be taken to address the breach, including notifications to affected individuals and regulatory bodies as required by law.

6.2 Audit and Monitoring

The organization conducts regular audits to ensure compliance with PHI protection policies. Staff may be required to participate in these audits by providing access to records or systems and by answering questions about their practices. Audits help identify potential weaknesses in security measures and provide opportunities for improvement.

6.3 Use of Personal Devices

Staff wishing to use personal devices to access PHI must obtain prior authorization from the organization. Authorized personal devices must meet the organization’s security standards, which may include installing specific security software, enabling device encryption, and agreeing to remote wipe capabilities in case the device is lost or stolen.

  7. Compliance and Enforcement

To maintain the highest standards of PHI protection, the organization will conduct regular compliance checks and assessments. Staff are expected to fully cooperate with these efforts. Any violations of this policy will be addressed promptly according to the organization’s disciplinary procedures. Enforcement actions are taken not only to correct individual behavior but also to uphold the integrity of the organization’s commitment to PHI protection.

  8. Review and Revision

This policy will undergo a thorough review on an annual basis to ensure it remains current with changes in laws, regulations, and organizational practices. Staff are encouraged to provide feedback on the policy and suggest improvements. Updates to the policy will be communicated to all staff, who are responsible for familiarizing themselves with any changes.

Policy on Penalties for Negligent Use or Abuse of Protected Health Information (PHI) within the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program

  1. Purpose

The purpose of this policy is to establish comprehensive guidelines and procedures to address and penalize the negligent use or abuse of Protected Health Information (PHI) within the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program. This policy aims to ensure strict compliance with all applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA). By clearly outlining expectations and consequences, we seek to protect the confidentiality, integrity, and security of PHI, thereby maintaining the trust of the individuals we serve.

  2. Scope

This policy applies to all individuals who have access to PHI within the CalAIM ECM & CS Program. This includes, but is not limited to, employees, contractors, volunteers, interns, and business associates. It encompasses anyone who interacts with PHI in any capacity, whether through direct patient care, administrative functions, or supportive services.

  3. Definitions

Protected Health Information (PHI): Refers to any information, including demographic data, that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or the payment for health care services, which can be used to identify the individual. PHI can exist in various forms, such as electronic records, paper documents, or verbal communications.

Negligent Use or Abuse: Describes any action or inaction that demonstrates a failure to exercise the appropriate level of care in handling PHI, resulting in unauthorized access, disclosure, alteration, or destruction of such information. This includes both intentional and unintentional acts that compromise the confidentiality and security of PHI.

CalAIM ECM & CS Program: Stands for California Advancing and Innovating Medi-Cal Enhanced Care Management & Community Support Program. It is a state initiative aimed at providing comprehensive care management services to Medi-Cal beneficiaries with complex needs, focusing on whole-person care and improved health outcomes.

  4. Policy Statement

All personnel affiliated with the CalAIM ECM & CS Program are expected to handle PHI with the utmost confidentiality and professionalism. The negligent use or abuse of PHI is strictly prohibited. Any violations of this policy will result in disciplinary actions that may include retraining, suspension, termination of employment or contractual relationships, and potential legal consequences. The organization is committed to enforcing this policy consistently and fairly to protect the rights and privacy of individuals and to comply with legal and ethical obligations.

  5. Procedures

5.1. Access and Use of PHI

Personnel are authorized to access PHI strictly on a need-to-know basis as required to perform their specific job duties. When handling PHI, individuals must use secure methods for transmission and storage, such as encrypted emails, secure file transfers, and locked filing cabinets for physical documents. Before disclosing PHI, staff must verify the identity and authority of the requesting party to ensure they have legitimate access rights. All electronic devices and systems used to access PHI should be password-protected and comply with the organization’s cybersecurity protocols.

5.2. Reporting Violations

If an individual suspects or becomes aware of any misuse, unauthorized access, or security breach involving PHI, they are obligated to report it immediately to the Compliance Officer or designated authority. The report should include all relevant details to facilitate a thorough investigation. Employees are expected to cooperate fully with any internal or external investigations, providing truthful and complete information to aid in resolving the issue promptly.

5.3. Training

All personnel must complete mandatory training on PHI handling, privacy policies, and security protocols upon hire and annually thereafter. The training will cover topics such as recognizing PHI, understanding privacy laws, proper methods for handling and disposing of PHI, and procedures for reporting violations. Employees are also responsible for staying informed about any updates or changes to relevant laws, regulations, or organizational policies that may affect their duties.

  6. Penalties and Disciplinary Actions

Penalties for negligent use or abuse of PHI will be determined based on the severity, intent, and circumstances surrounding the violation. The organization reserves the right to consider the individual’s history of compliance when deciding on appropriate disciplinary actions.

6.1. Minor Violations

Minor violations are unintentional actions that may not result in significant harm but indicate a lapse in following proper procedures. Examples include inadvertently viewing PHI not related to one’s job duties or forgetting to log off a workstation, potentially exposing information to unauthorized individuals.

  • First Offense: The individual will receive a verbal warning and be required to undergo immediate retraining on PHI policies and procedures.
  • Second Offense: A written warning will be issued, and the employee will be mandated to participate in additional training sessions focusing on privacy and security practices.
  • Subsequent Offenses: Further violations may result in suspension without pay or termination of employment, depending on the circumstances and the individual’s overall performance record.

6.2. Moderate Violations

Moderate violations involve actions that could expose PHI to unauthorized parties or that demonstrate a disregard for established protocols. Examples include sharing PHI with unauthorized personnel or leaving physical or electronic PHI unsecured.

  • First Offense: The individual will receive a written warning and be required to attend mandatory retraining sessions. Depending on the severity, a suspension may be considered.
  • Second Offense: The employee may face suspension without pay, and a reevaluation of their role and access privileges will be conducted to determine if adjustments are necessary to prevent future incidents.
  • Subsequent Offenses: Termination of employment or contractual agreements may occur, along with the possibility of reporting the individual to professional licensing boards or regulatory agencies for further action.

6.3. Severe Violations

Severe violations are intentional acts or repeated negligence that result in significant harm or pose substantial risks to individuals’ privacy rights. Examples include the deliberate disclosure of PHI for personal gain, malicious intent, or failure to correct negligent behavior after receiving prior warnings.

  • Immediate Actions: The individual will face immediate termination of employment or contractual relationships. Access to all organizational systems and facilities will be revoked promptly.
  • Legal Consequences: The organization will report the incident to appropriate regulatory bodies, such as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and may pursue civil or criminal charges against the individual. The organization may also cooperate with law enforcement agencies in any investigations or legal proceedings.

  7. Responsibilities

7.1. Employees and Contractors

All employees and contractors are responsible for adhering strictly to PHI policies and procedures. This includes actively safeguarding PHI, using it appropriately, and preventing unauthorized access or disclosure. Individuals must report any suspected or actual violations promptly and participate fully in all required training and educational activities to remain compliant with current laws and organizational standards.

7.2. Management

Managers and supervisors are responsible for enforcing this policy consistently and impartially. They should ensure that their teams understand the importance of PHI security and provide necessary resources and support for compliance. Management must monitor their staff’s adherence to policies, address any issues proactively, and take appropriate disciplinary actions when violations occur.

7.3. Compliance Officer

The Compliance Officer oversees the implementation and enforcement of this policy. This role includes conducting regular audits, investigating reported violations, maintaining records of incidents and corrective actions, and updating policies as necessary. The Compliance Officer serves as a resource for staff to address questions or concerns about PHI handling and compliance matters.

  8. Monitoring and Auditing

To ensure ongoing compliance with PHI handling procedures, the organization will conduct regular monitoring and auditing activities. These may include reviewing access logs, assessing security measures, and evaluating compliance with training requirements. Any discrepancies or areas of non-compliance identified during audits will be addressed immediately. Corrective actions may involve additional training, policy revisions, or disciplinary measures in accordance with this policy.

  9. References

This policy is informed by and complies with the following laws and guidelines:

  • Health Insurance Portability and Accountability Act (HIPAA) of 1996: Federal law that establishes national standards for the protection of individuals’ medical records and other personal health information.
  • California Confidentiality of Medical Information Act (CMIA): State law that provides additional protections for the confidentiality of medical information in California.
  • CalAIM ECM & CS Program Guidelines: State-specific guidelines that outline the requirements and expectations for the Enhanced Care Management & Community Support Program under CalAIM.

  10. Policy Review

This policy will undergo a formal review on an annual basis or as required due to changes in relevant laws, regulations, or organizational practices. The review process will involve evaluating the effectiveness of the policy, incorporating feedback from stakeholders, and making necessary updates to ensure continued compliance and protection of PHI.

Policy for Reporting Breaches of Confidentiality within the CalAIM ECM & CS Program

  1. Purpose

The confidentiality of participant information is a foundational element of the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program. This policy is established to provide clear guidelines and procedures for promptly reporting any suspected or actual breaches of confidentiality. By adhering to this policy, we ensure compliance with legal requirements, protect participant information, and uphold the trust placed in us by the individuals and communities we serve.

  2. Scope

This policy applies to all individuals involved in the CalAIM ECM & CS Program, including employees, contractors, volunteers, and partners who handle confidential participant information. It encompasses all forms of Protected Health Information (PHI) and Personally Identifiable Information (PII), whether stored or transmitted electronically, on paper, or communicated verbally.

  3. Definitions

Breach of Confidentiality: A breach of confidentiality refers to any unauthorized acquisition, access, use, or disclosure of PHI or PII that compromises the security or privacy of such information. This includes incidents where information is accessed by individuals without proper authorization or used for purposes not permitted by organizational policies or applicable laws.

Protected Health Information (PHI): PHI includes any information about an individual’s health status, the provision of healthcare, or payment for healthcare that can be linked to a specific person. This encompasses a wide range of data, such as medical records, health histories, test results, and insurance information.

Personally Identifiable Information (PII): PII refers to any data that can identify, contact, or locate a single person, or that can be used with other sources to identify a single individual. Examples include names, addresses, social security numbers, and birth dates.

  4. Policy Statement

All personnel are obligated to maintain the highest standards of confidentiality concerning participant information. In the event of a suspected or actual breach of confidentiality, it is mandatory to report the incident immediately upon discovery. Timely reporting is essential to initiate prompt mitigation efforts, comply with legal obligations, and minimize potential harm to affected individuals. Delayed reporting may exacerbate the impact of the breach and result in non-compliance with regulatory requirements.

  5. Procedures for Reporting Breaches

Immediate Action Upon Discovery

When a breach is suspected or confirmed, the individual who becomes aware of the incident must take immediate steps to report it. The first point of contact should be their direct supervisor. The report should be made verbally and as soon as possible to ensure swift action. If the supervisor is unavailable, or if the individual believes it is inappropriate to report to them, the designated Privacy Officer or the Compliance Department should be contacted directly.

Providing Detailed Information

In reporting the breach, the individual should provide comprehensive details to facilitate an effective response. This includes:

  • Description of the Incident: A clear and concise account of what occurred, including how and when the breach was discovered.
  • Types of Information Compromised: Identification of the specific types of PHI or PII that were involved in the breach.
  • Affected Individuals: Information about the number and, if known, the identities of the individuals whose information was compromised.
  • Immediate Actions Taken: Any steps already taken to contain or mitigate the breach should be described.

Completion of Incident Report

Following the initial verbal report, the individual must complete an official incident report form provided by the Compliance Department. This document should capture all known details of the breach and be submitted promptly. Accurate documentation is crucial for legal compliance and for guiding the subsequent investigation and response.

Maintaining Confidentiality During Reporting

Throughout the reporting process, it is imperative to maintain strict confidentiality. The details of the breach should not be disclosed to unauthorized individuals. Discussing the incident outside of official reporting and investigation channels can lead to further unauthorized disclosures and may compromise the integrity of the investigation.

  6. Investigation Process

Initiation of Investigation

The Privacy Officer is responsible for initiating an investigation within 24 hours of the breach being reported. The investigation aims to determine the scope, cause, and potential impact of the breach. It will also assess whether the breach resulted from systemic issues or isolated incidents.

Cooperation and Support

All personnel are expected to fully cooperate with the investigation. This includes providing additional information as requested, participating in interviews, and assisting in identifying factors that contributed to the breach. Cooperation is essential for a thorough and effective investigation.

Assessment and Documentation

The investigation will assess the extent of the breach, including the number of individuals affected and the sensitivity of the information compromised. All findings will be thoroughly documented, and the documentation will be maintained securely to protect confidentiality and comply with legal requirements.

  7. Mitigation and Notification

Immediate Containment Measures

Upon confirmation of a breach, immediate steps will be taken to contain the incident and prevent further unauthorized access or disclosure. This may involve securing physical records, disabling compromised user accounts, or other actions appropriate to the nature of the breach.

Legal Compliance and Notifications

The organization will comply with all legal obligations regarding breach notifications. This includes:

  • Notifying Affected Individuals: Individuals whose information was compromised will be notified in a timely manner, as required by law. Notifications will include information about the breach, steps the individual can take to protect themselves, and what the organization is doing to address the situation.
  • Reporting to Regulatory Bodies: The organization will report the breach to relevant regulatory agencies, such as the Department of Health and Human Services (HHS) under HIPAA regulations, if required.
  • Engaging Law Enforcement: If criminal activity is suspected, appropriate law enforcement agencies will be notified.

Corrective Actions

Based on the findings of the investigation, the organization will implement corrective actions to prevent future breaches. This may include revising policies and procedures, enhancing security measures, providing additional training to personnel, or other appropriate measures.

  8. Training and Education

Mandatory Training Programs

All personnel are required to participate in annual training on confidentiality and data security policies. The training will cover:

  • Understanding PHI and PII: Definitions and examples to ensure clarity about what constitutes confidential information.
  • Legal Requirements: An overview of laws and regulations governing confidentiality, such as HIPAA and state-specific laws.
  • Identifying and Reporting Breaches: Guidance on recognizing potential breaches and the procedures for reporting them.
  • Best Practices for Data Security: Strategies for protecting confidential information in daily work activities.

Ongoing Education

In addition to annual training, the organization will provide ongoing education through updates, newsletters, or meetings to keep personnel informed about changes in policies, emerging threats, or new regulatory requirements.

  9. Non-Retaliation Policy

Protection for Good Faith Reporting

The organization is committed to fostering an environment where personnel can report breaches without fear of retaliation. Individuals who report suspected or actual breaches in good faith are protected under this policy. Retaliation against any individual for reporting a breach is strictly prohibited and will not be tolerated.

Consequences of Retaliation

Any act of retaliation will be subject to disciplinary action, up to and including termination of employment or contractual agreements. Personnel are encouraged to report any concerns about retaliation to the Compliance Department or Human Resources.

  10. Disciplinary Actions

Accountability for Non-Compliance

Personnel who fail to comply with this policy may face disciplinary actions. Non-compliance includes failing to report breaches, mishandling confidential information, or obstructing an investigation.

Range of Disciplinary Measures

Disciplinary actions will be proportionate to the severity of the violation and may include:

  • Verbal or Written Warnings: For minor or first-time offenses.
  • Mandatory Retraining: To address gaps in knowledge or understanding.
  • Suspension: Temporary removal from duties pending further investigation.
  • Termination: For serious or repeated violations.
  • Legal Action: In cases involving gross negligence, willful misconduct, or violations of law, legal proceedings may be initiated.

  11. Policy Review and Updates

Regular Review Process

This policy will undergo a formal review at least once annually or more frequently if required by changes in laws, regulations, or organizational practices. The review will assess the effectiveness of the policy and incorporate any necessary updates.

Communication of Changes

Any revisions to the policy will be communicated promptly to all personnel. Updates will be distributed through official communication channels, and additional training or informational sessions may be provided to ensure understanding and compliance.

Pacific Health Group Physical Facility Access Protection Policy for CalAIM ECM & CS Program

  1. Purpose

The purpose of this policy is to establish comprehensive guidelines and procedures for safeguarding physical access to facilities involved in the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management & Community Support (ECM & CS) Program. Protecting physical access is crucial to ensure the safety of employees, clients, and visitors, as well as to secure sensitive information and organizational assets. This policy aims to mitigate risks associated with unauthorized entry, theft, and potential breaches that could compromise the integrity of our operations and compliance with legal and regulatory requirements.

  2. Scope

This policy applies to all individuals who access [Company Name]’s physical facilities where CalAIM ECM & CS Program activities are conducted. This includes employees at all levels, contractors, vendors, temporary workers, interns, volunteers, and visitors. The policy encompasses all physical locations owned, leased, or operated by the company, including offices, clinics, data centers, and any off-site locations where company business is performed.

  3. Definitions

  • Authorized Personnel: Individuals who have been granted permission to access specific areas of the facility based on their job responsibilities and after appropriate approval processes.
  • Sensitive Areas: Locations within the facility that house confidential information, critical systems, or conduct restricted operations. Examples include server rooms, records storage areas, and executive offices.
  • Physical Access Controls: Security measures such as locks, electronic access control systems, biometric scanners, security personnel, and surveillance equipment used to regulate entry to and exit from the facility.

  4. Policy Details

4.1 Physical Security Controls

All entry points to the facility must be secured to prevent unauthorized access. This involves the installation and maintenance of physical barriers like locked doors, security gates, and turnstiles. The facility shall employ advanced access control systems, including keycards, biometric scanners, or personal identification numbers (PINs), to authenticate individuals seeking entry, especially into sensitive areas.

Clear and visible signage must be placed at all restricted areas, indicating that access is limited to authorized personnel only and outlining the requirements for entry. Adequate lighting is to be maintained around the perimeter and at all entrances to enhance visibility and deter unauthorized access. Security personnel may be stationed at key locations to monitor entry, assist with access control procedures, and respond to incidents.

Regular inspections and maintenance checks shall be conducted on all physical security equipment to ensure optimal functionality. Any defects or malfunctions must be reported immediately to the facilities management team and repaired promptly to maintain the integrity of security measures.

4.2 Access Control Procedures

Access rights to the facility and its sensitive areas are granted based on the principle of least privilege. Individuals are provided with the minimum level of access necessary to perform their specific job functions. Before access is granted, a formal request must be submitted and approved by the individual’s supervisor and the security department. This approval process ensures that only those with a legitimate need can access sensitive areas.

Sharing of access credentials, such as keycards or PINs, is strictly prohibited. Each individual is responsible for the security of their access credentials and must report any lost or stolen credentials immediately to the security department. Prompt reporting allows for deactivation of compromised credentials to prevent unauthorized access.

The security department will conduct regular audits of access logs and authorization levels. These audits help identify any unauthorized access attempts, ensure that access rights remain appropriate for current job responsibilities, and detect irregularities that may indicate a security breach.

4.3 Visitor Management

All visitors to the facility are required to adhere to visitor management procedures designed to protect the security of the facility and its occupants. Upon arrival, visitors must sign in at the reception desk, providing valid government-issued identification for verification. They will be issued temporary identification badges, which must be worn visibly at all times while on the premises.

Visitors are required to be escorted by authorized personnel throughout their visit. This ensures that visitors do not inadvertently access restricted or sensitive areas and that their activities within the facility are monitored. Visitors are generally restricted to non-sensitive areas unless they have received explicit authorization from management to access specific sensitive areas for a legitimate purpose.

At the conclusion of their visit, visitors must return their temporary identification badges and sign out at the reception desk. Reception staff shall verify that all visitors have departed and that no temporary badges are unaccounted for.

4.4 Employee Responsibilities

Employees play a critical role in maintaining the physical security of the facility. They are required to complete security awareness training upon hiring and participate in refresher training sessions annually or as needed. This training covers the importance of physical security, procedures for accessing sensitive areas, and protocols for reporting security incidents.

Employees are responsible for securing confidential materials, both physical and electronic. This includes locking filing cabinets, securing documents when not in use, and ensuring that workstations are locked when unattended. Employees must be vigilant and report any suspicious activities, unauthorized individuals, or security breaches immediately to their supervisor or the security department.

In the event of termination or a change in job responsibilities, all access rights must be revoked or adjusted immediately. The human resources department, in coordination with the security department, is responsible for ensuring that departing employees return all company property, including access credentials, and that their access to the facility and information systems is terminated.

4.5 Monitoring and Surveillance

The facility will employ a comprehensive monitoring and surveillance system to enhance security. Surveillance cameras will be installed at all entry points, exits, and sensitive areas. These cameras will operate in compliance with all applicable privacy laws and regulations, ensuring that monitoring is conducted ethically and legally.

Surveillance footage will be securely stored for a period defined by legal requirements or company policy, typically a minimum of 90 days. Access to surveillance footage is restricted to authorized personnel and used solely for security purposes. The security department is responsible for regularly reviewing footage to detect and investigate any suspicious activities or security incidents.

Alarm systems will be installed to detect unauthorized access attempts, breaches, or other security incidents. These systems will be connected to a central monitoring station staffed by security personnel who can respond promptly to any alerts.

4.6 Emergency and Incident Response

The organization is committed to ensuring the safety of all personnel during emergencies. All emergency exits must be clearly marked with illuminated signage and kept free of obstructions at all times to ensure a safe and swift evacuation. Evacuation plans are to be developed for each facility, detailing procedures for various emergency scenarios such as fires, natural disasters, or security threats.

These evacuation plans will be communicated to all employees through training sessions and posted in visible locations throughout the facility. Regular drills will be conducted to familiarize employees with evacuation routes and procedures. Feedback from these drills will be used to improve the effectiveness of emergency response plans.

In the event of a security breach or emergency, the Incident Response Plan must be followed. This plan outlines the roles and responsibilities of employees, communication protocols, and steps to mitigate the incident and restore normal operations. First aid kits and emergency contact information will be readily available throughout the facility to assist in the event of injuries or medical emergencies.

4.7 Compliance and Enforcement

Adherence to this policy is mandatory for all personnel accessing the facility. Non-compliance may result in disciplinary actions, including verbal or written warnings, suspension, termination of employment, or legal action, depending on the severity of the violation. The organization is committed to enforcing this policy fairly and consistently.

The company must ensure that all physical security practices comply with applicable federal, state, and local regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and guidelines issued by the California Department of Health Care Services (DHCS).

Employees are encouraged to report any concerns or suggestions regarding physical security to their supervisor or the security department. Such feedback is valuable for continuous improvement of security measures.

  5. Policy Review

This policy will undergo a comprehensive review at least annually or whenever significant changes occur in the regulatory environment or organizational practices. The review process will involve key stakeholders, including representatives from security, human resources, legal, and operational departments. The objective is to ensure that the policy remains effective, relevant, and compliant with all current laws and regulations.

Any revisions to the policy will be communicated to all personnel through official channels, and additional training will be provided as necessary to ensure understanding and compliance.

  6. References

  • California Department of Health Care Services (DHCS) Regulations: Provides guidelines and requirements for healthcare services in California, which must be adhered to in the operation of the CalAIM ECM & CS Program.
  • Health Insurance Portability and Accountability Act (HIPAA): Federal law that sets standards for the protection of sensitive patient health information.

Electronic Access Protection Policy for the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program

  1. Purpose

The primary objective of this policy is to establish comprehensive guidelines and procedures aimed at safeguarding electronic access to sensitive patient information within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management & Community Support (ECM & CS) Program. By implementing this policy, we ensure adherence to all pertinent federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), thereby promoting the confidentiality, integrity, and availability of electronic health information.

  2. Scope

This policy is applicable to all individuals involved in the CalAIM ECM & CS Program, including employees, contractors, volunteers, and partners who have any form of access to electronic patient information and related systems. It encompasses all electronic protected health information (ePHI) that is created, stored, transmitted, or received electronically within the scope of the program.

  3. Definitions

For the purposes of this policy:

  • Electronic Protected Health Information (ePHI): This refers to any protected health information that is handled electronically, whether it is created, stored, transmitted, or received.
  • User: Any individual who is authorized to access ePHI within the systems associated with the CalAIM ECM & CS Program.
  • Authentication: The process utilized to verify the identity of a user or system, ensuring that access is granted only to authorized individuals.

  4. Policy Statements

4.1 Compliance with Laws and Regulations

All electronic access to patient information must be conducted in strict compliance with federal and state laws, including but not limited to:

  • The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which set national standards for the protection of health information.
  • The California Confidentiality of Medical Information Act (CMIA), which governs the confidentiality and disclosure of medical information within the state.
  • Any other applicable federal and state regulations that pertain to the protection of health information.

4.2 Access Control

Access to ePHI is to be carefully controlled and managed to prevent unauthorized access:

  • Role-Based Access: Access rights to ePHI will be granted based on the specific roles and responsibilities of users within the CalAIM ECM & CS Program. This ensures that individuals have access only to the information necessary for their job functions.
  • Principle of Least Privilege: Users will be provided with the minimum level of access—or permissions—needed to perform their duties effectively. This minimizes the risk of unauthorized access or data breaches.
  • Authorization Process: All access must be formally authorized by the appropriate supervisor or program administrator. This involves a documented approval process to ensure accountability.

4.3 Authentication Measures

To protect against unauthorized access, robust authentication measures will be implemented:

  • Unique User Identifiers: Each user will be assigned a unique user ID to ensure that all activities can be accurately tracked and attributed.
  • Strong Password Policies: Users are required to create strong passwords that meet complexity requirements, such as a minimum length and the inclusion of a combination of letters, numbers, and special characters. Passwords must be changed regularly to maintain security.
  • Multi-Factor Authentication (MFA): MFA will be employed, especially for remote access and systems considered high-risk, adding an extra layer of security beyond just passwords.

4.4 Data Encryption

Encryption is essential to protect ePHI from unauthorized access during transmission and storage:

  • Encryption in Transit: All ePHI transmitted over networks must be encrypted using industry-standard encryption protocols like TLS or SSL. This ensures that data intercepted during transmission cannot be read by unauthorized parties.
  • Encryption at Rest: ePHI stored on servers, databases, laptops, and other devices must also be encrypted to protect data in the event of physical theft or unauthorized access.

4.5 Physical Security

Physical access to hardware and facilities that store ePHI must be secured:

  • Secure Facilities: Areas such as server rooms must have controlled access, using locks, access cards, or biometric systems to prevent unauthorized entry.
  • Device Security: Portable devices like laptops and tablets should be secured with locks or kept in secure locations when not in use. Users must ensure that such devices are not left unattended in unsecured areas.

4.6 Monitoring and Audit Controls

Continuous monitoring and auditing are crucial for detecting and responding to unauthorized access:

  • Activity Logging: Systems must record detailed logs of all access to ePHI, including user IDs, dates, times, and the nature of activities performed. This creates an audit trail for accountability.
  • Regular Audits: Designated personnel will regularly review system and access logs to identify any unauthorized access or unusual activities that may indicate a security threat.
  • Intrusion Detection Systems: Intrusion detection systems (IDS) will be deployed to monitor network traffic for suspicious activity and to generate alerts for potential security breaches.

4.7 Training and Awareness

Educating users is vital for maintaining security standards:

  • Mandatory Training Programs: All users must complete comprehensive privacy and security training before they are granted access to ePHI. This training will cover topics like recognizing phishing attempts, proper handling of sensitive information, and reporting procedures for security incidents.
  • Annual Refresher Courses: Users are required to participate in annual training sessions to stay updated on the latest security policies and practices.
  • Regular Communication: The organization will provide ongoing updates, newsletters, or reminders to keep security practices at the forefront of users’ daily activities.

4.8 Incident Response

Prompt response to security incidents is critical to mitigate risks:

  • Immediate Reporting: Users must report any suspected or actual security incidents, such as lost devices or unauthorized access, immediately to the designated security officer or IT department.
  • Incident Response Plan: An established incident response plan will guide the organization’s actions in addressing and mitigating security breaches. This plan includes steps for containment, eradication, recovery, and post-incident analysis.
  • Notification Requirements: In the event of a breach involving ePHI, the organization will notify affected individuals and appropriate authorities in compliance with legal and regulatory requirements.

4.9 Third-Party Access

Managing third-party access is essential to maintain security:

  • Business Associate Agreements (BAAs): All third-party entities that require access to ePHI must enter into a formal agreement that outlines their responsibilities for protecting this information.
  • Due Diligence Process: Before granting access, the organization will conduct a thorough evaluation of the third party’s security practices to ensure they meet the required standards.
  • Ongoing Monitoring: The organization will monitor third-party compliance with security requirements on an ongoing basis.

4.10 Data Backup and Recovery

Ensuring the availability of ePHI is essential for continuous care:

  • Regular Data Backups: The organization will perform regular backups of ePHI to secure locations to prevent data loss due to system failures, disasters, or other unforeseen events.
  • Secure Storage of Backups: Backup data must be stored securely, with encryption and access controls equivalent to those of the primary systems.
  • Testing Recovery Procedures: Regular testing of backup and recovery procedures will be conducted to ensure that data can be restored effectively and accurately in the event of data loss.

4.11 Disposal of ePHI

Proper disposal of ePHI is necessary to prevent unauthorized access after data is no longer needed:

  • Secure Deletion Methods: Electronic media containing ePHI must be disposed of using methods that ensure data cannot be reconstructed, such as degaussing, shredding, or using specialized software tools for secure deletion.
  • Documentation of Disposal: All disposal processes must be thoroughly documented, including the date, method, and personnel involved, to maintain compliance and accountability.

  5. Responsibilities

5.1 Program Management

Program management holds the responsibility for ensuring the effective implementation and enforcement of this policy. This includes allocating necessary resources for security measures and training programs, as well as supporting a culture of compliance and security awareness throughout the organization.

5.2 Security Officer

The designated security officer is responsible for overseeing compliance with all security policies and procedures. Duties include conducting regular risk assessments and audits to identify potential vulnerabilities, coordinating incident response efforts in the event of a security breach, and staying informed about changes in laws and technology that may affect security practices.

5.3 Users

All users with access to ePHI are required to adhere strictly to the security policies and procedures outlined in this document. Users must also remain vigilant and report any security incidents or potential vulnerabilities immediately to the appropriate authorities within the organization.

  6. Enforcement

Non-compliance with this policy is a serious matter that may result in disciplinary action, which could include termination of employment or contractual agreements. Additionally, individuals may face legal penalties under federal or state laws for violations involving the mishandling of protected health information.

  7. Review and Revision

This policy will undergo a formal review on an annual basis or whenever significant changes occur in relevant regulations or technology. The review process will involve assessing the effectiveness of current security measures and making necessary updates to address new threats or compliance requirements.

  8. References

  • HIPAA Privacy Rule: 45 CFR Part 160 and Subparts A and E of Part 164, which establish national standards for the protection of individually identifiable health information.
  • HIPAA Security Rule: 45 CFR Part 160 and Subparts A and C of Part 164, which set standards for the security of electronic protected health information.
  • California Confidentiality of Medical Information Act (CMIA): State law governing the confidentiality and disclosure of medical information.
  • National Institute of Standards and Technology (NIST) Guidelines: Federal guidelines providing a framework for improving critical infrastructure cybersecurity.

Policy on Media and Device Security Controls for the CalAIM ECM & CS Program

  1. Purpose

The purpose of this policy is to establish comprehensive processes and guidelines to ensure the security of media and device controls within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management & Community Support (ECM & CS) program. The policy aims to protect sensitive patient information, maintain compliance with all relevant laws and regulations, and prevent any unauthorized access, disclosure, alteration, or destruction of data. By implementing these guidelines, we strive to uphold the highest standards of data security and integrity, thereby fostering trust among patients, staff, and stakeholders involved in the program.

  2. Scope

This policy applies to all individuals associated with the CalAIM ECM & CS program, including but not limited to employees, contractors, consultants, temporary staff, and any other personnel who handle or have access to electronic or physical media and devices containing sensitive information. It encompasses all activities related to the use, storage, transport, and disposal of media and devices that may contain Protected Health Information (PHI), Personally Identifiable Information (PII), or other sensitive data pertinent to the program.

  3. Definitions

  • Media: Refers to any physical or electronic storage devices that hold data. This includes hard drives, USB drives, CDs, DVDs, magnetic tapes, and paper documents. Media can be portable or fixed and is used to store, transfer, or archive information.
  • Devices: Encompasses electronic equipment such as desktop computers, laptops, tablets, smartphones, and any other hardware used to access, process, or store program data. Devices may be owned by the organization or permitted for use under a Bring Your Own Device (BYOD) policy.
  • Sensitive Information: Any data that is protected by privacy laws and regulations. This includes, but is not limited to, Protected Health Information (PHI), which pertains to an individual’s health status or healthcare services, and Personally Identifiable Information (PII), which can be used to identify an individual, such as Social Security numbers, addresses, and financial information.

  4. Policy Statements

To ensure the security of sensitive information within the CalAIM ECM & CS program, the following principles are established:

  • Security of Media and Devices: All media and devices containing sensitive information must be secured appropriately to prevent unauthorized access. This involves implementing both physical and technical safeguards.
  • Encryption: All electronic storage media and devices that contain sensitive information must utilize approved encryption methods. Encryption serves as a critical line of defense in protecting data integrity and confidentiality.
  • Access Restriction: Access to media and devices is to be restricted strictly to authorized personnel. Authorization levels are to be assigned based on the principle of least privilege, ensuring individuals have access only to the information necessary for their role.
  • Proper Disposal: Media and devices that are no longer in use must be disposed of following proper procedures to prevent any possibility of data recovery or unauthorized access. This includes secure data erasure and physical destruction methods.
  • Regular Audits: Periodic audits and assessments are to be conducted to ensure ongoing compliance with this policy. These evaluations will help identify potential vulnerabilities and areas for improvement.

  5. Procedures

5.1. Media and Device Inventory

An accurate and up-to-date inventory of all media and devices used within the program must be maintained. This inventory should include details such as device type, serial numbers, assigned users, and the classification of data stored. Proper labeling of media and devices is essential to indicate the sensitivity level of the information they contain, which aids in enforcing appropriate handling procedures.

5.2. Access Control

Robust authentication mechanisms must be in place to restrict access to devices and the sensitive information they hold. This includes implementing strong password policies, biometric scans, or multi-factor authentication methods. Access rights should be assigned based on job responsibilities and reviewed regularly to adjust for any changes in roles or employment status. Unauthorized access attempts should be logged and investigated promptly.

5.3. Encryption

Approved encryption technologies must be employed for all sensitive data stored on electronic media and devices. Encryption keys must be managed securely, with restricted access to prevent unauthorized decryption of data. Procedures should be established for key generation, distribution, storage, rotation, and destruction to maintain the integrity of the encryption process.

5.4. Physical Security

Physical safeguards are crucial in preventing unauthorized access to media and devices. All physical media should be stored in locked cabinets or secure rooms with controlled access measures such as keycards or biometric scanners. Devices should never be left unattended in unsecured areas. Visitors should be escorted in areas where sensitive information is accessible, and a log of visitor access should be maintained.

5.5. Transport of Media and Devices

When transporting media or devices that contain sensitive information, secure methods must be used to protect them from loss or theft. Physical media should be placed in locked containers, and electronic data transmissions should be encrypted end-to-end. A detailed log must be kept for all media and devices removed from secure areas, documenting the date, time, purpose of removal, and the personnel involved in the transport.

5.6. Disposal and Destruction

Before disposal, all data must be irreversibly erased from electronic media and devices using approved data sanitization methods such as degaussing or overwriting. For physical media containing sensitive information, methods like shredding, incineration, or pulverization must be employed to ensure data cannot be reconstructed. Records of all disposal and destruction activities must be meticulously maintained, including details of the items destroyed, methods used, and personnel involved in the process.

5.7. Incident Reporting

Any incidents involving the loss, theft, or unauthorized access of media or devices must be reported immediately to the designated security officer. Prompt reporting is essential to initiate the incident response plan, which includes steps for containment, eradication, recovery, and communication to affected parties if necessary. Employees should be trained to recognize potential security incidents and understand the importance of timely reporting.

5.8. Training and Awareness

Regular training sessions must be conducted to educate all personnel on media and device security practices. Training should cover topics such as recognizing phishing attempts, proper handling of sensitive information, and the procedures outlined in this policy. As technology and security threats evolve, training materials must be updated to reflect the latest best practices. Employee understanding should be assessed periodically through evaluations or assessments.

  6. Roles and Responsibilities

  • Program Manager: The Program Manager is responsible for ensuring overall compliance with this policy. This includes allocating resources necessary for its implementation, fostering a culture of security awareness, and addressing any issues of non-compliance.
  • Security Officer: The Security Officer oversees the security measures related to media and devices. Responsibilities include conducting regular audits, managing incident responses, updating security protocols, and providing guidance on security matters to staff.
  • Employees and Staff: All personnel are required to adhere strictly to the guidelines and procedures outlined in this policy. They are responsible for protecting the media and devices entrusted to them, reporting any security incidents or concerns promptly, and participating in required training programs.

  7. Compliance and Enforcement

Adherence to this policy is mandatory for all personnel associated with the CalAIM ECM & CS program. Non-compliance may result in disciplinary action, which could range from additional training and warnings to termination of employment or contractual agreements. In cases where violations involve breaches of laws or regulations, legal actions may be pursued. Regular compliance audits will be conducted, and any identified deficiencies must be rectified promptly.

  8. Review and Revision

This policy will undergo a thorough review at least annually or whenever significant changes occur in technology, regulatory requirements, or organizational structure. Revisions will be made as necessary to ensure the policy remains effective and relevant. All updates will be communicated to the relevant personnel, and training materials will be adjusted accordingly. Feedback from staff is encouraged to improve the policy’s effectiveness.

Physical Safeguards for Workstations within the CalAIM ECM & CS Program

  1. Purpose

The primary aim of this policy is to establish comprehensive requirements for physical safeguards that protect workstations within the CalAIM Enhanced Care Management & Community Support (ECM & CS) Program. These safeguards are essential to prevent unauthorized access, theft, damage, or loss of sensitive information, including electronic Protected Health Information (ePHI). By implementing these measures, we strive to maintain the confidentiality, integrity, and availability of sensitive data, ensuring compliance with applicable federal and state regulations.

  2. Scope

This policy applies universally to all employees, contractors, volunteers, and any other individuals who have access to workstations within the CalAIM ECM & CS Program facilities. It encompasses all physical locations where workstations are used or stored, including offices, meeting rooms, and remote work environments associated with the program.

  3. Definitions

  • Workstation: Any electronic computing device, such as a desktop computer, laptop, tablet, or similar device, along with the electronic media stored in its immediate environment. This includes any equipment that performs functions like processing, storing, or transmitting data.
  • Physical Safeguards: The physical measures, policies, and procedures implemented to protect electronic information systems and related buildings and equipment from natural and environmental hazards, as well as unauthorized intrusion. These safeguards are designed to prevent physical access to equipment and facilities by unauthorized individuals.

  4. Policy Statements

4.1 Secure Location of Workstations

All workstations must be situated in secure areas with controlled access to prevent unauthorized individuals from viewing or accessing them. This means that workstations should be located away from publicly accessible spaces and should not be easily visible or accessible to passersby. For instance, placing workstations near reception desks, hallways, or meeting rooms is discouraged unless appropriate security measures are in place. If workstations must be in such areas, additional protections like privacy screens, physical barriers, or supervised access should be implemented to safeguard sensitive information displayed on the screens.

4.2 Access Control

Access to areas containing workstations must be restricted exclusively to authorized personnel. This involves implementing physical access controls such as locked doors, access badges, or biometric systems to ensure that only individuals with proper authorization can enter these areas. Visitors or any unauthorized individuals must be accompanied by authorized personnel at all times when in areas where workstations are present. This escort policy helps prevent unauthorized access to sensitive information and ensures that visitors do not inadvertently compromise security protocols.

4.3 Physical Security Measures

To protect workstations against theft or unauthorized removal, physical security measures must be employed. This includes using physical locks, security cables, or enclosures to secure devices when they are unattended. For example, laptops should be locked to desks using security cables, and desktops should be anchored to prevent easy removal. In shared or unsecured areas, these measures are particularly crucial. Additionally, server rooms and areas housing critical infrastructure should have enhanced security measures, such as surveillance cameras and alarm systems, to deter unauthorized access and provide monitoring capabilities.

4.4 Screen Protection

To prevent unauthorized viewing of sensitive information displayed on monitors, privacy screens or filters should be used. These devices limit the viewing angle of the screen, making it difficult for individuals nearby to read the display unless they are directly in front of it. Moreover, all workstations must be configured to automatically lock after a period of inactivity not exceeding five minutes. This automatic locking mechanism ensures that if an employee steps away from their workstation, it cannot be accessed by unauthorized individuals. Employees are also encouraged to manually lock their screens when leaving their workstations unattended, even for short periods.

4.5 Clean Desk Policy

A clean desk policy must be enforced to ensure that all sensitive documents and materials are securely stored when not in use. Employees are required to remove all sensitive documents from their workstations at the end of each workday and store them in locked drawers or cabinets. This includes notes, printouts, portable storage devices, and any other materials containing confidential information. By keeping workstations clear of sensitive materials, we reduce the risk of unauthorized access and maintain a professional work environment. Employees should also ensure that whiteboards and bulletin boards do not display sensitive information.

4.6 Environmental Controls

Workstations must be safeguarded against environmental risks such as water leaks, excessive heat, dust, and electrical surges. This involves positioning devices away from areas prone to spills or leaks, such as under air conditioning units or near windows that may leak during rain. Surge protectors and uninterruptible power supplies (UPS) should be used to protect against electrical surges and power outages. Additionally, employees should avoid consuming food and beverages near workstations to prevent accidental spills that could damage equipment or lead to data loss.

4.7 Equipment Disposal

All electronic devices must undergo proper data sanitization procedures before disposal or redeployment to ensure that sensitive information is not inadvertently released. This includes securely erasing or destroying data storage media according to industry best practices and regulatory requirements. Devices should not be discarded in regular trash bins but should be disposed of following environmentally responsible recycling practices and in compliance with applicable regulations, such as those outlined by the National Institute of Standards and Technology (NIST) guidelines on media sanitization.

4.8 Reporting and Response

In the event of theft, loss, or unauthorized access to workstations, it is imperative that such incidents are reported immediately to the designated department, such as the Security Officer or IT Department. Prompt reporting allows for swift action to mitigate potential risks, including unauthorized access to sensitive data. An incident response plan should be in place to address security breaches involving workstations. This plan should outline specific procedures for responding to incidents, including containment, eradication, recovery, and notification steps. Regular drills and training should be conducted to ensure that all employees are familiar with the incident response procedures.

  5. Responsibilities

5.1 Employees and Authorized Users

Employees and authorized users are responsible for adhering to all physical safeguard policies and procedures outlined in this document. They must remain vigilant in protecting workstations and sensitive information from unauthorized access. This includes following best practices for securing devices, such as locking screens when not in use and securing portable devices when traveling. Additionally, employees are required to report any suspicious activities, security incidents, or potential vulnerabilities promptly to the appropriate authorities to enable timely intervention.

5.2 Management

Management has the responsibility to ensure that their teams are fully informed about this policy and comply with its requirements. They should facilitate training and awareness programs to educate employees about the importance of physical security and the specific measures they need to implement. Managers should also lead by example by strictly adhering to the policy themselves and by fostering a culture of security within their teams. They are responsible for addressing any non-compliance issues and for providing the necessary resources to implement the required safeguards.

5.3 Security Officer/IT Department

The Security Officer and IT Department are tasked with overseeing the implementation of physical safeguards across the organization. They are responsible for developing and maintaining the policies and procedures related to physical security and for ensuring that these policies are up-to-date with the latest regulatory requirements and industry best practices. Regular audits and assessments should be conducted to evaluate compliance with the policy and to identify areas for improvement. In the event of a security incident, the Security Officer and IT Department coordinate the response efforts, including investigation, mitigation, and communication with relevant stakeholders.

  6. Compliance

Compliance with this policy is mandatory for all employees and affiliated personnel. Non-compliance may result in disciplinary action, which can include termination of employment or contractual agreements. Such actions are necessary to uphold the integrity of the organization’s security posture and to comply with legal obligations. Additionally, individuals may face legal penalties under applicable federal and state laws, including those stipulated by the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA). The organization is committed to enforcing this policy to protect sensitive information and to maintain the trust of the individuals we serve.

  7. References

This policy is guided by several key regulations and guidelines:

  • Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Part 164: Establishes national standards for the security of electronic protected health information.
  • California Confidentiality of Medical Information Act (CMIA): Governs the confidentiality and disclosure of medical information in California.
  • CalAIM ECM & CS Program Guidelines: Provides specific directives and best practices for the Enhanced Care Management & Community Support Program.

These references serve as the foundational framework for our physical security measures and ensure that our policies align with legal and regulatory requirements.

  8. Review and Revision

This policy shall undergo a formal review annually or as needed to accommodate changes in regulations, technology advancements, or organizational practices. The review process involves evaluating the effectiveness of current safeguards, assessing compliance levels, and updating the policy to address any identified gaps or emerging threats. All revisions must be approved by the designated authority and communicated to all employees and relevant stakeholders to ensure continued compliance and awareness.

Policy for Internal Protection of Confidential Information in the CalAIM ECM & CS Program

  1. Purpose

The purpose of this policy is to establish comprehensive guidelines for safeguarding oral, written, and electronic confidential information within the organization, specifically relating to the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management & Community Support (ECM & CS) Program. By implementing this policy, the organization aims to ensure compliance with all relevant federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), and to maintain the highest standards of integrity and confidentiality for all sensitive information.

  2. Scope

This policy is applicable to all individuals associated with the organization, including employees, contractors, volunteers, interns, and any other persons who have access to confidential information related to the CalAIM ECM & CS Program. It encompasses all forms of confidential information—oral, written, and electronic—and outlines the responsibilities of all parties in protecting this information from unauthorized access, use, disclosure, alteration, or destruction.

  3. Definitions

Confidential information refers to any data or information that is private, sensitive, or proprietary. This includes, but is not limited to, Protected Health Information (PHI), Personally Identifiable Information (PII), financial records, and any proprietary organizational information. PHI is any information about an individual’s health status, the provision of health care, or payment for health care that can be linked to a specific person. Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received electronically. Workforce members are defined as employees, volunteers, trainees, and any other persons whose conduct, in the performance of work for the organization, is under its direct control, regardless of whether they are compensated by the organization.

  4. Policy Statements

The organization is committed to protecting all forms of confidential information against unauthorized access, use, disclosure, alteration, or destruction. All workforce members are required to handle confidential information responsibly and in compliance with applicable laws and organizational policies. Access to confidential information is strictly limited to individuals who need it to perform their job duties. Any breach or suspected breach of confidential information must be reported immediately in accordance with the organization’s incident reporting procedures.

  5. Procedures

5.1. Access Control

Access to confidential information is granted based on the principle of least privilege, meaning that individuals are given the minimum level of access necessary to perform their job functions. Workforce members must use unique user IDs and strong passwords when accessing electronic systems that contain confidential information. Passwords should be kept confidential and should not be shared with others. Physical access to areas where confidential information is stored, such as filing cabinets or server rooms, must be controlled through locks, access cards, or other security measures. Visitors should be escorted in areas where confidential information is accessible.

5.2. Handling of Confidential Information

When handling oral information, workforce members should ensure that conversations involving confidential information are conducted in private settings to prevent unauthorized individuals from overhearing. This includes being mindful of surroundings in open offices, elevators, cafeterias, or public places.

For written information, physical documents containing confidential information should be stored in secure locations when not in use. This may involve keeping documents in locked drawers or cabinets. When transporting documents, they should be kept in secure folders or envelopes and not left unattended.

Electronic information must be stored on secure servers with appropriate encryption and access controls. Workforce members should log off or lock their computers when they are not in use to prevent unauthorized access. Electronic devices such as laptops, tablets, and smartphones that contain confidential information should have security features like passwords or biometric locks enabled.

5.3. Transmission of Confidential Information

Confidential information should be transmitted using secure methods. When sending electronic communications, workforce members should use encrypted email services or secure file transfer protocols. Confidential information should not be sent through unsecured channels like standard email or instant messaging unless appropriate security measures are in place.

When faxing confidential information, workforce members should confirm the recipient’s fax number before sending and use a cover sheet that includes a confidentiality statement. They should also verify that the recipient is available to receive the fax to prevent unauthorized access.

5.4. Disposal of Confidential Information

Disposal of confidential documents must be carried out securely. Physical documents should be shredded using cross-cut shredders or placed in secure disposal bins designated for confidential materials. Electronic media containing confidential information, such as hard drives, USB drives, or CDs, must be sanitized using approved data destruction methods or physically destroyed to prevent data recovery.

5.5. Use of Personal Devices

If workforce members are authorized to use personal devices to access confidential information, these devices must comply with the organization’s security policies. This includes installing security software, enabling device encryption, and adhering to password policies. Confidential information should not be stored on personal devices unless explicitly authorized and secured. If a personal device is lost or stolen, the incident must be reported immediately.

5.6. Training and Awareness

All workforce members are required to participate in training on the protection of confidential information upon hiring and on an annual basis thereafter. Training programs will cover topics such as recognizing confidential information, proper handling procedures, legal obligations, and reporting protocols for breaches or suspected breaches. Additional training may be provided when there are changes in laws, regulations, or organizational policies to ensure ongoing compliance.

  6. Responsibilities

All workforce members are responsible for understanding and complying with this policy. They must handle confidential information appropriately and report any suspected or actual breaches promptly. Supervisors and managers have the additional responsibility of ensuring that their teams understand the policy and adhere to its guidelines. They should facilitate access to training and be available to address any questions or concerns regarding the handling of confidential information.

The Information Security Officer is responsible for overseeing the implementation of security measures designed to protect confidential information. This includes monitoring compliance with the policy, conducting regular security assessments, and addressing any incidents involving confidential information.

  7. Monitoring and Compliance

The organization will conduct regular audits and assessments to monitor compliance with this policy. This may involve reviewing access logs, conducting physical inspections, and evaluating security controls. Non-compliance with the policy may result in disciplinary action, up to and including termination of employment. The organization reserves the right to take legal action if necessary.

  8. Breach Notification

In the event of a breach of confidential information, the organization will follow all applicable laws and regulations regarding notification to affected individuals and authorities. This includes conducting a thorough investigation to determine the scope of the breach, mitigating any harm, and implementing measures to prevent future incidents. Affected individuals will be notified promptly, and the organization will cooperate with regulatory bodies as required.

  9. Review and Revision

This policy will be reviewed on an annual basis and updated as necessary to reflect changes in laws, regulations, or organizational practices. Feedback from workforce members and lessons learned from incidents will be considered during the review process to enhance the effectiveness of the policy.

  10. References

This policy is informed by and complies with the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and other relevant federal and state laws. It also aligns with the organization’s internal policies on information security and privacy.

Access Control Policy for Confidential Information within the CalAIM ECM & CS Program

Introduction

The CalAIM Enhanced Care Management & Community Support (ECM & CS) Program is dedicated to providing high-quality care management services while upholding the utmost standards of confidentiality and data protection. In an environment where sensitive information is routinely handled, it is imperative to have robust policies that govern access to confidential data. This Access Control Policy establishes a comprehensive framework for granting, modifying, and revoking access to confidential information based on role-based employment within the program. The policy is designed to ensure that all personnel have appropriate access aligned with their job responsibilities and that the confidentiality of sensitive information is maintained in compliance with all applicable laws and regulations.

Scope

This policy is applicable to all individuals who have access to confidential information within the CalAIM ECM & CS Program, including but not limited to employees, contractors, volunteers, interns, and consultants. It covers all forms of confidential data, whether stored electronically, on paper, or conveyed verbally. The policy encompasses all organizational systems, networks, databases, and physical locations where confidential information is stored or accessed.

Policy Statement

Access to confidential information is a privilege that comes with significant responsibility. The CalAIM ECM & CS Program adopts the principles of least privilege and role-based access control (RBAC) to govern access to sensitive data. Under this policy, access rights are carefully assigned to ensure that individuals have only the minimum level of access necessary to perform their specific job functions. Access rights must be immediately adjusted in response to any changes in an individual’s role or employment status, including promotions, lateral moves, demotions, or terminations. This approach minimizes the risk of unauthorized access and helps protect the integrity and confidentiality of sensitive information.

Roles and Responsibilities

Program Director

The Program Director holds the ultimate responsibility for the implementation and enforcement of this Access Control Policy. This includes approving role definitions, determining appropriate access levels for various positions, and ensuring that the policy aligns with organizational objectives and regulatory requirements. The Program Director also collaborates with other departments to address any issues related to access control and data protection.

Human Resources Department

The Human Resources (HR) Department plays a crucial role in the administration of access rights. HR is responsible for notifying the Information Technology (IT) Department and the Compliance Officer of all personnel changes, including new hires, role changes, and terminations. This notification must occur promptly to ensure timely adjustments to access rights. HR is also tasked with ensuring that job descriptions accurately reflect the access requirements and responsibilities associated with each role, thereby facilitating appropriate access control measures.

Information Technology Department

The IT Department is responsible for managing the technical aspects of access control. This includes configuring and maintaining systems that enforce access rights, processing authorized requests to grant, modify, or revoke access, and ensuring that access controls are functioning correctly. The IT Department maintains detailed audit logs of access to confidential information, which are essential for monitoring compliance and investigating potential security incidents. Additionally, IT collaborates with HR and supervisors to ensure that access rights are aligned with current job responsibilities.

Compliance Officer

The Compliance Officer oversees adherence to this policy and ensures that the organization complies with all relevant laws and regulations, such as HIPAA. This role involves conducting periodic audits and access reviews to verify that access rights are appropriately assigned and that no unauthorized access has occurred. The Compliance Officer is also responsible for developing and delivering training programs on confidentiality, data protection, and regulatory compliance to educate staff about their responsibilities under this policy.

Supervisors and Managers

Supervisors and managers are directly responsible for initiating access requests for their team members. They must ensure that these requests accurately reflect the access needed for each team member’s role. Supervisors are also responsible for monitoring their team’s compliance with access policies, addressing any issues of non-compliance, and reporting any changes in employment status or role to HR and IT promptly. They play a key role in reinforcing the importance of data protection and confidentiality within their teams.

Employees and Authorized Users

Every employee and authorized user granted access to confidential information must use that access responsibly. Users are expected to access only the information for which they have explicit authorization and to maintain the confidentiality of any information they handle. They must not share their access credentials with others and should report any suspected unauthorized access or security breaches immediately to their supervisor, the IT Department, or the Compliance Officer. Employees are also expected to participate in required training sessions to stay informed about policies and best practices related to data protection.

Procedures

Access Authorization for New Hires

When a new employee joins the organization, the HR Department initiates the access authorization process. HR must submit a formal access request to the IT Department, detailing the new hire’s role and the specific access rights required. This request should be based on predefined access profiles that correspond to the employee’s position. Before any access is granted, the new employee must complete mandatory training on confidentiality, data protection policies, and relevant regulations such as HIPAA. The IT Department then configures the necessary access rights, ensuring that the employee has the tools needed to perform their job effectively while maintaining compliance with the principle of least privilege.

Access Modification for Role Changes

In situations where an employee’s role changes—whether due to a promotion, transfer, or restructuring—the supervisor must promptly notify both HR and the IT Department. An access modification request must be submitted, outlining the changes in responsibilities and the corresponding adjustments needed in access rights. The IT Department reviews the request and modifies the employee’s access accordingly. If the new role involves handling different types of confidential information or requires additional security clearance, the employee must complete any necessary additional training before the new access rights are granted.

Access Removal upon Termination

Upon an employee’s termination, whether voluntary or involuntary, the HR Department is responsible for initiating the access removal process. HR must notify the IT Department immediately upon receiving notice of the termination. The IT Department is required to revoke all of the employee’s access privileges by the end of their last working day. This includes disabling network accounts, revoking access to applications and databases, and retrieving any organization-owned devices. HR must also collect all physical access devices from the departing employee, such as identification badges, keys, and access cards, to prevent unauthorized physical access to the organization’s facilities.

Periodic Access Review

To ensure ongoing compliance with access control policies, the Compliance Officer and the IT Department conduct semi-annual reviews of all access rights. During these reviews, they verify that each individual’s access remains appropriate for their current role and responsibilities. The review process involves checking access logs, confirming role assignments, and ensuring that no unauthorized access has been granted. Any discrepancies identified are documented and reported to the Program Director for immediate corrective action. This proactive approach helps to prevent security breaches and maintain the integrity of confidential information.

Audit Logs and Monitoring

The IT Department maintains comprehensive audit logs that record all access to confidential information. These logs capture details such as the user’s identity, the data accessed, the time of access, and the actions performed. The audit logs are reviewed quarterly to detect any patterns of unauthorized access or suspicious activities. If any irregularities are found, the IT Department collaborates with the Compliance Officer to investigate the matter thoroughly. Appropriate measures are then taken to address any security issues, which may include disciplinary action against individuals who have violated the policy.

Emergency Access Protocol

In exceptional circumstances where immediate access to confidential information is necessary to address an emergency, temporary access may be granted. Such access requires explicit approval from the Program Director or an authorized delegate. The request for emergency access must be documented, including the justification for the access and the specific information needed. The IT Department will grant the temporary access and monitor all activities performed under this provision. Emergency access is revoked as soon as it is no longer required, and a post-event review is conducted to assess the appropriateness of the access and to update policies or procedures if necessary.

Compliance and Enforcement

Compliance with this Access Control Policy is mandatory for all individuals within the scope of the policy. Non-compliance may result in disciplinary actions, which can include reprimands, suspension, termination of employment or contract, and possible legal action if laws have been violated. The organization takes violations seriously due to the potential risks they pose to clients, partners, and the organization’s reputation. All employees are expected to report any suspected violations of this policy to their supervisor, the Compliance Officer, or through established reporting channels without fear of retaliation.

Definitions

Confidential Information

Confidential information refers to any data that is protected under legal or regulatory frameworks, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA). This includes personal health information (PHI), personally identifiable information (PII), financial records, proprietary business information, and any other data that the organization has a duty to protect from unauthorized disclosure.

Role-Based Access Control (RBAC)

Role-Based Access Control is a security approach where access permissions are assigned to specific roles within an organization, rather than to individual users. Users are then assigned roles based on their job functions, which determines the level of access they have to systems and information. This method simplifies access management and enhances security by ensuring that users have access only to the information necessary for their roles.

Least Privilege Principle

The principle of least privilege is a security concept that dictates users should be granted the minimal level of access—or permissions—necessary to perform their job functions. By limiting access rights, the organization reduces the risk of unauthorized access to sensitive information and minimizes the potential impact of security breaches.
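The two definitions above (role-based access control and least privilege), together with the role-change, termination and audit-log procedures described earlier in this policy, are illustrated by the following Python model. It is an added example, not code from the policy or from Pacific Health Group; the role names, permission strings, user names and timestamp are constructed for the demonstration and do not describe any real system.

```python
"""Added example (not part of the policy): a minimal role-based access
control (RBAC) model with least privilege, role change, termination and
an audit log.  Role names, permissions, users and the timestamp below are
constructed for the demonstration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# RBAC: permissions attach to roles, never to individual users.
# Each role carries only what that job function needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "care_manager": {"read:member_phi", "write:care_plan"},
    "billing_clerk": {"read:member_billing"},
    "compliance_officer": {"read:audit_log"},
}


@dataclass
class AuditEvent:
    """One access decision: who, what, when, and whether it was allowed."""
    timestamp: str
    user: str
    action: str
    resource: str
    decision: str  # "allow" or "deny"


@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def change_role(self, user: str, old_role: str, new_role: str) -> None:
        """Role change: the old role is removed before the new one is granted,
        so permissions from the former position do not accumulate."""
        self.user_roles.get(user, set()).discard(old_role)
        self.assign_role(user, new_role)

    def terminate(self, user: str) -> None:
        """Termination: every role is revoked at once.  The user stays in the
        table with no roles so later attempts are still recorded as denials."""
        self.user_roles[user] = set()

    def permissions_of(self, user: str) -> Set[str]:
        roles = self.user_roles.get(user, set())
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

    def check(self, user: str, action: str, resource: str,
              now: Optional[datetime] = None) -> bool:
        """Decide one request and append it to the audit log."""
        allowed = f"{action}:{resource}" in self.permissions_of(user)
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(ts, user, action, resource,
                                         "allow" if allowed else "deny"))
        return allowed

    def denied_attempts(self) -> Dict[str, int]:
        """Periodic log review: count denials per user as a first signal of
        attempts outside the assigned role."""
        counts: Dict[str, int] = {}
        for event in self.audit_log:
            if event.decision == "deny":
                counts[event.user] = counts.get(event.user, 0) + 1
        return counts


def demo() -> Dict[str, object]:
    """Walk through hire, role change and termination with constructed users."""
    ac = AccessControl()
    t = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ac.assign_role("alice", "care_manager")
    ac.assign_role("bob", "billing_clerk")
    results: Dict[str, object] = {
        # care manager reads PHI for a care plan: within role
        "alice_phi": ac.check("alice", "read", "member_phi", t),
        # billing clerk has no PHI permission: denied and logged
        "bob_phi_before": ac.check("bob", "read", "member_phi", t),
    }
    # bob moves into care management: billing access goes, PHI access comes
    ac.change_role("bob", "billing_clerk", "care_manager")
    results["bob_phi_after"] = ac.check("bob", "read", "member_phi", t)
    results["bob_billing_after"] = ac.check("bob", "read", "member_billing", t)
    # alice leaves: all roles revoked, later attempts are denied and logged
    ac.terminate("alice")
    results["alice_after_termination"] = ac.check("alice", "read", "member_phi", t)
    results["denials"] = ac.denied_attempts()
    return results


if __name__ == "__main__":
    print(demo())
```

Because permissions live on roles rather than users, revoking a person's access at termination is a single operation, and a role change cannot leave behind permissions from the previous position; every decision, allowed or denied, lands in the audit log for the periodic review.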

Related Policies

This Access Control Policy is part of a comprehensive set of policies designed to protect confidential information and ensure regulatory compliance. Other relevant policies include:

  • Data Privacy Policy: Outlines the organization’s commitment to protecting personal data and specifies the procedures for handling such information.
  • Information Security Policy: Defines the measures taken to protect the organization’s information assets from threats such as unauthorized access, cyber-attacks, and data breaches.
  • HIPAA Compliance Policy: Details the specific requirements and procedures for handling protected health information in compliance with HIPAA regulations.
  • Employee Confidentiality Agreement: A binding agreement that all employees must sign, acknowledging their responsibilities to protect confidential information.

Employees are expected to be familiar with these policies and to integrate their guidelines into their daily work practices.

References

Health Insurance Portability and Accountability Act (HIPAA)

A federal law enacted to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Organizations handling PHI are required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).

CalAIM ECM & CS Program Guidelines

State-specific guidelines that outline the implementation requirements for the Enhanced Care Management & Community Support program. These guidelines provide directives on program operations, participant eligibility, data reporting, and other critical aspects that affect how confidential information is managed.

Organization’s Employee Handbook

A comprehensive resource that contains additional policies related to employee conduct, workplace expectations, confidentiality obligations, and the procedures for addressing violations. The handbook complements this policy by providing broader context and guidance on organizational standards.

Approval and Review

This Access Control Policy is effective as of [Insert Effective Date]. The policy will be reviewed annually or as necessitated by changes in regulatory requirements, organizational structure, or operational needs. Revisions to the policy must be approved by the Program Director to ensure consistency with organizational objectives and compliance mandates.

Acknowledgment

All individuals granted access to confidential information are required to sign an acknowledgment form confirming that they have read, understood, and agree to comply with this Access Control Policy. The signed acknowledgment will be maintained in the individual’s personnel file or contractor records. By signing, individuals affirm their commitment to uphold the organization’s standards for data protection and confidentiality.

Conclusion

Adherence to this Access Control Policy is essential for maintaining the confidentiality, integrity, and availability of sensitive information within the CalAIM ECM & CS Program. By following the procedures and guidelines outlined, the organization ensures compliance with legal and regulatory requirements, protects the privacy of individuals, and upholds the trust placed in us by clients, partners, and the community. It is the collective responsibility of all personnel to contribute to a secure and ethical work environment where confidential information is handled with the highest level of care and professionalism.

Policy for the Disposal of Confidential Information within the CalAIM ECM & CS Program

  1. Purpose

The purpose of this policy is to establish comprehensive procedures for the secure disposal of confidential information within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management & Community Support (ECM & CS) Program. By implementing these procedures, we aim to ensure full compliance with all applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and California privacy regulations. Secure disposal is critical to prevent unauthorized access, disclosure, or misuse of sensitive information, thereby protecting the privacy of individuals and maintaining the integrity of the ECM & CS Program.

  2. Scope

This policy applies to all individuals associated with the CalAIM ECM & CS Program. This includes employees, contractors, volunteers, and any third-party associates who handle confidential information in any capacity. Every person within this scope is responsible for understanding and adhering to the procedures outlined in this policy to ensure the secure disposal of confidential information.

  3. Definitions

Confidential Information refers to any data protected under federal or state law. This includes, but is not limited to, Protected Health Information (PHI), Personally Identifiable Information (PII), and sensitive organizational data. Disposal is defined as the act of discarding or destroying information or media containing confidential information in a manner that prevents unauthorized access or reconstruction of the information.

  4. Policy Statement

All confidential information must be disposed of securely to prevent any possibility of unauthorized access, disclosure, or misuse. The disposal methods employed must render the information irretrievable and unreadable. This policy mandates strict adherence to secure disposal practices for both physical and electronic records, ensuring that all personnel understand and implement the necessary procedures.

  5. Procedures

5.1 Physical Records

All physical documents containing confidential information must be handled with the utmost care during the disposal process. Prior to disposal, such documents should be stored in secure locations. Specifically, they should be placed in locked containers designated for confidential materials awaiting shredding. These containers must be clearly labeled as “Confidential—For Shredding” to prevent accidental access or mishandling.

When disposing of these documents, cross-cut shredders must be used for onsite destruction. Cross-cut shredding ensures that documents are shredded into small pieces that cannot be reassembled, thus safeguarding the information contained within. If a third-party shredding service is employed, it is essential to verify that the service provider is certified and adheres to strict confidentiality standards. The service provider must provide a certificate of destruction for each batch of documents destroyed, serving as a verifiable record of compliance.

Supervisors are responsible for overseeing the shredding process. They must verify that shredding is completed regularly and documented accordingly. This oversight ensures that the disposal process is consistent and that no confidential information remains vulnerable due to delays or procedural lapses.

5.2 Electronic Records

Electronic records require special attention due to the potential for data recovery even after deletion. When disposing of electronic records, secure data deletion software must be utilized. The software should comply with Department of Defense standards (DoD 5220.22-M) for data sanitization, which involves overwriting the data multiple times to prevent any possibility of recovery.

For electronic media that cannot be securely wiped—such as damaged hard drives or non-functional devices—physical destruction methods must be employed. Physical destruction may include degaussing (demagnetizing the storage media), shredding, or incineration. These methods ensure that the data cannot be reconstructed by any means.

Coordination with the IT Department is crucial for the disposal of servers, computers, mobile devices, and other electronic equipment. The IT Department is responsible for ensuring that all data is securely erased before the equipment is disposed of, reassigned, or recycled. They must follow industry best practices and maintain records of the disposal process.

5.3 Portable Storage Devices

Portable storage devices such as USB drives, CDs, and DVDs pose a unique risk due to their size and portability. An inventory of all portable storage devices containing confidential information must be maintained diligently. This inventory should include details such as the device type, the information it contains, and its current custodian.

When portable storage devices are no longer needed, they must be disposed of securely. Physical destruction is the preferred method, ensuring that data cannot be retrieved. Methods may include shredding the devices or incinerating them, depending on the materials involved.

5.4 Fax Machines, Printers, and Copiers

Many modern fax machines, printers, and copiers have internal memory that stores copies of documents processed by the device. Before disposing of or reassigning such equipment, all stored data must be cleared from the internal memory. Failure to do so could result in unauthorized access to confidential information.

If the equipment is leased and will be returned to the vendor, it is essential to ensure that the vendor is contractually obligated to securely erase all data from the equipment’s memory. This agreement should be documented in writing, providing legal protection and ensuring compliance.

5.5 Third-Party Contractors

When third-party contractors are involved in the disposal of confidential information, due diligence is required to verify their compliance with this policy and all legal requirements. This includes reviewing their procedures, certifications, and track record in handling confidential information.

Written agreements must be established with all third-party contractors, explicitly outlining their confidentiality obligations and the procedures they must follow for secure disposal. These agreements should include provisions for auditing and verifying compliance, ensuring that the contractors maintain the same high standards as the organization.

  6. Responsibilities

All staff members are responsible for adhering to this policy and for reporting any breaches or potential risks immediately to their supervisor or the Compliance Officer. Vigilance is essential in preventing unauthorized access to confidential information.

Supervisors must ensure that their team members comply with the policy. They are responsible for providing the necessary resources and support for secure disposal practices and for reporting any issues or concerns promptly.

The IT Department plays a critical role in managing the secure disposal of electronic equipment. They are tasked with implementing technical solutions for data destruction and providing guidance and support to other departments as needed.

The Compliance Officer oversees the implementation of this policy across the organization. This includes conducting regular audits to assess compliance, addressing any identified issues, and updating the policy as necessary to reflect changes in laws or organizational practices.

  7. Training

To ensure effective implementation, all employees and associates must undergo mandatory training on the secure disposal of confidential information. This training will be provided upon hire and annually thereafter. The training will cover the importance of secure disposal, specific procedures to follow, and the legal implications of non-compliance. Ongoing education reinforces the organization’s commitment to confidentiality and equips personnel with the knowledge to carry out their responsibilities effectively.

  8. Compliance and Enforcement

Compliance with this policy is mandatory. Non-compliance may result in disciplinary action, up to and including termination of employment or contracts. In cases of willful misconduct or gross negligence, legal action may also be pursued. The organization is committed to enforcing this policy to protect the confidentiality of information and maintain trust with clients, partners, and regulatory bodies.

  9. References

This policy is informed by several key pieces of legislation and regulatory guidance, including:

  • Health Insurance Portability and Accountability Act (HIPAA): Establishes national standards for the protection of health information.
  • California Confidentiality of Medical Information Act (CMIA): Governs the privacy of medical information within the state.
  • California Consumer Privacy Act (CCPA): Provides consumers with rights regarding their personal information.
  • Department of Health Care Services (DHCS) Regulations: Oversees Medi-Cal and related programs.

These references provide the legal framework within which this policy operates and underscore the importance of compliance.

  10. Review and Revision

This policy will be reviewed annually to ensure that it remains current with legal requirements and best practices. It will be revised as needed in response to changes in legislation, technology, or organizational procedures. Feedback from personnel and findings from compliance audits will inform any necessary updates, ensuring that the policy evolves to meet emerging challenges.
