PRIVACY INCIDENT REPORT For all HHSA Programs/Regions/Divisions and Article 14 Contractors STAFF INVOLVED IN PRIVACY INCIDENT Staff Involved were County Employees Contractors County Program/Region: If Contractor: Contractor/Program Name: Name of COR: COR Phone Number: Contract #: Name of Staff Involved: Privacy Training Job Title and Duties: Location/Worksite: Date: Name of Staff involved: Privacy Training Job Title and Duties: Location/Worksite: Date: If last privacy training in excess of 12 months: Date staff last signed a confidentiality statement: Reason annual training not completed timely: INCIDENT DETAILS Describe Incident (Include address and location of incident, what happened, and how you found out): DO NOT INCLUDE ANY PROTECTED INFORMATION ON THIS REPORT Date Incident Occurred: Date Discovered: Police Report Filed? Yes No If yes, report #: If privacy incident report is more than 1 day after incident, explain: DATA INVOLVED IN INCIDENT Summary of Data involved (such as type of documents): # of Individuals’ Data Involved: (check if estimate ) Type of Data Involved: Check all that apply. Provide a breakdown of the individuals whose data was involved: First Name or Initial Last Name # of Adults not on Medi-Cal # of adults on Medi-Cal CIN or Medi-Cal # SSN # of Minors not on Medi-Cal # of Minors on Medi-Cal Membership # DOB Type/s of Media Involved: Check all that apply: Address/Zip Code Telephone # Paper Desktop Smart Phone EBT Card Appointment Info Case number Email Laptop Other Cell Phone Appt Book Credit Card/Bank Acct# EBT Number Verbal Tablet Medication Bottle Label Driver’s License # Other ID # Computer System; system name (ie CalWIN): Diagnosis or Condition Medications Other media; explain: HIV/AIDS Test Results Other Labs Types of Data Involved: Check all that apply: User Name/Email Address & Password Mental Health Info Substance Abuse Records Health Plan Name (including Medi-Cal) Physical Health or Medical Data Case Status HIPAA Psychotherapy Notes (separate from EHR) Court or Police Reports Health Insurance Claims Info Other; explain: MITIGATIONS Do you suspect data was viewed by an unauthorized person?: Yes No Explain: Was data eventually recovered? Yes Explain how, when, and who has data now: No Explain why not recovered and attempts to retrieve: For email incidents: Date (or dates) staff requested recipient delete email: Date deletion of email was confirmed by recipient: For privacy incidents that involve loss or theft of assets (such as computer or phone): For Contractor incidents: For County incidents: Was data encrypted per NIST standards? Yes No County laptop, tablet, or phone asset #: Was device encrypted: Yes No Date device wipe request submitted to IT: Date device wipe confirmed by IT: Was device wiped: Yes No Date of wipe: If wipe request not sent to IT within one day, explain:

Describe Data Security, mitigating factors, and corrective actions taken (and dates, as applicable): Date written notification letter sent to client/s: If notification not sent to clients, explain rationale: For contractors only: Is your Program covered by HIPAA: Yes No (if no, skip this section) If yes, do you plan to notify OCR? Yes Note: Provide date of OCR notification and OCR report number via email once submitted. No Provide low risk analysis summary: SIGNATURE Name of Staff Completing Report (Staff completing form cannot be involved in incident): Job Title: Date: Phone #:

0dd90c5abc8c4bd33072d422defb669a.docx 1