Our Mission is to Empower Life
Patient Health
Information Manual
Combining resources and healthcare for a more accessible pathway to well-being.
Policy on Use and Disclosure of Protected Health Information (PHI) within the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program
1. Purpose
The purpose of this policy is to establish comprehensive guidelines for the use and disclosure of Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) Program. This policy ensures that Pacific Health Group complies with the Health Insurance Portability and Accountability Act (HIPAA) and all applicable state laws. It aims to protect the privacy and security of individuals’ health information while allowing necessary access for the provision of high-quality health care services.
2. Scope
This policy applies to all employees, contractors, volunteers, and business associates of Pacific Health Group who are involved in the CalAIM ECM & CS Program and have access to PHI. It encompasses all forms of PHI, whether electronic, paper-based, or verbal, and governs all activities related to the handling of this sensitive information.
3. Definitions
For the purposes of this policy, several key terms are defined to ensure clarity:
- Protected Health Information (PHI): This refers to any individually identifiable health information that is transmitted or maintained in any form or medium. PHI includes data related to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care services.
- Use: The term “use” pertains to the sharing, employment, application, utilization, examination, or analysis of PHI within Pacific Health Group.
- Disclosure: “Disclosure” involves the release, transfer, provision of access to, or divulging of PHI in any manner to entities or individuals outside of Pacific Health Group.
- Minimum Necessary Standard: This principle requires that any use or disclosure of PHI must be limited to the minimum amount necessary to accomplish the intended purpose, except in specific circumstances outlined by law.
4. Policy
4.1 Permitted Uses and Disclosures
PHI may be used or disclosed by Pacific Health Group under the following circumstances:
4.1.1 For Treatment, Payment, and Health Care Operations
- Treatment: PHI is permitted to be used or disclosed for the purpose of providing, coordinating, or managing health care and related services within the CalAIM ECM & CS Program. This includes consultations between health care providers and referrals of patients for treatment.
- Payment: PHI may be utilized or disclosed to obtain payment for health care services. This encompasses activities such as billing, claims management, collection efforts, and utilization reviews.
- Health Care Operations: PHI can be used or disclosed for activities necessary for the operation of Pacific Health Group. These activities include quality assessment and improvement, employee training programs, accreditation, certification, licensing, or credentialing activities.
4.1.2 As Permitted by Plan Documents
PHI may also be used or disclosed as specified in Medi-Cal plan documents and agreements. This includes any necessary actions to carry out program functions under the CalAIM ECM, provided they are consistent with the terms outlined in these documents and comply with applicable laws.
4.1.3 As Required by Law
Pacific Health Group is obligated to disclose PHI when such disclosure is mandated by federal, state, or local laws. This includes, but is not limited to, reporting cases of abuse, neglect, or domestic violence, and complying with court orders, subpoenas, or other legal processes.
4.2 Authorizations
Any use or disclosure of PHI that is not expressly permitted by this policy or required by law requires a valid, written authorization from the individual or their legal representative. The authorization must specify the information to be disclosed, the purpose of the disclosure, and the person or entity to whom the disclosure may be made. It must also include an expiration date or event and inform the individual of their right to revoke the authorization in writing.
4.3 Minimum Necessary Standard
All personnel must adhere to the Minimum Necessary Standard by making reasonable efforts to use or disclose only the minimum amount of PHI needed to accomplish the intended purpose. This standard applies to all situations except when the disclosure is for treatment purposes, made to the individual, authorized by the individual, or required by law.
4.4 Safeguards
Pacific Health Group is committed to implementing administrative, physical, and technical safeguards to protect the privacy and security of PHI. Administrative safeguards include policies and procedures designed to prevent, detect, contain, and correct security violations. Physical safeguards involve controlling physical access to facilities and equipment where PHI is stored. Technical safeguards encompass the technology and related policies that protect electronic PHI and control access to it, such as encryption and secure networks.
4.5 Business Associates
All business associates who have access to PHI must enter into a Business Associate Agreement (BAA) with Pacific Health Group. The BAA mandates that the business associate complies with HIPAA and applicable state laws concerning PHI. It outlines the permitted uses and disclosures of PHI by the business associate, requires the implementation of appropriate safeguards, and stipulates the procedures for reporting any unauthorized use or disclosure of PHI.
4.6 Individual Rights
Individuals have specific rights regarding their PHI, which Pacific Health Group is committed to upholding:
- Right of Access: Individuals have the right to inspect and obtain a copy of their PHI held by Pacific Health Group, with certain exceptions.
- Right to Request Amendments: If an individual believes that their PHI is incorrect or incomplete, they have the right to request an amendment.
- Right to an Accounting of Disclosures: Individuals have the right to receive a list of certain disclosures of their PHI made by Pacific Health Group over a specified period.
Procedures will be established to facilitate the exercise of these rights in compliance with legal requirements.
4.7 Training and Awareness
All workforce members who have access to PHI are required to receive training on this policy, HIPAA regulations, and any updates. Training will be provided upon hiring and periodically thereafter to ensure that all personnel are knowledgeable about privacy and security obligations and can carry out their responsibilities effectively.
4.8 Reporting and Mitigation
Any suspected breaches or violations of this policy must be reported immediately to the Privacy Officer. Pacific Health Group will take prompt action to investigate all reports and, if a breach is confirmed, will take steps to mitigate any harmful effects. This may include notifying affected individuals and regulatory agencies and taking corrective actions to prevent future occurrences.
4.9 Sanctions
Violations of this policy may result in disciplinary action appropriate to the severity of the violation. Disciplinary measures may include retraining, reprimand, suspension, or termination of employment or contracts. Pacific Health Group will enforce sanctions consistently to uphold the integrity of its privacy and security practices.
5. Procedures
5.1 Accessing PHI
Access to PHI is granted based on job responsibilities and the necessity to perform specific duties. Employees and contractors must use unique user IDs and secure passwords to access electronic PHI. Authentication protocols, such as multi-factor authentication, may be employed to enhance security. Access rights will be reviewed periodically to ensure they remain appropriate.
5.2 Disclosing PHI
Before disclosing PHI, personnel must verify the identity and authority of the requestor, especially if the disclosure is to someone outside of Pacific Health Group. This may involve requesting identification or confirming credentials. Disclosures that are not for treatment, payment, or health care operations must be documented, including details such as the date, recipient, and purpose of the disclosure.
5.3 Responding to Legal Requests
All legal requests for PHI, such as subpoenas or court orders, must be forwarded immediately to the Privacy Officer. The Privacy Officer will coordinate with legal counsel to review the request and determine the appropriate response, ensuring that any disclosure complies with legal obligations while protecting the individual’s privacy rights.
5.4 Secure Communication
When transmitting PHI electronically, personnel must use secure methods such as encrypted email or secure messaging systems approved by Pacific Health Group. Physical documents containing PHI should be handled with care, ensuring they are not left unattended or exposed in public or unsecured areas. Shredding or secure disposal methods must be used when disposing of PHI.
6. Responsibilities
- Employees and Contractors: Every employee and contractor is responsible for understanding and adhering to this policy. They must ensure that they handle PHI appropriately and report any violations or suspicious activities to their supervisor or the Privacy Officer without delay.
- Managers and Supervisors: Managers and supervisors are tasked with ensuring that their team members are informed about this policy and receive the necessary training. They must monitor compliance within their teams and address any issues promptly.
- Privacy Officer: The Privacy Officer oversees the implementation and enforcement of this policy. Responsibilities include conducting training programs, managing breach investigations, responding to individuals’ rights requests, and serving as the primary contact for any privacy and security concerns.
7. References
This policy is informed by and complies with the following laws and regulations:
- Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Parts 160 and 164: Federal regulations that establish national standards for the protection of PHI.
- California Confidentiality of Medical Information Act (CMIA): State law that provides additional protections for medical information in California.
- CalAIM ECM & CS Program Guidelines and Medi-Cal Regulations: Specific guidelines and regulations governing the CalAIM ECM & CS Program and Medi-Cal services.
By adopting this policy, Pacific Health Group reaffirms its commitment to protecting the privacy and security of PHI within the CalAIM ECM & CS Program. All personnel are expected to familiarize themselves with these guidelines and integrate them into their daily practices to ensure compliance and maintain the trust of the individuals we serve.
Mechanism for Identifying Unnecessary PHI Collection within the CalAIM ECM & CS Program
1. Purpose
The primary purpose of this policy is to establish a comprehensive framework for identifying and eliminating the unnecessary collection of Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) Program. By doing so, we aim to protect patient privacy, ensure compliance with all applicable laws and regulations, and enhance the efficiency of our data management practices. This policy underscores our commitment to adhere to the highest standards of confidentiality and integrity in handling PHI.
2. Scope
This policy applies to all employees, contractors, volunteers, and third-party partners involved in the CalAIM ECM & CS Program who collect, access, use, or manage PHI. It encompasses every individual and department that interacts with PHI in any capacity, ensuring that the principles outlined herein are uniformly applied across the entire program.
3. Definitions
Protected Health Information (PHI): Any information about an individual’s health status, the provision of healthcare, or payment for healthcare that can be linked to a specific person. This includes any part of a patient’s medical record or payment history.
Unnecessary PHI Collection: The gathering of PHI that is not essential for program operations, service delivery, compliance, or legal requirements. This involves collecting information without a clear, justified purpose directly related to the functions of the CalAIM ECM & CS Program.
Minimum Necessary Standard: A principle requiring that only the least amount of PHI needed to accomplish the intended purpose is collected, used, or disclosed. This standard is fundamental to protecting patient privacy and is a cornerstone of both federal and state regulations governing PHI.
4. Policy Statement
All personnel involved in the CalAIM ECM & CS Program must adhere strictly to the minimum necessary standard when collecting PHI. The collection of unnecessary PHI is prohibited. A structured mechanism will be implemented to identify and eliminate practices that lead to unnecessary PHI collection. This mechanism involves regular assessments, staff training, process modifications, and continuous monitoring to ensure ongoing compliance with this policy.
5. Procedures
5.1 Data Inventory and Mapping
An up-to-date inventory of all PHI collected, used, stored, or disclosed within the ECM & CS Program must be maintained. This inventory should detail the types of PHI collected, the purpose of its collection, where it is stored, and who has access to it. Additionally, a data flow diagram must be created to map how PHI moves through the organization. This diagram should illustrate all points of PHI collection, processing, storage, and disclosure. Understanding the flow of PHI is crucial for identifying areas where unnecessary collection may occur and for implementing effective safeguards.
5.2 Needs Assessment
Regular assessments must be conducted to evaluate the necessity of each category of PHI collected. This involves scrutinizing whether the information is essential for program functions such as service delivery, compliance with legal obligations, or operational requirements. Stakeholders including program managers, legal counsel, and compliance officers should collaborate during this assessment to validate the necessity of specific PHI elements. This collaborative approach ensures that decisions are well-informed and align with both operational needs and legal mandates.
5.3 Elimination of Unnecessary PHI
Upon identifying PHI that is deemed unnecessary, immediate steps must be taken to eliminate its collection. This includes updating forms to remove unnecessary fields, modifying electronic data capture systems, and revising data collection procedures. Staff must be informed of these changes and provided with clear instructions to ensure that only essential PHI is collected moving forward. This proactive approach minimizes the risk of unnecessary PHI accumulation and enhances compliance with the minimum necessary standard.
5.4 Training and Awareness
All staff involved in the collection and handling of PHI must receive comprehensive training on the principles outlined in this policy. This training should emphasize the importance of collecting only necessary information and provide guidance on how to identify and avoid unnecessary PHI collection. Regular refresher courses should be offered to keep staff updated on any changes to policies or procedures. By fostering a culture of awareness and accountability, we can ensure that all personnel are equipped to uphold the highest standards of PHI protection.
5.5 Monitoring and Auditing
Periodic audits must be conducted to monitor compliance with this policy. These audits should review data collection practices, assess adherence to the minimum necessary standard, and identify any instances of unnecessary PHI collection. If such instances are discovered, they must be documented, and appropriate corrective actions should be taken promptly. Establishing a clear protocol for incident reporting and resolution ensures that issues are addressed effectively and that lessons learned are integrated into future practices.
5.6 Policy Review and Updates
This policy must be reviewed at least annually or whenever significant changes occur in regulations, program operations, or best practices. The review process should involve key stakeholders to ensure that the policy remains relevant and effective. Any necessary amendments should be made promptly, and staff must be informed of these changes. Regular reviews and updates are essential for maintaining compliance and for adapting to the evolving landscape of healthcare regulations and technologies.
6. Roles and Responsibilities
Program Managers are responsible for ensuring that their teams understand and comply with this policy. They must facilitate training sessions, oversee data collection practices, and address any issues related to unnecessary PHI collection within their departments.
The Compliance Officer oversees all compliance efforts related to PHI handling. This includes conducting audits, providing guidance on regulatory requirements, and serving as a resource for staff with questions or concerns about PHI collection. The Compliance Officer also coordinates the policy review and update process.
All Staff and Contractors must adhere strictly to this policy in all their activities. They are required to participate in training sessions, follow established procedures for PHI handling, and report any instances of unnecessary PHI collection. Each individual has a responsibility to protect patient privacy and contribute to the organization’s compliance efforts.
7. Compliance and Enforcement
Compliance with this policy is mandatory. Failure to comply may result in disciplinary action, which could range from additional training to termination of employment or contracts, depending on the severity of the violation. Legal consequences may also apply under state and federal laws such as HIPAA and the California Confidentiality of Medical Information Act (CMIA). It is imperative that all personnel understand the seriousness of non-compliance and the potential repercussions for both individuals and the organization.
8. References
- Health Insurance Portability and Accountability Act (HIPAA): Federal legislation that provides data privacy and security provisions for safeguarding medical information.
- California Confidentiality of Medical Information Act (CMIA): State law that imposes strict confidentiality requirements on medical information and sets forth penalties for unauthorized disclosure.
- CalAIM ECM & CS Program Guidelines: Specific guidelines governing the operations of the ECM & CS Program, including requirements for PHI handling.
These references provide the legal and regulatory framework underpinning this policy and should be consulted for further guidance.
This policy must be communicated to all relevant parties and made readily accessible. Adherence is mandatory to ensure the integrity and confidentiality of PHI within the CalAIM ECM & CS Program. Protecting patient privacy is a fundamental obligation of all personnel involved in the program.
Identification and Reporting of Impermissible Uses or Disclosures of PHI within the CalAIM ECM & CS Program
Purpose
The primary objective of this policy is to establish clear guidelines and procedures for identifying and reporting any impermissible uses or disclosures of Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) Program. By implementing these guidelines, Pacific Health Group aims to ensure full compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable state laws. This policy underscores our commitment to safeguarding the privacy and security of individuals’ health information and maintaining the trust placed in us by patients and partners.
Scope
This policy is applicable to all employees, contractors, volunteers, and agents of Pacific Health Group who are involved in any capacity with the CalAIM ECM & CS Program. It encompasses all activities related to the handling of PHI, including its collection, access, use, disclosure, storage, and disposal. Everyone within the scope of this policy is expected to understand and adhere to the procedures outlined herein.
Policy Statement
Pacific Health Group is dedicated to upholding the highest standards of privacy and security concerning PHI. Any impermissible use or disclosure of PHI is considered a serious violation of both legal obligations and organizational ethics. It is imperative that all workforce members promptly identify and report any such incidents to ensure timely investigation, mitigation, and compliance with regulatory requirements. Our organization fosters a culture of accountability and compliance, recognizing that protecting PHI is not just a legal requirement but a fundamental aspect of patient care and trust.
Definitions
Protected Health Information (PHI): This refers to any information, including demographic data, that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or the payment for health care services. PHI includes information that identifies the individual or provides a reasonable basis to believe it can be used to identify the individual.
Impermissible Use or Disclosure: Any use or disclosure of PHI that is not permitted under HIPAA, HITECH, or relevant state laws and regulations. This includes unauthorized access, acquisition, use, or disclosure that compromises the security or privacy of PHI.
Breach: Defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA, which compromises the security or privacy of the PHI. A breach is presumed to have occurred unless it can be demonstrated that there is a low probability that the PHI has been compromised.
Procedures
Identification of Impermissible Uses or Disclosures
All workforce members are expected to remain vigilant in recognizing situations that may constitute an impermissible use or disclosure of PHI. This includes being aware of activities such as:
- Unauthorized access to PHI by individuals who do not have the necessary clearance.
- Sharing PHI without proper authorization or consent from the patient.
- Loss or theft of devices (e.g., laptops, smartphones) that contain PHI.
- Discussing PHI in public areas where conversations may be overheard by unauthorized persons.
- Improper disposal of documents or devices containing PHI.
Awareness and prompt recognition are crucial in preventing and mitigating potential breaches. Workforce members should be knowledgeable about what constitutes PHI and the proper protocols for handling it.
Reporting Requirements
If a workforce member becomes aware of a potential or actual impermissible use or disclosure of PHI, they are required to report it immediately to their supervisor and the Privacy Officer. Timely reporting is essential to initiate prompt action to mitigate any potential harm. Reports should include all relevant details known at the time, such as the nature of the incident, the type of PHI involved, and any actions taken thus far.
Reports can be made through various methods:
- Direct Communication: Speaking in person or over the phone with the supervisor or Privacy Officer.
- Secure Email: Sending a detailed account via the organization’s secure email system.
- Anonymous Reporting: Utilizing the organization’s compliance hotline or anonymous reporting system if available.
The organization strictly prohibits any form of retaliation against individuals who report concerns in good faith. Retaliation is considered a serious violation of organizational policy and will not be tolerated.
Investigation Process
Upon receiving a report of an impermissible use or disclosure, the Privacy Officer will promptly initiate a thorough investigation. The process involves:
- Assessment of the Report: Reviewing the information provided to understand the scope and nature of the incident.
- Evidence Gathering: Collecting all relevant documentation, electronic records, and conducting interviews with involved parties.
- Collaboration: Working with legal counsel, IT personnel, and other relevant departments to assess technical aspects and legal implications.
- Documentation: Keeping detailed records of all steps taken, findings, and conclusions drawn during the investigation.
The investigation aims to determine whether a breach occurred, the extent of the breach, and the individuals affected. It also seeks to identify the root cause to prevent future occurrences.
Risk Assessment
A comprehensive risk assessment will be conducted to evaluate the probability that PHI has been compromised. This assessment considers:
- Nature and Extent of PHI Involved: Evaluating the sensitivity of the data, such as whether it includes Social Security numbers, financial information, or medical diagnoses.
- Unauthorized Person Involved: Determining who accessed or received the PHI and their potential to misuse it.
- Actual Acquisition or Viewing: Assessing whether the PHI was actually acquired or viewed, or if there was only the potential for such access.
- Mitigation Measures: Considering the actions already taken to mitigate the breach and reduce harm.
The findings from the risk assessment will guide the organization’s response, including the necessity and method of notification to affected individuals and regulatory bodies.
Mitigation Efforts
Immediate steps will be taken to contain and limit the impermissible use or disclosure of PHI. Mitigation efforts may include:
- Retrieving Disclosed Information: Attempting to recover any PHI that was improperly disclosed.
- Requesting Confidentiality: Asking unauthorized recipients to return or destroy the PHI and maintain confidentiality.
- Correcting System Vulnerabilities: Addressing any technical or procedural weaknesses that contributed to the breach.
- Providing Support: Offering assistance to affected individuals, such as credit monitoring services in cases involving financial information.
The organization is committed to reducing any potential harm to individuals and preventing future incidents through effective mitigation strategies.
Notification
If a breach of unsecured PHI is confirmed, the organization will notify affected individuals, regulatory authorities, and, if necessary, the media, in accordance with legal requirements.
- Notification to Individuals: Affected individuals will be informed without unreasonable delay and no later than 60 days after the discovery of the breach. The notification will include:
- A description of the incident.
- Types of PHI involved.
- Steps individuals can take to protect themselves.
- Actions the organization is taking to investigate and mitigate the breach.
- Contact information for further assistance.
- Notification to HHS: The Department of Health and Human Services (HHS) will be notified as required under HIPAA regulations.
- State Authorities: The organization will comply with any additional state-specific reporting requirements, which may involve notifying state regulatory agencies.
- Media Notification: If the breach involves more than 500 residents of a state or jurisdiction, the organization will provide notice to prominent media outlets serving that area.
All notifications will be documented and carried out in a manner that complies with legal and regulatory standards.
Record Keeping
The organization will maintain detailed records of all reports, investigations, risk assessments, and notifications related to impermissible uses or disclosures of PHI. These records will be:
- Securely Stored: Protected from unauthorized access and maintained in a secure environment.
- Retained: Kept for a minimum of six years from the date of creation or the date when the record was last in effect, whichever is later, or as required by law.
- Accessible for Review: Available for internal audits and external regulatory reviews as necessary.
Proper record keeping is essential for demonstrating compliance and for ongoing improvement of privacy practices.
Training and Education
To ensure that all workforce members are knowledgeable about privacy obligations, the organization will provide comprehensive training programs:
- Initial Training: All new workforce members will receive training on privacy policies and procedures before they begin handling PHI.
- Ongoing Training: Annual refresher courses and additional training when policies or regulations change.
- Specialized Training: Targeted sessions for roles with heightened privacy responsibilities.
- Acknowledgment: Workforce members are required to acknowledge their understanding and commitment to comply with privacy policies.
Training will cover topics such as recognizing PHI, proper handling procedures, identifying potential breaches, and the importance of timely reporting.
Disciplinary Actions
Non-compliance with this policy or failure to adhere to privacy laws may result in disciplinary action, which could include:
- Counseling or Retraining: For minor or unintentional violations.
- Formal Reprimand: Documented warning for more serious breaches.
- Suspension or Termination: For severe or intentional violations.
- Legal Action: In cases involving criminal misconduct or significant harm.
Disciplinary actions will be determined based on the severity of the violation and will be applied consistently to all workforce members.
Responsibilities
- Workforce Members: Must adhere to all policies and procedures, safeguard PHI, report any impermissible uses or disclosures, and participate in required training.
- Supervisors: Responsible for promoting a culture of compliance, ensuring team members understand their obligations, and supporting them in fulfilling their responsibilities.
- Privacy Officer: Oversees compliance with privacy laws, conducts investigations, coordinates notifications, and provides guidance and training.
Compliance and Enforcement
Failure to comply with this policy may result in civil and criminal penalties under HIPAA and HITECH, as well as disciplinary actions by Pacific Health Group. The organization is committed to enforcing this policy and taking appropriate action to prevent future incidents.
References
- HIPAA Privacy Rule: 45 CFR Parts 160 and 164
- HIPAA Security Rule: 45 CFR Part 164 Subparts A and C
- HITECH Act: Sections pertaining to breach notification
- CalAIM ECM & CS Program Guidelines
- California Confidentiality of Medical Information Act (CMIA)
- [Additional State Laws and Regulations as Applicable]
Reporting Impermissible Uses or Disclosures of Protected Health Information (PHI) within the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program
Purpose
The purpose of this policy is to establish a comprehensive and clear process for reporting, investigating, and mitigating any impermissible uses or disclosures of Protected Health Information (PHI) within the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program. By adhering to this policy, the organization ensures compliance with federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), and demonstrates its commitment to protecting the privacy and security of individuals’ health information.
Scope
This policy applies to all employees, contractors, volunteers, and partners who are involved in the CalAIM ECM & CS Program and who have access to PHI. It encompasses all activities related to the handling, use, or disclosure of PHI in any form, whether electronic, paper-based, or oral communication.
Policy Statement
The organization is committed to maintaining the confidentiality and integrity of PHI. All impermissible uses or disclosures of PHI must be reported immediately upon discovery to facilitate a timely response, appropriate mitigation, and compliance with legal obligations. Failure to report such incidents undermines the organization’s ability to protect PHI and comply with regulatory requirements.
Definitions
Protected Health Information (PHI): PHI refers to any information, including demographic data, that relates to an individual’s past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare that can identify the individual. This includes information that is transmitted or maintained in any form or medium.
Impermissible Use or Disclosure: This term refers to any use or disclosure of PHI that is not permitted or required by HIPAA regulations or the organization’s policies. Examples include accessing PHI without a legitimate need, sharing PHI with unauthorized individuals, or failing to secure PHI appropriately.
Breach: A breach is defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. A breach is presumed to have occurred unless the organization demonstrates a low probability that the PHI has been compromised based on a risk assessment.
Procedures
- Immediate Reporting of Impermissible Uses or Disclosures
Any staff member who becomes aware of an impermissible use or disclosure of PHI is required to report the incident immediately. The report should be made to both the staff member’s immediate supervisor and the Privacy Officer as soon as possible, but no later than 24 hours after the discovery of the incident. Immediate reporting is crucial to enable the organization to respond promptly and mitigate any potential harm.
- Notification to the Privacy Officer
Supervisors who receive reports of impermissible uses or disclosures must notify the Privacy Officer within 24 hours. The notification should include all available details about the incident, including the nature of the PHI involved, the circumstances surrounding the impermissible use or disclosure, and any immediate actions taken to address the situation. The supervisor should ensure that the staff member completes the Incident Reporting Form to document the incident thoroughly.
- Documentation of the Incident
The Incident Reporting Form is a critical tool for documenting all relevant aspects of the incident. The form should include:
- Date and Time of the Incident: Specify when the impermissible use or disclosure occurred and when it was discovered.
- Description of the PHI Involved: Detail the types of PHI that were used or disclosed impermissibly, such as medical records, social security numbers, or other identifying information.
- Explanation of How the Incident Occurred: Provide a clear narrative of the events leading to the impermissible use or disclosure, including any errors or violations of policy.
- Identification of Individuals Involved: List all personnel, patients, or external parties involved in the incident.
- Immediate Actions Taken: Describe any steps taken immediately after the discovery to contain or mitigate the impact of the incident.
The completed form should be submitted to the Privacy Officer promptly to facilitate the investigation process.
- Investigation of the Incident
The Privacy Officer is responsible for initiating an investigation within 48 hours of receiving the incident report. The investigation aims to:
- Determine the Nature and Scope of the Incident: Assess how the impermissible use or disclosure occurred and identify any systemic issues.
- Assess Potential Risks: Evaluate the likelihood that the PHI has been compromised and the potential harm to affected individuals.
- Determine Whether a Breach Occurred: Decide if the incident meets the definition of a breach under HIPAA regulations.
- Recommend Mitigation Strategies: Identify steps to prevent similar incidents in the future and reduce any harm caused.
The Privacy Officer may collaborate with legal counsel, information security personnel, and other relevant departments to ensure a thorough investigation.
- Mitigation Efforts
Upon confirmation of an impermissible use or disclosure, the organization will take appropriate steps to mitigate any adverse effects. Mitigation efforts may include:
- Retrieving Disclosed PHI: Attempting to recover any PHI that was disclosed improperly.
- Securing Affected Systems: Implementing security measures to prevent further unauthorized access or disclosure.
- Providing Support to Affected Individuals: Offering resources or guidance to individuals whose PHI was compromised, such as credit monitoring services or counseling on protective measures.
- Reviewing and Updating Policies: Assessing current policies and procedures to identify and implement improvements.
The organization is committed to reducing any negative impact on individuals and preventing future occurrences.
- Notification to Affected Individuals
If the investigation concludes that a breach has occurred, the organization will notify affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach. The notification will be provided in written form and will include:
- A Description of the Breach: Explain what happened, including the date of the breach and the date of its discovery.
- Types of PHI Involved: Specify the categories of information that were compromised, such as names, addresses, dates of birth, medical information, or other sensitive data.
- Steps Individuals Should Take: Provide recommendations on how individuals can protect themselves from potential harm, such as monitoring financial accounts or changing passwords.
- Actions Taken by the Organization: Outline the measures the organization has implemented to investigate the breach, mitigate harm, and prevent future incidents.
- Contact Information: Offer contact details for a representative who can answer questions and provide additional information.
The notification process will comply with all applicable legal requirements to ensure that individuals are informed and can take appropriate action.
- Reporting to Regulatory Authorities and Media
In cases where the breach affects 500 or more individuals, the organization is required to notify the Department of Health and Human Services (HHS) and prominent media outlets serving the affected area. Such notifications must be made without unreasonable delay and in accordance with HIPAA regulations. For breaches involving fewer than 500 individuals, the organization will maintain a log of all such incidents and submit the log annually to HHS as required.
- Disciplinary Actions for Non-Compliance
Employees, contractors, or partners who fail to comply with this policy may face disciplinary actions, which could include retraining, reprimand, suspension, or termination of employment or contract. The severity of the disciplinary action will correspond to the nature of the violation, whether it resulted from negligence or intentional misconduct, and whether it is a repeat offense. The organization takes non-compliance seriously and will enforce this policy to uphold the integrity and confidentiality of PHI.
- Training and Awareness Programs
The organization is committed to providing regular training and education to all staff members regarding HIPAA regulations, the importance of protecting PHI, and the procedures outlined in this policy. Training sessions will be conducted at least annually and will be mandatory for all employees, contractors, and volunteers with access to PHI. Additional training may be provided as needed to address specific issues or changes in laws and regulations.
- Record Keeping and Documentation
All documentation related to impermissible uses or disclosures, including incident reports, investigation records, correspondence, and mitigation actions, will be maintained securely by the Privacy Officer. These records will be retained for a minimum of six years from the date of their creation or the date they were last in effect, whichever is later. The organization will ensure that all records are protected from unauthorized access and are available for review by regulatory authorities if required.
Responsibilities
- All Staff Members: Every individual with access to PHI is responsible for understanding and adhering to this policy. Staff members must protect PHI in their daily activities and report any suspected incidents immediately.
- Supervisors: Supervisors are responsible for fostering a culture of compliance within their teams. They must ensure that staff members are trained, understand their obligations, and feel comfortable reporting incidents without fear of retaliation.
- Privacy Officer: The Privacy Officer holds primary responsibility for overseeing the implementation of this policy. This includes conducting investigations, coordinating mitigation efforts, managing notifications, and maintaining records. The Privacy Officer also serves as a resource for staff members with questions or concerns about PHI protection.
- Management: Organizational leaders must provide the necessary resources, support, and oversight to ensure the effective implementation of this policy. Management is responsible for enforcing compliance and addressing any systemic issues that may contribute to impermissible uses or disclosures.
Compliance
Adherence to this policy is mandatory. Non-compliance may result in disciplinary action and can expose the organization and individuals to legal penalties under HIPAA and other applicable laws. The organization emphasizes the importance of compliance not only to meet legal obligations but also to maintain the trust of the individuals it serves.
Review and Revision
This policy will be reviewed on an annual basis and updated as necessary to reflect changes in federal and state laws, regulations, or organizational practices. Any revisions will be approved by the designated approving authority and communicated to all staff members promptly. Feedback from staff members is encouraged to improve the effectiveness of the policy and its implementation.
References
- Health Insurance Portability and Accountability Act (HIPAA): 45 CFR Parts 160 and 164 outline the federal regulations for protecting PHI and the requirements for reporting breaches.
- California Confidentiality of Medical Information Act (CMIA): California Civil Code §§ 56-56.37 provide state-specific regulations regarding the confidentiality and disclosure of medical information.
- CalAIM ECM & CS Program Guidelines: These guidelines offer specific directives and standards for the ECM & CS program, including expectations for PHI handling.
For questions or additional information regarding this policy, please contact the Privacy Officer. The organization values open communication and is committed to assisting staff members in understanding their responsibilities related to PHI protection.
Policy for Enhancing Protections Following Impermissible Use or Disclosure of PHI within the CalAIM ECM & CS Program
Purpose:
The primary purpose of this policy is to establish a comprehensive framework for identifying, responding to, and strengthening protections after any impermissible use or disclosure of Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) program. By implementing this policy, we aim to ensure full compliance with federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), and to demonstrate our unwavering commitment to safeguarding PHI.
Scope:
This policy is applicable to all employees, contractors, volunteers, and any other workforce members who are involved in the CalAIM ECM & CS Program and handle PHI in any capacity. It is essential that every individual within the organization understands their responsibilities concerning the protection of PHI and the procedures to follow in the event of an impermissible use or disclosure.
Definitions:
- Protected Health Information (PHI): Refers to any information related to an individual’s health status, the provision of healthcare, or payment for healthcare that can be linked to that individual. This includes a wide range of identifiers such as names, addresses, birth dates, Social Security numbers, and any other information that can identify a person.
- Impermissible Use or Disclosure: Any acquisition, access, use, or disclosure of PHI in a manner that is not permitted under HIPAA or other applicable laws. This includes unauthorized sharing of PHI with individuals or entities that are not entitled to receive it.
- Breach: An impermissible use or disclosure that compromises the security or privacy of PHI. A breach is presumed to have occurred unless it can be demonstrated that there is a low probability that the PHI has been compromised based on a risk assessment.
Policy Statement:
The CalAIM ECM & CS Program is deeply committed to the protection of PHI and recognizes the critical importance of maintaining the confidentiality, integrity, and security of this sensitive information. In the event of any impermissible use or disclosure of PHI, the organization will take immediate and appropriate actions to mitigate any potential harm. This includes notifying affected individuals and regulatory bodies as required, and implementing measures to prevent future occurrences. The organization is dedicated to fostering a culture of compliance and accountability, ensuring that all workforce members understand and adhere to the highest standards of privacy and security.
Procedures:
In the unfortunate event of an impermissible use or disclosure of PHI, the following procedures will be diligently followed to ensure a prompt and effective response:
- Immediate Reporting:
Any workforce member who becomes aware of an impermissible use or disclosure of PHI is required to report the incident immediately to their supervisor and the Privacy Officer. The report should include all known details, such as the date and time of the incident, the nature of the PHI involved, how the incident occurred, and any individuals or entities who may have improperly received or accessed the PHI.
- Incident Investigation:
Upon receiving the report, the Privacy Officer will promptly initiate a thorough investigation to determine the nature and scope of the incident. This investigation will involve collecting all relevant information, interviewing involved parties, reviewing security logs, and examining any physical or electronic evidence. The objective is to understand precisely what happened, identify the root cause, and determine the extent to which PHI was compromised.
- Mitigation Efforts:
Immediate steps will be taken to mitigate any potential harm resulting from the impermissible use or disclosure. This may include attempting to retrieve the improperly disclosed PHI, requesting that unauthorized recipients return or destroy the information, and preventing further unauthorized access. The organization will also provide guidance to affected individuals on steps they can take to protect themselves, such as monitoring their credit reports or changing passwords.
- Risk Assessment:
A comprehensive risk assessment will be conducted to evaluate the probability that the PHI has been compromised. This assessment will consider factors such as the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The results of this assessment will inform the organization’s decision-making regarding notifications and further actions.
- Notification Requirements:
In compliance with HIPAA and applicable state laws, the organization will notify all affected individuals without unreasonable delay and no later than 60 days following the discovery of the breach. The notification will be written in plain language and include a description of the incident, the types of PHI involved, steps individuals should take to protect themselves, a description of what the organization is doing to investigate and mitigate the breach, and contact information for further assistance.
If the breach involves more than 500 residents of a state or jurisdiction, the organization will also notify prominent media outlets serving that area. Additionally, the Department of Health and Human Services (HHS) will be notified in accordance with regulatory requirements, as well as any applicable state authorities.
- Developing an Action Plan:
Based on the findings of the investigation, the organization will develop and implement a comprehensive action plan to enhance protections and prevent future incidents. This plan may include revising policies and procedures, strengthening technical safeguards such as encryption and access controls, enhancing physical security measures, and improving operational practices. The action plan will be documented and its implementation monitored to ensure effectiveness.
- Training and Education:
The organization will provide additional training and education to workforce members, especially those involved in the incident. This training will focus on reinforcing the importance of compliance with privacy and security policies, understanding the potential consequences of non-compliance, and adopting best practices for safeguarding PHI. Ongoing education will be a priority to maintain a high level of awareness and vigilance among all staff.
- Disciplinary Actions:
Appropriate disciplinary actions will be taken against workforce members who violated policies, in accordance with the organization’s disciplinary procedures. The severity of the disciplinary action will depend on factors such as the nature of the violation, whether it was intentional or accidental, and the potential harm caused. Disciplinary measures may range from counseling and retraining to suspension or termination of employment.
- Monitoring and Review:
The organization will regularly monitor the effectiveness of the measures implemented to enhance PHI protections. This includes conducting periodic audits, reviewing access logs, and assessing compliance with updated policies and procedures. The organization will remain vigilant in identifying and addressing any new risks or vulnerabilities that may emerge.
- Documentation:
Comprehensive documentation of the incident, including the investigation process, risk assessment, mitigation efforts, notifications made, and corrective actions taken, will be maintained. This documentation is critical for demonstrating compliance with legal and regulatory requirements and for informing future improvements. Records will be retained for a minimum of six years or as required by law.
Responsibilities:
- Workforce Members: Every workforce member has a responsibility to protect PHI and to report any impermissible uses or disclosures promptly. This includes adhering to all organizational policies and procedures related to PHI, participating in required training, and exercising due diligence in daily activities.
- Supervisors: Supervisors are responsible for fostering a culture of compliance within their teams. They must ensure that reports of impermissible uses or disclosures are promptly escalated to the Privacy Officer and support their staff in understanding and complying with privacy and security policies.
- Privacy Officer: The Privacy Officer has the primary responsibility for leading the investigation of incidents, coordinating mitigation efforts, ensuring that necessary notifications are made, and overseeing the development and implementation of action plans to enhance protections.
- Management: Senior management is responsible for providing the necessary resources and support to implement this policy effectively. This includes investing in training, technology, and staffing to maintain robust privacy and security programs.
Training:
All workforce members are required to participate in initial training upon hire and annual refresher training on HIPAA regulations and the organization’s policies regarding PHI. This training will cover essential topics such as recognizing and reporting breaches, understanding the legal and ethical obligations related to PHI, and best practices for safeguarding sensitive information. Additional training sessions may be conducted as needed, especially following incidents or changes in regulations.
Monitoring Compliance:
The Privacy Officer will actively monitor adherence to this policy through regular audits, assessments, and reviews. Any compliance issues identified will be reported to senior management, and corrective actions will be taken as necessary. The organization is committed to continuous improvement and will use findings from monitoring activities to strengthen its privacy and security practices. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment.
Review and Revision:
This policy will undergo a formal review at least annually to ensure that it remains current with legal and regulatory requirements and reflects the organization’s operational practices. Revisions will be made as necessary to address changes in laws, technology, or organizational needs. Feedback from workforce members, audit findings, and lessons learned from incidents will be considered during the review process.
By understanding and adhering to the provisions of this policy, all workforce members contribute to the protection of our clients’ sensitive health information and uphold the integrity and reputation of the CalAIM ECM & CS Program. The organization values the trust placed in us by our clients and is committed to maintaining that trust through diligent compliance with all privacy and security obligations.
Policy on Limiting Access to Protected Health Information (PHI) within the CalAIM ECM & CS Program
Purpose
The purpose of this policy is to establish comprehensive guidelines for limiting access to Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) Program. This policy is designed to ensure compliance with federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA). By adhering to these guidelines, the organization aims to protect the privacy and security of patient information, maintain patient trust, and uphold the highest standards of ethical conduct in healthcare services.
Scope
This policy applies to all employees, contractors, volunteers, and third-party associates who access, use, or manage PHI within the CalAIM ECM & CS Program. It encompasses all forms of PHI, whether electronic, paper-based, or verbal, and covers all activities related to the collection, handling, storage, transmission, and disposal of such information.
Definitions
Protected Health Information (PHI): PHI refers to any information about an individual’s health status, the provision of healthcare, or payment for healthcare that can be linked to a specific person. This includes medical records, billing information, and any other data that could identify a patient.
CalAIM Program: The California Advancing and Innovating Medi-Cal ECM & CS Program is a Medi-Cal initiative aimed at providing comprehensive care management for high-need beneficiaries. The program focuses on delivering coordinated, whole-person care to improve health outcomes.
Minimum Necessary Standard: This principle requires that access to PHI be limited to the minimum amount necessary to accomplish the intended purpose. It emphasizes the need to restrict unnecessary or excessive access to sensitive information.
Policy Statement
Our organization is committed to ensuring that access to PHI within the CalAIM ECM & CS Program is strictly limited to authorized individuals who require the information to perform their specific job duties. We adhere to the “minimum necessary” standard, ensuring that PHI is accessed, used, or disclosed only when essential for legitimate healthcare operations, treatment, or payment processes. Unauthorized access, use, or disclosure of PHI is strictly prohibited and may result in disciplinary action, including termination and potential legal consequences.
Procedures
Access Control
Access to PHI is controlled through a role-based system that assigns permissions based on an individual’s job responsibilities. Employees are granted access rights that are necessary for their roles, ensuring they can perform their duties effectively without exposing PHI unnecessarily. For example, a clinician may have access to patient treatment records, while administrative staff may access billing information.
Regular reviews of access privileges are conducted to ensure they remain appropriate over time. If an employee changes roles or leaves the organization, their access rights are promptly updated or revoked. Managers are responsible for approving access requests and ensuring that only authorized personnel have access to PHI. All access authorizations are documented and maintained for compliance and auditing purposes.
Authentication and Security Measures
To safeguard PHI, the organization implements robust authentication mechanisms. Each user is assigned a unique identifier and is required to use secure passwords that comply with established complexity requirements. Passwords must be changed regularly, and sharing login credentials is strictly prohibited.
Where feasible, multi-factor authentication is employed to enhance security. This requires a combination of at least two of the following: something the user knows (password), something the user has (security token), and something the user is (biometric verification).
Physical security measures are also in place to protect PHI. Access to areas where PHI is stored, such as file rooms or server facilities, is restricted to authorized personnel. Physical records are kept in lockable cabinets, and electronic workstations are configured with automatic screen locks and privacy filters to prevent unauthorized viewing.
Training and Awareness
All staff members with access to PHI are required to participate in mandatory training programs on HIPAA regulations and the proper handling of PHI. This training is provided during onboarding and includes topics such as privacy laws, data security practices, and the consequences of non-compliance.
Annual refresher courses are conducted to keep staff updated on any changes in regulations or organizational policies. Employees must acknowledge their understanding of these policies by signing confidentiality agreements, which are kept on file as part of their employment records.
Monitoring and Auditing
The organization maintains detailed logs of all access to and modifications of PHI. These logs record the user identity, time of access, and the nature of the activity performed. Regular audits of these logs are conducted to detect any unauthorized access or anomalies that may indicate security breaches.
An incident response plan is in place to address any suspected or confirmed breaches of PHI. This plan outlines the steps for immediate containment, investigation, notification of affected individuals, and remediation efforts. All incidents are thoroughly documented, and reports are submitted to the appropriate regulatory authorities as required.
Data Minimization and Use Limitations
In alignment with the “minimum necessary” standard, staff members are instructed to access and use only the PHI required to perform their specific tasks. For activities such as research or reporting, de-identified or aggregated data should be used whenever possible to minimize exposure of individual patient information.
When responding to requests for PHI, whether internal or external, the organization evaluates the necessity and legality of the disclosure. Only the minimum necessary information is provided, and all disclosures are documented in accordance with policy requirements.
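The Access Control, Monitoring and Auditing, and Data Minimization procedures above describe a role-based gate in front of PHI, an access log recording user, time and activity, periodic review of that log, and aggregated data for reporting. The following Python sketch is an added illustration of how those pieces fit together; it is not code from Pacific Health Group or the CalAIM program. The role names, PHI categories, review thresholds and log entries are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# PHI categories each role may touch: the "minimum necessary" slice for the job.
# Role names and categories are assumptions made for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"treatment_records", "demographics"},
    "billing": {"billing", "demographics"},
    "care_manager": {"treatment_records", "care_plan", "demographics"},
}


@dataclass
class AuditEntry:
    user: str
    role: str
    category: str
    patient_id: str
    at: datetime
    allowed: bool


@dataclass
class PHIAccessControl:
    """Role-based gate in front of PHI that records every attempt, allowed or not."""
    role_of: Dict[str, str]                         # user -> role, set by managers
    log: List[AuditEntry] = field(default_factory=list)

    def revoke(self, user: str) -> None:
        # Role changes and departures: rights are removed, not left dormant.
        self.role_of.pop(user, None)

    def access(self, user: str, category: str, patient_id: str, at: datetime) -> bool:
        role = self.role_of.get(user, "none")
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        self.log.append(AuditEntry(user, role, category, patient_id, at, allowed))
        return allowed


def review_log(log: List[AuditEntry], business_hours=(7, 19), max_patients_per_day=3) -> List[str]:
    """Periodic audit: flag denied attempts, off-hours access, and one user reaching
    an unusually broad set of patients in a single day. Thresholds are example values."""
    findings: List[str] = []
    per_user_day: Dict[Tuple[str, object], Set[str]] = defaultdict(set)
    for e in log:
        when = f"{e.at:%Y-%m-%d %H:%M}"
        if not e.allowed:
            findings.append(f"DENIED {e.user}({e.role}) -> {e.category} of {e.patient_id} at {when}")
            continue
        if not business_hours[0] <= e.at.hour < business_hours[1]:
            findings.append(f"OFF_HOURS {e.user} -> {e.category} of {e.patient_id} at {when}")
        per_user_day[(e.user, e.at.date())].add(e.patient_id)
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients_per_day:
            findings.append(f"BROAD_ACCESS {user} touched {len(patients)} patients on {day}")
    return findings


def usage_by_category(log: List[AuditEntry]) -> Dict[str, int]:
    """Aggregated, de-identified view for reporting: counts only, no patient identifiers."""
    counts: Dict[str, int] = defaultdict(int)
    for e in log:
        if e.allowed:
            counts[e.category] += 1
    return dict(counts)


def run_sample() -> Tuple[List[str], Dict[str, int]]:
    """Constructed scenario (not real access data) exercising the controls above."""
    acl = PHIAccessControl(role_of={"alice": "clinician", "bob": "billing", "carol": "care_manager"})

    def t(hour: int, minute: int = 0, day: int = 3) -> datetime:
        return datetime(2024, 6, day, hour, minute)

    acl.access("alice", "treatment_records", "P001", t(9))      # within role: allowed
    acl.access("alice", "billing", "P001", t(9, 5))             # outside role: denied
    acl.access("bob", "billing", "P001", t(10))                 # within role: allowed
    acl.access("alice", "treatment_records", "P002", t(23))     # allowed, but off-hours
    acl.revoke("carol")                                          # left the program
    acl.access("carol", "care_plan", "P003", t(11))             # denied after revocation
    for pid in ("P004", "P005", "P006", "P007"):
        acl.access("bob", "demographics", pid, t(14, day=4))    # four patients in one day
    return review_log(acl.log), usage_by_category(acl.log)


if __name__ == "__main__":
    findings, usage = run_sample()
    print("\n".join(findings))
    print(usage)
```

The gate denies by default: a user with no current role, or a category outside the role, is refused and the refusal is still logged, so the audit sees attempted as well as successful access. The reporting view carries only counts per category, matching the instruction to prefer aggregated data over individual records.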
Third-Party Access and Business Associates
Any third-party entities, including vendors or contractors, that require access to PHI must enter into a Business Associate Agreement (BAA) with the organization. The BAA outlines the responsibilities and obligations of the third party in protecting PHI, ensuring they comply with HIPAA and other relevant regulations.
Before granting access, the organization conducts due diligence to assess the third party’s security measures and compliance history. Ongoing assessments and audits may be performed to ensure continued adherence to privacy and security standards.
Compliance and Enforcement
Strict compliance with this policy is mandatory for all staff members. The organization enforces this policy through regular training, monitoring, and disciplinary actions when necessary. Violations of the policy may result in consequences ranging from additional training to termination of employment, depending on the severity of the infraction.
Employees are encouraged to report any suspected violations or security concerns to their supervisor or the Privacy Officer without fear of retaliation. All reports are investigated promptly, and appropriate corrective actions are taken to address any issues identified.
Responsibilities
Privacy Officer: The Privacy Officer holds primary responsibility for overseeing the implementation of this policy. This includes ensuring compliance with legal requirements, updating the policy as necessary, and serving as the point of contact for any questions or concerns regarding PHI access and security.
Managers and Supervisors: Managers and supervisors are responsible for ensuring their team members understand and comply with this policy. They must facilitate necessary training, approve access requests appropriately, and monitor adherence to security protocols within their departments.
All Staff Members: Each individual with access to PHI must comply with this policy. Staff members are expected to protect PHI diligently, report any breaches or suspicious activities promptly, and participate in all required training programs. They must also maintain the confidentiality of all PHI and use it only for authorized purposes.
Review and Revision
This policy is subject to annual review or more frequent revisions if necessitated by changes in regulations, technology, or organizational practices. The review process includes evaluating the effectiveness of current procedures, identifying areas for improvement, and updating the policy to address any new risks or compliance requirements. Feedback from staff and audit findings are incorporated to enhance the policy continually.
This policy reflects our organization’s unwavering commitment to protecting patient privacy and ensuring that access to PHI is appropriately limited and managed. By adhering to these guidelines, we uphold the trust placed in us by our patients and comply with all legal and ethical standards governing healthcare information.
Agent and Subcontractor Agreement on Protected Health Information (PHI) for CalAIM ECM & CS Program
Purpose
The purpose of this policy is to ensure that all agents and subcontractors engaged by Pacific Health Group in the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program adhere to the same restrictions and conditions regarding Protected Health Information (PHI) as required of Pacific Health Group. This policy is established to maintain compliance with all applicable federal and state laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA). By implementing this policy, Pacific Health Group aims to protect the privacy and security of PHI and ensure that all parties involved in the ECM & CS Program understand and fulfill their legal and ethical obligations.
Scope
This policy applies to all agents, subcontractors, and any third parties who, on behalf of Pacific Health Group, have access to, use, or disclose PHI while performing services under the CalAIM ECM & CS Program. It encompasses any individual or entity that acts under the authority of Pacific Health Group, including but not limited to consultants, vendors, and service providers, who may interact with PHI in the course of their duties.
Policy Statement
Pacific Health Group mandates that all agents and subcontractors agree to and comply with the same restrictions and conditions concerning PHI that apply to the organization. This requirement is non-negotiable and is a fundamental condition of any contractual or working relationship with Pacific Health Group. Agents and subcontractors must handle PHI in a manner consistent with Pacific Health Group’s policies and procedures, ensuring the confidentiality, integrity, and availability of PHI. They are obligated to adhere to all relevant laws and regulations, including HIPAA, CMIA, and any other applicable federal or state statutes governing the protection of health information.
Procedures
Contractual Agreements
All contracts and agreements with agents and subcontractors must include specific clauses that require adherence to PHI regulations identical to those binding Pacific Health Group. These contractual provisions must outline the responsibilities and obligations of agents and subcontractors regarding the handling, security, and confidentiality of PHI. Where applicable, Pacific Health Group must execute Business Associate Agreements (BAAs) with agents and subcontractors. These BAAs should detail the permissible uses and disclosures of PHI, the implementation of appropriate safeguards, breach notification requirements, and the terms related to the termination of the agreement.
Training and Education
Before accessing any PHI, agents and subcontractors are required to undergo comprehensive training on PHI regulations, data privacy, and security practices. This training is designed to ensure that they fully understand their obligations under HIPAA, CMIA, and Pacific Health Group’s policies. Additionally, Pacific Health Group will provide periodic updates and refresher training sessions to inform agents and subcontractors of any changes in laws, regulations, or organizational policies related to PHI. Agents and subcontractors must actively participate in these training programs and apply the knowledge gained to their daily operations.
Access Control
Access to PHI by agents and subcontractors must be strictly controlled and limited to the minimum necessary information required to perform their assigned duties. Pacific Health Group will implement robust authentication measures to verify the identity of individuals accessing PHI, ensuring that only authorized personnel have access. Agents and subcontractors are prohibited from accessing PHI beyond their authorized scope and must comply with all access control policies and procedures established by Pacific Health Group. Unauthorized access or misuse of PHI is considered a serious violation and may result in immediate termination of the contractual agreement.
Data Security Measures
Agents and subcontractors are required to implement and maintain appropriate technical and physical safeguards to protect PHI during transmission and storage. Technical safeguards may include the use of encryption technologies, secure communication channels, firewalls, and anti-malware software to prevent unauthorized access and data breaches. Physical safeguards involve securing facilities, workstations, and devices that store or transmit PHI, ensuring that only authorized personnel can access these areas and equipment. Agents and subcontractors must regularly assess and update their security measures to address emerging threats and vulnerabilities.
Breach Notification
In the event of a suspected or actual breach of PHI, agents and subcontractors are obligated to immediately report the incident to Pacific Health Group. Prompt notification is critical to allow for timely investigation, mitigation of harm, and compliance with legal reporting requirements. Agents and subcontractors must provide all relevant information about the breach, including the nature of the incident, the PHI involved, and any steps taken to contain and remediate the issue. They must fully cooperate with Pacific Health Group in conducting a thorough investigation and implementing corrective actions to prevent future occurrences.
Subcontracting Conditions
Agents and subcontractors are prohibited from engaging additional subcontractors to perform services involving PHI without obtaining prior written approval from Pacific Health Group. If such approval is granted, agents and subcontractors must ensure that any subcontractors agree in writing to the same PHI restrictions and conditions outlined in their agreement with Pacific Health Group. This includes executing appropriate BAAs and ensuring that subcontractors are aware of and comply with all relevant laws, regulations, and organizational policies. Agents and subcontractors remain responsible for the actions of their subcontractors and must monitor their compliance with PHI requirements.
Audit and Compliance Monitoring
Pacific Health Group reserves the right to conduct audits and compliance reviews of agents and subcontractors to ensure adherence to PHI requirements. Agents and subcontractors must grant access to relevant records, systems, and personnel for the purpose of these audits. In cases where non-compliance is identified, agents and subcontractors are required to develop and implement remediation plans promptly. These plans must be approved by Pacific Health Group and may include corrective actions such as additional training, policy revisions, or enhanced security measures. Failure to address compliance issues satisfactorily may result in termination of the contractual agreement.
Termination Clause
Contracts with agents and subcontractors may be terminated immediately if they fail to comply with PHI obligations or if they breach any terms related to the handling of PHI. Upon termination, agents and subcontractors must return or securely destroy all PHI received from Pacific Health Group, in accordance with organizational policies and applicable laws. They must provide written certification confirming the return or destruction of PHI. If returning or destroying PHI is not feasible, agents and subcontractors must extend the protections of the agreement to the retained PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
Responsibilities
Agents and Subcontractors are responsible for fully understanding and complying with all laws, regulations, and contractual obligations related to PHI. They must participate in all required training programs, implement necessary administrative, technical, and physical safeguards, and ensure that their actions align with Pacific Health Group’s policies and procedures. Agents and subcontractors must promptly report any breaches or incidents involving PHI and cooperate with Pacific Health Group in addressing such issues.
Pacific Health Group is responsible for providing agents and subcontractors with the necessary training, resources, and support to fulfill their PHI obligations. The organization must ensure that all contractual agreements include appropriate PHI provisions and that agents and subcontractors are informed of their responsibilities. Pacific Health Group will monitor compliance with this policy through audits, assessments, and oversight activities, and will enforce policy provisions through contractual remedies, up to and including termination of agreements.
Definitions
- Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in any form or medium, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for the provision of health care.
- Agent: An individual or entity authorized to act on behalf of Pacific Health Group, with the authority to create obligations on behalf of the organization and who may access, use, or disclose PHI in the course of their duties.
- Subcontractor: An individual or entity to whom an agent or contractor delegates a function, activity, or service, other than in the capacity of a member of the workforce of such agent or contractor, and who may access, use, or disclose PHI.
References
- Health Insurance Portability and Accountability Act (HIPAA): Federal law establishing national standards for the protection of individually identifiable health information.
- California Confidentiality of Medical Information Act (CMIA): State law governing the privacy and security of medical information in California.
- CalAIM ECM & CS Program Guidelines: Official guidelines outlining the requirements and objectives of the CalAIM ECM & CS Programs.
Review Cycle
This policy will be reviewed annually or as required by changes in laws, regulations, or organizational practices. The review will assess the policy’s effectiveness and ensure continued compliance with all applicable legal and regulatory requirements. Updates or revisions to the policy will be communicated promptly to all agents, subcontractors, and relevant stakeholders.
Return and Destruction of Protected Health Information (PHI) within the CalAIM ECM & CS Program
Purpose
The purpose of this policy is to establish comprehensive and standardized procedures for the secure return and destruction of Protected Health Information (PHI) within the California Advancing and Innovating Medi-Cal (CalAIM) Enhanced Care Management (ECM) & Community Support (CS) Program. This policy aims to ensure that all PHI is handled in a manner that maintains its confidentiality and integrity, in full compliance with federal and state regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA).
Scope
This policy is applicable to all individuals associated with the CalAIM ECM & CS Program, including employees, contractors, volunteers, and business associates who handle PHI in any form—whether electronic, paper, or oral. It encompasses all activities related to the return and destruction of PHI, ensuring that every stakeholder understands their responsibilities and the procedures to follow.
Definitions
Protected Health Information (PHI): Refers to any individually identifiable health information that is created, received, maintained, or transmitted by the CalAIM ECM & CS Program, in any form or medium.
Return of PHI: The secure process of transferring PHI back to the patient, their authorized representative, or the originating entity from which the information was received.
Destruction of PHI: The irreversible process of eliminating PHI in a manner that renders it unreadable and indecipherable, ensuring that it cannot be reconstructed or retrieved.
Business Associate: An external entity or individual that performs functions or activities on behalf of the CalAIM ECM & CS Program, involving the use or disclosure of PHI.
Policy Statement
The CalAIM ECM & CS Program is committed to the responsible handling of PHI. All PHI must be returned or destroyed securely when it is no longer necessary for the purposes for which it was collected or as required by law. This policy ensures that the handling of PHI adheres to all applicable legal standards, thereby protecting the privacy and security of individuals’ health information.
Procedures
Identification of PHI for Return or Destruction
To maintain compliance and ensure the appropriate handling of PHI, regular audits will be conducted to identify information that is no longer required for operational purposes. These audits involve a thorough review of all PHI repositories, both electronic and physical, to determine which records are eligible for return or destruction. Each identified piece of PHI will be meticulously documented, detailing the type of information, its current status, and the rationale for its return or destruction. This documentation serves as a record to support compliance efforts and facilitate accountability.
Return of PHI
Before returning PHI to patients or originating entities, the necessary authorizations must be obtained. This ensures that the transfer of sensitive information is conducted legally and ethically. For electronic PHI, secure transfer methods such as encrypted email or a secure file transfer service (for example SFTP or an HTTPS portal) must be used to prevent unauthorized access during transmission; if the file itself is encrypted, the passphrase or key must be sent through a separate channel from the file. Physical PHI should be returned using certified mail or bonded courier services that provide tracking capabilities, ensuring that the information reaches the intended recipient safely and promptly.
Each return of PHI must be thoroughly documented. This documentation should include the date of transfer, the recipient’s information, the method used for transfer, and a detailed description of the PHI being returned. Maintaining these records is essential for accountability and for demonstrating compliance during audits or inspections.
Destruction of PHI
When PHI is deemed no longer necessary, it must be destroyed using approved methods to ensure it cannot be reconstructed or accessed. For electronic PHI, media must be sanitized in accordance with NIST Special Publication 800-88 (Guidelines for Media Sanitization), the standard referenced in HHS guidance on disposal of PHI: magnetic media may be cleared or purged by approved overwriting or degaussing, while solid-state and flash media, on which overwriting is not reliable, must be sanitized by cryptographic erase or physical destruction. The older DoD 5220.22-M multi-pass overwrite is no longer a current sanitization standard and must not be relied upon for solid-state media. Paper PHI must be rendered unreadable through cross-cut shredding, pulping, or incineration.
If third-party vendors are engaged to assist with the destruction of PHI, it is imperative to verify that these vendors are certified and comply with HIPAA regulations. Prior to engaging their services, a Business Associate Agreement (BAA) must be executed to formalize the vendor’s responsibilities regarding PHI handling and destruction.
Upon completion of the destruction process, a Certificate of Destruction must be obtained and filed. This certificate should identify the records or media destroyed (including serial numbers of storage devices where applicable) and detail the date of destruction, the method used, and the personnel involved in the process. Keeping these certificates is crucial for demonstrating compliance and for record-keeping purposes.
Storage Before Return or Destruction
Prior to the return or destruction of PHI, all information must be stored in secure locations that employ robust access controls. Only authorized personnel should have access to these storage areas, ensuring that PHI remains protected until the return or destruction process is initiated. Physical storage areas should be locked and monitored, while electronic storage systems should utilize encryption and other security measures to prevent unauthorized access.
Training and Awareness
Ensuring that all relevant personnel are adequately trained in PHI handling, return, and destruction procedures is a critical component of this policy. Mandatory training sessions will be conducted to educate employees, contractors, and business associates on the proper methods for handling PHI, the importance of compliance with relevant laws, and the specific procedures outlined in this policy. Training materials will be reviewed and updated annually or whenever there are significant changes in regulations or operational processes to ensure ongoing compliance and awareness.
Incident Reporting
In the event of any unauthorized disclosure, loss, or breach of PHI, immediate action is required. Such incidents must be reported promptly to the Privacy Officer, who will oversee the response in accordance with the incident response plan. This plan outlines the steps to mitigate risks, contain the breach, and notify affected parties as mandated by law. Timely reporting and response are essential to minimizing the impact of any security incidents and to maintaining trust and compliance.
Compliance and Enforcement
The Privacy Officer is responsible for conducting periodic reviews and audits to ensure adherence to this policy. These reviews help identify any areas of non-compliance and provide opportunities for improvement. Non-compliance with this policy may result in disciplinary actions, which can range from verbal warnings to termination of employment, depending on the severity of the infraction. Consistent enforcement of this policy is vital to maintaining the integrity and security of PHI within the CalAIM ECM & CS Program.
Responsibilities
Privacy Officer:
The Privacy Officer holds the primary responsibility for overseeing the implementation and maintenance of this policy. This includes ensuring that all activities related to the return and destruction of PHI comply with federal and state regulations. The Privacy Officer is also tasked with conducting training sessions, performing regular audits, and addressing any compliance issues that arise.
Employees and Contractors:
All employees and contractors involved in the CalAIM ECM & CS Program must adhere strictly to this policy. They are required to participate in mandatory training sessions, follow established procedures for handling PHI, and promptly report any incidents or breaches to the Privacy Officer. Their cooperation and diligence are essential to safeguarding PHI and maintaining compliance with legal requirements.
References
Federal Laws:
- Health Insurance Portability and Accountability Act (HIPAA) of 1996: Establishes national standards for the protection of PHI.
- Health Information Technology for Economic and Clinical Health (HITECH) Act: Promotes the adoption of health information technology and strengthens HIPAA rules.
State Laws:
- California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code § 56 et seq.: Protects the confidentiality of medical information in California.
- California Data Breach Notification Law, Cal. Civ. Code § 1798.82: Requires entities to notify individuals of data breaches involving personal information.
Policy on the Appropriate Use and Disclosure of Protected Health Information (PHI) within the CalAIM ECM & CS Program
- Purpose
The primary objective of this policy is to delineate comprehensive guidelines and procedures that govern the appropriate use and disclosure of Protected Health Information (PHI) by all personnel involved in the California Advancing and Innovating Medi-Cal Enhanced Care Management & Community Support Service (ECM & CS) Program. This policy ensures that the privacy and security of PHI are maintained in strict accordance with the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and other relevant federal and state regulations. By establishing clear protocols, the organization aims to prevent unauthorized access, use, or disclosure of PHI and to promote a culture of compliance and accountability among all staff, contractors, and subcontractors engaged in the program.
- Scope
This policy is universally applicable to all employees, contractors, subcontractors, and any other individuals or entities that have access to PHI within the CalAIM ECM & CS Program. It encompasses all forms of PHI, whether it is maintained electronically, on paper, or communicated orally. The policy extends to all activities related to the creation, receipt, maintenance, or transmission of PHI, ensuring that every aspect of PHI handling is governed by stringent privacy and security measures.
- Definitions
To ensure clarity and mutual understanding, key terms used within this policy are defined as follows:
- Protected Health Information (PHI): This refers to any individually identifiable health information that is held or transmitted by a covered entity or its business associates, regardless of the medium in which it is stored or conveyed. PHI includes information such as medical records, billing information, and any other data that can be used to identify an individual’s health status or healthcare services.
- CalAIM ECM & CS Program: The California Advancing and Innovating Medi-Cal Enhanced Care Management (ECM) & Community Support (CS) Program is designed to improve care coordination and health outcomes for Medi-Cal beneficiaries. It focuses on providing comprehensive care management services to individuals with complex health needs.
- Inappropriate Use or Disclosure: This term describes any instance where PHI is used or disclosed in a manner that is not authorized under HIPAA, CMIA, or other applicable laws. It encompasses actions that exceed the permissions granted for the use or disclosure of PHI and includes both intentional and unintentional breaches of privacy.
- Policy Statements
Appropriate Use and Disclosure of PHI
All PHI accessed, used, or disclosed within the CalAIM ECM & CS Program must be directly related to the performance of program duties, that is, treatment, payment, or health care operations, or must be required by law. Employees, contractors, and subcontractors are required to adhere to the minimum necessary standard, which stipulates that only the least amount of PHI necessary to accomplish the intended purpose should be accessed or shared. The minimum necessary standard does not apply to disclosures to a health care provider for treatment or to disclosures made to the member. This principle is fundamental in minimizing the risk of unauthorized access or disclosure.
Prohibited Actions
Any unauthorized access, use, or disclosure of PHI is strictly prohibited. This includes using PHI for personal gain, sharing information with individuals or entities that do not have the requisite authorization, and failing to implement adequate safeguards to protect PHI from improper access or disclosure. Such actions undermine the integrity of the CalAIM ECM & CS Program and violate both organizational policies and legal requirements.
- Procedures
Reporting Inappropriate Use or Disclosure
It is imperative that any individual who becomes aware of an inappropriate use or disclosure of PHI promptly reports the incident to the designated Privacy Officer or compliance official. Reports can be submitted verbally or in writing and should provide as much detail as possible to facilitate a thorough investigation. Timely reporting is crucial in mitigating potential harm and addressing breaches effectively.
Investigation
Upon receipt of a report, the Privacy Officer will initiate a comprehensive investigation to ascertain the validity and extent of the inappropriate use or disclosure. The investigation process involves collecting relevant information, interviewing parties involved, and meticulously documenting all findings. This systematic approach ensures that all aspects of the incident are thoroughly examined and that appropriate actions are determined based on factual evidence.
Remediation and Corrective Actions
If the investigation confirms that there has been an inappropriate use or disclosure of PHI, immediate steps will be taken to mitigate any potential harm. This may include notifying affected individuals in accordance with legal requirements. Additionally, corrective actions will be implemented to prevent recurrence. These actions may encompass providing additional training to staff, revising existing procedures, or enhancing safeguards to bolster PHI protection measures.
- Disciplinary Actions
Violations of this policy are taken very seriously and may result in disciplinary measures, which can range from formal reprimands to termination of employment or contracts. For contracted providers and subcontractors, violations may lead to penalties, termination of contracts, or legal action, depending on the severity and nature of the breach. The organization is committed to enforcing these consequences to uphold the integrity of the CalAIM ECM & CS Program and to ensure compliance with all relevant regulations.
- Training and Awareness
To foster a culture of compliance and awareness, all staff, contractors, and subcontractors must undergo comprehensive training on this policy and the applicable laws governing PHI. Training sessions will be conducted regularly to reinforce the importance of PHI protection and to update personnel on any changes to regulations or organizational practices. Additionally, new hires and contractors will receive training as part of their onboarding process, ensuring that they are well-informed about their responsibilities from the outset.
- Compliance and Auditing
Regular audits will be conducted to monitor adherence to this policy and to identify any potential vulnerabilities in the handling of PHI. These audits serve as a proactive measure to detect non-compliance and to address it promptly through appropriate corrective actions. By continuously assessing compliance, the organization can maintain high standards of PHI protection and swiftly respond to any emerging risks or issues.
- Policy Review
This policy is subject to annual review to ensure its continued relevance and effectiveness in light of evolving laws, regulations, and organizational practices. Any necessary updates will be made to reflect changes in the regulatory landscape or operational requirements. Employees, contractors, and subcontractors will be promptly informed of significant changes to the policy to ensure ongoing compliance and awareness.
- References
This policy is grounded in the following legal frameworks and organizational guidelines:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- California Confidentiality of Medical Information Act (CMIA)
- CalAIM Framework and Guidelines
- Contact Information
For any questions, concerns, or further clarification regarding this policy, individuals are encouraged to reach out to the designated Privacy Officer. The Privacy Officer is responsible for overseeing the implementation and enforcement of this policy and can provide guidance on compliance matters.
Acknowledgment
All employees, contractors, and subcontractors involved in the CalAIM ECM & CS Program are required to acknowledge that they have read, understood, and agree to comply with the provisions outlined in this policy. This acknowledgment is a condition of their employment or contract engagement and underscores the organization’s commitment to safeguarding PHI.
This policy establishes a robust framework for the appropriate use and disclosure of PHI within the CalAIM ECM & CS Program. By adhering to these guidelines, the organization ensures the protection of sensitive health information, maintains compliance with legal obligations, and upholds the trust of the individuals it serves.
CalAIM ECM & CS Program Policy for Member Requests of Protected Health Information (PHI) Disclosures
- Purpose
The purpose of this policy is to delineate the procedures and guidelines that enable members of the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program to request and obtain disclosures of their Protected Health Information (PHI). This policy ensures that such requests are handled in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant federal and state privacy regulations. It underscores our commitment to safeguarding members’ rights to access their personal health information while maintaining the confidentiality and security of that information.
- Scope
This policy is applicable to all members enrolled in the CalAIM ECM & CS Program and extends to all employees, contractors, and agents of Pacific Health Group who are involved in handling PHI within the program. It provides a comprehensive framework for managing requests for PHI disclosures, ensuring consistency and compliance across all interactions with members.
- Definitions
To ensure clarity, the following key terms are defined within this policy:
- Protected Health Information (PHI): This refers to any individually identifiable health information held or transmitted by the CalAIM ECM & CS Program, whether in electronic, paper, or oral form. PHI includes information related to the member’s physical or mental health condition, healthcare provision, or payment for healthcare services.
- Member: An individual who is enrolled in the CalAIM ECM & CS Program and is eligible to receive services and support under the program.
- Request for Disclosure: A formal request initiated by a member seeking access to their PHI. This request can pertain to obtaining copies of their health records, seeking corrections, or requesting an accounting of disclosures.
- Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with a HIPAA standard transaction and is therefore subject to the HIPAA Privacy and Security Rules. Pacific Health Group handles PHI subject to these rules for purposes of this policy.
- Policy Statement
The CalAIM ECM & CS Program is dedicated to upholding members’ rights to access and obtain copies of their PHI. This policy outlines the standardized procedures for submitting, processing, and responding to such requests promptly and securely. By adhering to this policy, Pacific Health Group ensures compliance with all relevant laws and maintains the integrity and confidentiality of members’ health information.
- Member Rights
Under this policy, members are entitled to several rights concerning their PHI:
- Access to PHI: Members have the right to access and obtain copies of their PHI maintained by the CalAIM ECM & CS Program.
- Request for Corrections: Members can request amendments or corrections to their PHI if they believe it is inaccurate or incomplete.
- Accounting of Disclosures: Members are entitled to receive an accounting of disclosures, detailing when and to whom their PHI has been disclosed.
- Request for Restrictions: Members may request limitations on certain uses and disclosures of their PHI, although Pacific Health Group is not obligated to agree to these restrictions except as required by law.
- Confidential Communications: Members can request that communications of their PHI be conducted in a specific manner or at specific locations to enhance their privacy.
- Procedures for Requesting PHI Disclosure
6.1. Submitting a Request
Members wishing to request disclosure of their PHI must complete the standardized “Request for PHI Disclosure” form. This form is accessible through the Pacific Health Group website, available upon request from the Privacy Officer, or can be obtained in person at designated Pacific Health Group offices. Once completed, the request can be submitted through various channels, including a secure online portal, fax, mail, or in-person delivery. These multiple submission methods are designed to accommodate the diverse preferences and needs of our members.
6.2. Verification of Identity
To protect the security and confidentiality of PHI, Pacific Health Group requires verification of the member’s identity before processing any disclosure request. The Privacy Officer is responsible for this verification process. Acceptable methods of verification include presenting a government-issued photo ID or providing sufficient personal identifying information, such as the member’s date of birth and Social Security Number. Because date of birth and Social Security Number are not secret and are frequently exposed in data breaches, they should not be relied upon alone for requests submitted remotely; such requests should also be matched against the member’s contact information on file or authenticated through the member’s secure portal login. The method of verification used must be recorded with the request. This step ensures that PHI is only disclosed to the rightful individual, preventing unauthorized access.
6.3. Processing the Request
Upon receiving a request for PHI disclosure, the Privacy Officer will acknowledge receipt within five business days. This acknowledgment will inform the member of the expected timeline for processing the request. The Privacy Officer will then conduct a thorough review of the request to determine its scope and ensure that it complies with HIPAA and other applicable regulations. If the request is approved, the necessary PHI will be compiled and prepared for disclosure in a secure manner. In cases where the request is denied, the Privacy Officer will provide a written explanation detailing the reasons for denial and inform the member of their right to appeal the decision.
6.4. Timelines
Pacific Health Group is committed to responding to standard PHI disclosure requests within thirty calendar days from the date of receipt, the maximum period permitted under the HIPAA right of access. In circumstances where additional time is required to process the request, the Privacy Officer will notify the member within the initial thirty-day period, explaining the reasons for the delay and providing a new expected completion date. Only one extension is permitted, and it will not exceed an additional thirty days, ensuring that members receive timely access to their PHI. Where California law sets a shorter deadline for a particular type of request, the shorter deadline governs.
6.5. Delivery of PHI
Members have the flexibility to choose how they receive their PHI once their request has been processed. Options include secure mail, electronic download (subject to applicable consents and security measures), or in-person pickup at designated Pacific Health Group offices. This choice allows members to select the method that best suits their privacy and convenience preferences.
6.6. Fees
While Pacific Health Group strives to provide access to PHI without unnecessary barriers, reasonable, cost-based fees may be charged for copying and mailing PHI as permitted by law. Members will be informed of any applicable fees prior to the processing of their request, ensuring transparency and allowing members to make informed decisions regarding their request.
- Appeals Process
In instances where a member’s request for PHI disclosure is denied, the policy provides a clear and accessible appeals process. Members can submit a written appeal to the Privacy Officer within sixty days of receiving the denial notice. The Privacy Officer will then review the appeal and provide a written response within thirty days. If the member remains dissatisfied with the outcome of the appeal, they have the option to file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS). This structured appeals process ensures that members have multiple avenues to seek resolution and uphold their rights.
- Responsibilities
The successful implementation of this policy relies on the dedicated roles of various individuals within Pacific Health Group:
- Privacy Officer: The Privacy Officer holds primary responsibility for overseeing the implementation of this policy. This includes ensuring that all PHI disclosure requests are handled in compliance with HIPAA and other relevant regulations. The Privacy Officer is also tasked with training staff on the procedures for PHI disclosure, maintaining records of requests and responses, and serving as the primary point of contact for members regarding PHI disclosures.
- Staff Members: All staff involved in handling PHI requests must adhere strictly to this policy. This involves protecting the confidentiality and security of PHI throughout the request process, following established protocols for processing requests, and maintaining professionalism and sensitivity when interacting with members.
- Security and Confidentiality
Maintaining the security and confidentiality of PHI is paramount. All disclosures of PHI must be conducted in a manner that prevents unauthorized access, use, or disclosure. Staff members are required to follow organizational security protocols, which include secure storage of PHI, encryption of electronic records, and ensuring that PHI is transmitted through secure channels. Additionally, access to PHI is restricted to authorized personnel only, and all disclosures are logged and monitored to detect and prevent any breaches of confidentiality.
- Training and Awareness
To ensure that all employees and contractors are equipped to handle PHI requests appropriately, Pacific Health Group provides regular training sessions. These training programs cover the details of this policy, relevant laws and regulations, and best practices for protecting PHI. Ongoing education ensures that staff remain informed about any updates to policies or regulations and are proficient in implementing the procedures required to safeguard PHI effectively.
- Compliance and Monitoring
Pacific Health Group is committed to maintaining the highest standards of compliance with this policy and applicable laws. To this end, regular audits of PHI disclosure requests are conducted to assess adherence to established procedures and identify any areas for improvement. These audits help ensure that all requests are processed consistently and in compliance with HIPAA and other relevant regulations. Any instances of non-compliance are addressed promptly and may result in disciplinary actions, including termination of employment or contracts, to uphold the integrity of the program.
- Policy Review
This policy is subject to an annual review to ensure its continued relevance and effectiveness. During each review cycle, Pacific Health Group will assess the policy in light of any changes to laws, regulations, or organizational practices. Updates and revisions will be made as necessary to maintain compliance and to address emerging needs or challenges related to PHI disclosures.
- Contact Information
For any questions, assistance, or further information regarding PHI disclosure requests, members are encouraged to contact the Privacy Officer. The Privacy Officer serves as the primary resource for guidance and support in navigating the PHI disclosure process.
Requesting an Accounting of Disclosures of Protected Health Information (PHI)
- Purpose
The CalAIM ECM & CS Program is dedicated to safeguarding the privacy and security of its members’ Protected Health Information (PHI). This policy delineates the procedures and guidelines that members must follow to request an accounting of disclosures of their PHI. By providing a clear and transparent process, the program ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and relevant California state laws, thereby upholding the trust and confidence of its members.
- Scope
This policy is applicable to all individuals enrolled in the CalAIM ECM & CS Program, encompassing both current and former members. It covers all instances where PHI has been disclosed, whether such disclosures occurred in electronic, paper, or oral form. The policy ensures that, upon request, members receive an accounting of all disclosures other than those HIPAA excludes from the accounting requirement, principally disclosures made for treatment, payment, or healthcare operations, disclosures made to the member, and disclosures made under the member’s written authorization. Disclosures that are required by law, such as court-ordered releases and mandatory public health reporting, are not excluded and must be accounted for.
- Definitions
Protected Health Information (PHI): This refers to any information that can identify an individual and relates to their physical or mental health condition, provision of healthcare, or payment for healthcare services. PHI is protected under HIPAA and relevant state laws, regardless of the format in which it is held or transmitted.
Accounting of Disclosures: This is a detailed record of specific instances where a member’s PHI has been disclosed by the CalAIM ECM & CS Program. It includes information about the date of disclosure, the recipient of the PHI, a description of the information disclosed, and the purpose of the disclosure. Disclosures made for treatment, payment, or healthcare operations, disclosures to the member, and disclosures made under the member’s written authorization are excluded from this accounting, as HIPAA permits; disclosures required by law are included.
Member: An individual who is enrolled in the CalAIM ECM & CS Program and possesses rights under HIPAA and applicable state privacy laws regarding their PHI.
- Policy Statement
The CalAIM ECM & CS Program is firmly committed to maintaining the privacy and security of its members’ PHI. In alignment with HIPAA and pertinent California state regulations, members are entitled to request a comprehensive accounting of disclosures of their PHI. This policy ensures that such requests are handled efficiently, transparently, and in strict adherence to all legal requirements.
- Procedure for Requesting an Accounting of Disclosures
5.1 Submission of Request
Members wishing to obtain an accounting of disclosures of their PHI must follow a structured process to ensure accuracy and security. The first step involves completing the “Request for Accounting of Disclosures of PHI” form.
When completing the request form, members must provide essential information to facilitate the accurate retrieval of their PHI disclosures. This includes their full name, contact information, date of birth, and member identification details such as their member ID. Additionally, members should specify the time frame for which they are requesting the accounting, which may cover up to the six years preceding the date of the request, the maximum period for which HIPAA requires a covered entity to account. Providing any additional details that could assist in locating the relevant PHI disclosures is also encouraged to ensure a comprehensive and accurate accounting.
Once the form is duly completed, members have the option to submit their request either by mailing it to the designated address
Alternatively, members may choose to submit the request electronically via email to privacy@mypacifichealth.com. Standard email is not an encrypted channel, so members submitting electronically should include only the information the form requires and may submit by mail instead if they prefer not to send identifying details by email.
5.2 Verification of Identity
Upon receipt of a request for an accounting of disclosures, the CalAIM ECM & CS Program undertakes a thorough verification process to confirm the identity of the requester. This step is crucial to ensure that PHI is only disclosed to authorized individuals. Verification may involve cross-referencing the information provided on the request form with existing records. In instances where the provided information is insufficient or incongruent, the program may request additional documentation or information from the requester to authenticate their identity before proceeding with the accounting.
- Timeframe for Response
The CalAIM ECM & CS Program is committed to processing accounting requests promptly. In accordance with HIPAA regulations, the program aims to complete the processing of such requests within sixty (60) calendar days from the date of receipt. Should the program anticipate that additional time is required to fulfill the request, it will inform the requester in writing within the initial sixty-day period. This notification will include the reasons for the delay and the date by which the accounting will be provided; HIPAA permits a single extension of no more than thirty (30) additional days. This commitment ensures that members receive timely responses while allowing adequate time to compile accurate disclosures.
- Format of Accounting
Members may receive their accounting of disclosures in the format that best suits their preferences. The program offers the option of providing the accounting electronically as a secure PDF or in paper form. The choice of medium is determined based on the member’s stated preference at the time of the request.
The accounting itself will include detailed information for each disclosure, such as the date the PHI was disclosed, the name and, if known, the address of the entity or individual who received the PHI, a concise description of the PHI disclosed, and the purpose behind the disclosure. Disclosures made for purposes of treatment, payment, and healthcare operations, disclosures to the member, and disclosures made under the member’s written authorization are excluded from this accounting, as permitted under HIPAA regulations. Disclosures required by law are included. This focuses the accounting on the releases a member would otherwise have no way of knowing about, without impeding essential healthcare functions.
- Fees
In alignment with HIPAA regulations, the CalAIM ECM & CS Program provides the first accounting of disclosures requested by a member in any twelve-month period free of charge. For each subsequent request within that twelve-month period, the program may impose a reasonable, cost-based fee. These fees are designed to cover the costs associated with processing the request, including labor costs for preparing the accounting and any expenses related to the delivery method chosen by the member, such as postage for mailed documents.
Members will be informed of any applicable fees prior to the commencement of processing their request and given the opportunity to withdraw or modify the request in order to avoid or reduce the fee. In cases where members may face financial hardship, the program may offer fee waivers or reductions. Members seeking a waiver must provide appropriate documentation demonstrating their financial situation, and the Privacy Officer will evaluate such requests on a case-by-case basis to determine eligibility.
- Contact Information
For any inquiries or assistance related to the process of requesting an accounting of disclosures of PHI, members are encouraged to reach out to the Privacy Officer. The Privacy Officer is available to provide guidance, answer questions, and facilitate the request process to ensure that members’ rights are fully respected and upheld.
- Compliance and Privacy
The CalAIM ECM & CS Program strictly adheres to all federal and state laws governing the protection and disclosure of PHI. Every accounting request is handled with the utmost confidentiality and security to prevent unauthorized access or disclosure of sensitive information. The program employs robust safeguards, both administrative and technical, to ensure that PHI is protected throughout the request and accounting process. This commitment to compliance and privacy underscores the program’s dedication to maintaining the trust and confidence of its members.
- Appeals Process
In the event that a member is dissatisfied with the response received regarding their accounting request, the CalAIM ECM & CS Program provides a structured appeals process to address and resolve such concerns.
Submitting an Appeal:
Members must submit a written notice of their dissatisfaction to the Privacy Officer within sixty (60) days of receiving the initial response to their accounting request. The notice should clearly articulate the reasons for dissatisfaction and any specific aspects of the response that are in question.
Review of Appeal:
Upon receiving an appeal, the Privacy Officer will conduct a comprehensive review, which may include investigating the circumstances surrounding the original response and any additional relevant information. The Privacy Officer is responsible for ensuring that the appeal is addressed fairly and thoroughly. A written decision regarding the appeal will be provided to the member within thirty (30) days of receiving the appeal notice.
Further Actions:
If, after the internal appeals process, the member remains dissatisfied with the outcome, they retain the right to escalate their concerns. Members may file a formal complaint with the California Office of the Attorney General or the U.S. Department of Health and Human Services Office for Civil Rights. These bodies are responsible for enforcing privacy laws and can provide further avenues for resolution.
- Policy Review and Updates
To ensure ongoing compliance with evolving legal standards and best practices in privacy protection, the CalAIM ECM & CS Program will conduct an annual review of this policy. During each review, the program will assess the effectiveness of the current procedures, incorporate any changes in federal or state laws, and make necessary updates to enhance the policy. Members will be informed of significant changes to the policy, and updated versions will be made accessible through the program’s official communication channels.
Member Requests for Restrictions on Use and Disclosure of Protected Health Information (PHI)
- Purpose
The CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program is committed to safeguarding the privacy and security of its members’ Protected Health Information (PHI). This policy establishes a comprehensive framework for members to request restrictions on the use and disclosure of their PHI. By outlining clear procedures and guidelines, the policy ensures compliance with federal and state regulations, including the Health Insurance Portability and Accountability Act (HIPAA), while respecting and upholding the privacy rights of our members.
- Scope
This policy applies to all individuals enrolled in the CalAIM ECM & CS Program, including members, employees, contractors, and affiliates who have access to PHI within the program. It encompasses all forms of PHI, whether in electronic, paper, or oral formats, and ensures that every member’s request for restrictions is handled consistently and respectfully across the organization.
- Definitions
For clarity and consistency, the following definitions apply throughout this policy:
- Protected Health Information (PHI): Refers to any individually identifiable health information that is created, received, maintained, or transmitted by the CalAIM ECM & CS Program, in any form or medium, including electronic, paper, or oral communications.
- Member: An individual enrolled in the CalAIM ECM & CS Program who is entitled to receive care and services under the program.
- Restriction Request: A formal request submitted by a member to limit the use or disclosure of their PHI beyond the standard permissions granted under HIPAA regulations.
- Covered Entity: The CalAIM ECM & CS Program, as defined under HIPAA, which is responsible for ensuring the protection and privacy of PHI.
- Policy Statement
Members of the CalAIM ECM & CS Program possess the right to request restrictions on how their PHI is used and disclosed. While the program is not obligated to agree to every requested restriction, it must carefully consider each request in accordance with HIPAA regulations and applicable state laws. One restriction must be honored: under the HIPAA Privacy Rule, where a member has paid for an item or service out of pocket in full and asks that the PHI about it not be disclosed to a health plan for payment or healthcare operations, the program must agree unless the disclosure is otherwise required by law. The CalAIM ECM & CS Program is dedicated to balancing the privacy preferences of its members with the necessity of providing effective and coordinated care.
- Procedures
5.1. Request Submission
Members wishing to request restrictions on their PHI must initiate the process by completing the “PHI Restriction Request Form.” This form is accessible through the CalAIM ECM & CS Program’s member portal, can be obtained by mail, or picked up in person at any program office. To ensure the request is processed efficiently, members must provide comprehensive information, including their identifying details, a specific description of the PHI they wish to restrict, the rationale behind the restriction, and the desired duration for which the restriction should remain in effect.
5.2. Acknowledgment of Request
Upon receiving a restriction request, the CalAIM ECM & CS Program will promptly acknowledge receipt of the request in writing within fifteen (15) business days. This acknowledgment serves to inform the member that their request is under review and provides an initial timeline for the evaluation process.
5.3. Review Process
The Privacy Officer of the CalAIM ECM & CS Program is responsible for overseeing the review of each restriction request. The review involves assessing the validity and scope of the requested restriction and evaluating its potential impact on the program’s operations and the member’s care. The Privacy Officer will consider whether the requested restriction is reasonable and whether it would interfere with the program’s ability to provide necessary care and services. After a thorough assessment, the Privacy Officer will communicate the decision to the member in writing within sixty (60) days of receiving the request. If additional time is required to make a determination, the member will be informed of the delay and provided with an updated timeline.
5.4. Implementation of Approved Restrictions
When a restriction request is approved, the CalAIM ECM & CS Program will document the restriction in the member’s PHI records. The program will ensure that all relevant staff and departments are informed of the restriction and understand their responsibilities in adhering to it. To facilitate compliance, staff members will receive targeted training regarding the specific restrictions placed on the member’s PHI. Additionally, the Privacy Officer will continuously monitor adherence to the approved restrictions and address any instances of non-compliance promptly to maintain the integrity of the member’s privacy preferences.
5.5. Denial of Restrictions
In instances where a restriction request cannot be accommodated, the member will receive a written notice explaining the reasons for the denial. This notice will also inform the member of their right to file a complaint with the Secretary of the Department of Health and Human Services (HHS) if they believe their rights under this policy have been violated. The CalAIM ECM & CS Program strives to provide clear and transparent communication to members regarding the outcomes of their restriction requests.
- Member Rights
Members of the CalAIM ECM & CS Program are entitled to several rights concerning their PHI, including:
- The right to request restrictions on the use and disclosure of their PHI.
- The right to receive a written response to their restriction request, detailing whether it has been approved or denied.
- The right to revoke a previously granted restriction at any time, provided the revocation is submitted in writing.
- The right to file a complaint if they believe their rights under this policy have been infringed upon.
These rights empower members to have greater control over their personal health information and ensure that their privacy preferences are respected.
- Responsibilities
The effective implementation of this policy relies on the commitment of various roles within the CalAIM ECM & CS Program:
- Privacy Officer: The Privacy Officer is charged with overseeing the entire restriction request process, ensuring that all procedures are followed meticulously, and maintaining compliance with this policy. They serve as the primary contact for all privacy-related inquiries and are responsible for training staff on privacy matters.
- Program Staff: All staff members who handle PHI must comply with any approved restrictions, participate in relevant training sessions, and promptly report any breaches or violations of PHI privacy to the Privacy Officer.
- Members: Members are responsible for submitting accurate and complete restriction requests and notifying the program of any changes to their privacy preferences. By providing detailed and timely information, members facilitate the effective processing of their requests.
- Compliance
The CalAIM ECM & CS Program adheres strictly to the HIPAA Privacy Rule and all other applicable federal and state laws governing the protection of PHI. Compliance is not only a legal obligation but also a fundamental aspect of maintaining the trust and confidence of our members. Failure to comply with this policy may result in disciplinary actions, including termination of employment or contractual agreements, and may lead to legal consequences for both individuals and the organization.
- Exceptions
There are certain circumstances under which the CalAIM ECM & CS Program may be unable to accommodate restriction requests. These exceptions are primarily related to ensuring the safety and well-being of members and the effective operation of the program. Key exceptions include:
- Emergency Situations: In cases where immediate access to PHI is necessary to prevent serious harm to the member or others, restrictions may be overridden to facilitate timely and appropriate care.
- Legal Requirements: When disclosure of PHI is mandated by law, such as through court orders or mandatory public health reporting, the program must comply regardless of any requested restrictions.
- Program Operations: If a restriction would significantly impede the program’s ability to operate effectively and deliver necessary services, the request may be denied to maintain the integrity and functionality of care provision.
These exceptions are carefully considered to balance the privacy rights of members with the imperative to provide safe and effective care.
- Review and Revision
To ensure ongoing compliance with legal requirements and alignment with best practices, this policy will undergo an annual review conducted by the Privacy Officer. During the review process, the policy will be assessed for any necessary updates or modifications. Revisions will be made as needed to address changes in laws, regulations, or organizational practices, thereby ensuring that the policy remains current and effective in protecting members’ PHI.
Procedure for Members to Request Amendments to Protected Health Information (PHI)
- Purpose
The purpose of this policy is to delineate a clear and comprehensive procedure for members of the CalAIM Enhanced Care Management (ECM) & Community Support (CS) Program to request amendments to their Protected Health Information (PHI). Accurate and complete PHI is crucial for delivering effective care, fostering patient trust, and ensuring compliance with federal and state regulations, including the Health Insurance Portability and Accountability Act (HIPAA). This policy ensures that members have a straightforward and transparent pathway to correct any inaccuracies in their health information, thereby supporting the integrity of the CalAIM ECM & CS Program’s data management practices.
- Scope
This policy is applicable to all members enrolled in the CalAIM ECM & CS Program, as well as to all staff and third-party entities that handle PHI within the program. It encompasses all forms of PHI as defined by HIPAA and relevant California state laws, ensuring that every piece of individually identifiable health information maintained by the program can be accurately amended upon the member’s request.
- Definitions
Protected Health Information (PHI): PHI refers to any information about an individual’s health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. This includes data in any form—electronic, paper, or oral—that is maintained or transmitted by the CalAIM ECM & CS Program.
Member: A member is an individual who is enrolled in the CalAIM ECM & CS Program and is the subject of PHI held by the program.
Amendment Request: This is a formal request made by a member to correct or modify their PHI. Such requests aim to rectify inaccuracies or update incomplete information within the member’s health records.
Covered Entity: Under HIPAA, the CalAIM ECM & CS Program qualifies as a covered entity, meaning it is responsible for protecting the privacy and security of PHI and ensuring compliance with relevant laws and regulations.
- Policy Statement
The CalAIM ECM & CS Program is unwavering in its commitment to maintaining the accuracy and integrity of each member’s PHI. Recognizing the vital role that precise health information plays in effective care delivery, the program empowers members with the right to request amendments to their PHI. This policy outlines the procedures and responsibilities involved in processing such requests, ensuring that they are handled efficiently, respectfully, and in full compliance with HIPAA and applicable state laws.
- Procedures
5.1. Submission of Amendment Request
Members wishing to amend their PHI can initiate the process through several avenues. The preferred method is to submit a written request, which can be delivered via traditional mail, email, fax, or through a secure online portal specifically designed for the CalAIM ECM & CS Program. While written requests are ideal for maintaining clear documentation, the program also accommodates verbal requests. In such cases, members must follow up their verbal initiation with a written request to ensure proper documentation and processing.
5.2. Required Information for the Request
To facilitate the amendment process, members must provide comprehensive information within their request. This includes:
- Identification Information: Members must clearly identify themselves by providing their full name, date of birth, member ID, and current contact information. This information is essential to accurately locate and verify the relevant PHI within the program’s records.
- Description of the PHI to be Amended: A detailed description of the specific information that is believed to be incorrect or incomplete should be included. This helps in pinpointing the exact data that needs review and potential modification.
- Reason for the Amendment: Members should explain why they believe the information is inaccurate or incomplete. Providing a clear rationale aids in the assessment of the request’s validity.
- Supporting Documentation: Any evidence or documentation that substantiates the request for amendment should be attached. This could include medical records, correspondence, or other relevant materials that support the member’s claim.
5.3. Processing the Request
Upon receipt of an amendment request, the CalAIM ECM & CS Program undertakes a systematic process to ensure the request is handled appropriately:
- Acknowledgment of Receipt: Within five business days of receiving the request, the program sends an acknowledgment to the member, confirming that the request has been received and is being processed.
- Review of the Request: The program carefully examines the request to determine its validity. This involves identifying the specific PHI in question and assessing the nature of the requested amendment.
- Investigation and Determination of Eligibility: A thorough investigation is conducted to evaluate whether the requested amendment is justified based on the evidence provided and the existing records. The program considers the accuracy, completeness, and relevance of the PHI in question.
- Amending PHI if Appropriate: If the request is deemed appropriate and justified, the program updates the PHI accordingly. This ensures that all relevant systems and records reflect the accurate and up-to-date information.
- Notification of Relevant Parties: In instances where the amended PHI has been shared with other parties, the program informs those parties of the changes, ensuring that all stakeholders have the most current and accurate information.
5.4. Response Timeline
The CalAIM ECM & CS Program is committed to responding to amendment requests within a 60-day period from the date of receipt. This timeframe allows for a comprehensive review and accurate processing of the request. If additional time is necessary to complete the review, the program will inform the member in writing within the initial 60-day window, providing the reason for the delay and an estimated completion date. Extensions may be granted for up to an additional 30 days if needed, ensuring that members are kept informed throughout the process.
5.5. Denial of Amendment Request
In cases where an amendment request cannot be approved, the CalAIM ECM & CS Program provides a written explanation to the member. This explanation includes the specific reasons why the amendment cannot be made, ensuring transparency in the decision-making process. Additionally, the member is informed of their right to submit a written statement, which the program will include in the member’s PHI to present the member’s perspective. The notice also outlines the member’s right to appeal the decision, including detailed instructions on how to proceed with an appeal, relevant timelines, and the necessary procedures to follow.
5.6. Appeal Process
If a member is dissatisfied with the response to their amendment request, they have the right to file an appeal. The appeal process involves several steps to ensure that the member’s concerns are thoroughly reviewed and addressed:
- Submission of a Written Appeal: The member must submit a written appeal addressed to the designated privacy officer. This appeal should include details of the original amendment request, the response received, and the reasons for disagreement with the decision.
- Review of the Appeal: The privacy officer conducts a comprehensive review of the appeal, re-evaluating the original request and the program’s response. This review is conducted impartially to ensure that the member’s concerns are fairly considered.
- Final Decision: After completing the review, the privacy officer communicates the final decision to the member in writing. This notice includes information on any further steps the member can take if they remain dissatisfied, ensuring that the member is fully informed of their options.
- Roles and Responsibilities
Ensuring the effective implementation of this policy involves clearly defined roles and responsibilities:
- Privacy Officer: The privacy officer plays a pivotal role in overseeing the amendment request process. They ensure that all procedures comply with relevant policies and regulations, manage the appeal process, and serve as the primary point of contact for members seeking to amend their PHI.
- Program Staff: Staff members are responsible for assisting members in submitting their amendment requests. They provide necessary information, guide members through the process, and implement approved amendments in the program’s records.
- IT Department: The IT department ensures that all systems housing PHI are updated to reflect approved amendments. They also maintain the security and integrity of PHI, safeguarding it against unauthorized access or breaches.
- Confidentiality
Maintaining the confidentiality of all amendment requests and related communications is paramount. The CalAIM ECM & CS Program ensures that only authorized personnel have access to information pertaining to amendment requests, in strict accordance with HIPAA and program-specific confidentiality policies. This commitment to confidentiality upholds the trust that members place in the program and protects their sensitive health information from unauthorized disclosure.
- Training
To guarantee that all staff members are equipped to handle amendment requests effectively and compliantly, the CalAIM ECM & CS Program provides regular training. This training covers the details of this policy, relevant federal and state laws, and best practices for managing PHI. Continuous education ensures that staff remain knowledgeable about current regulations and are proficient in implementing the procedures outlined in this policy.
- Recordkeeping
Comprehensive recordkeeping is essential for accountability and compliance. The CalAIM ECM & CS Program maintains detailed records of all amendment requests, including the requests themselves, responses provided, and any related communications. These records are securely stored and retained for a minimum of six years, in line with HIPAA and state regulations. Access to these records is restricted to authorized personnel only, ensuring that sensitive information is protected at all times.
- References
This policy is informed by and adheres to the following regulations and guidelines:
- Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: Federal regulations that establish standards for the protection of PHI and outline members’ rights regarding their health information.
- California Confidentiality of Medical Information Act (CMIA): State laws that provide additional protections for the confidentiality and security of medical information in California.
- CalAIM ECM & CS Program Guidelines and Regulations: Internal guidelines and regulatory requirements specific to the CalAIM ECM & CS Program that govern the handling and management of PHI.
Review Cycle: This policy is subject to annual review or as necessitated by changes in applicable laws and regulations to ensure ongoing compliance and effectiveness.