Common use of Initial Notice to DHCS Clause in Contracts

Initial Notice to DHCS. The County Department/Agency will provide initial notice to DHCS by email, or alternatively, by telephone if email is unavailable, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of PII or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available on the DHCS Privacy Office website at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All PIRs and supporting documentation are to be submitted to DHCS via email using the “DHCS Breach and Security Incidents Reporting” contact information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of PII, the County Department/Agency shall take: 1. Prompt action to mitigate any risks or damages involved with the occurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence required by applicable Federal and State laws and regulations.

Appears in 3 contracts

Samples: Data Privacy & Security, Privacy and Security Agreement, Data Sharing Agreement

AutoNDA by SimpleDocs

Initial Notice to DHCS. The County Department/Agency will provide initial notice to shall notify DHCS by email, or alternatively, by telephone if email is unavailable, using DHCS’ online incident reporting portal of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII or potential loss of PII with a copy to CDSSMedi-Cal PII. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform When making notification, the following incident reporting to DHCSapplies: 1. If a suspected security incident involves Medi-Cal PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve Medi-Cal PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) promptly and in no event later than one working day of discovery. If it is unclear discovery of: a. Unsecured Medi-Cal PII if the Medi-Cal PII is reasonably believed to have been accessed or acquired by an unauthorized person; b. Any suspected security incident involves SSA datawhich risks unauthorized access to Medi-Cal PII and/or; c. Any intrusion or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement; or d. Potential loss of Medi-Cal PII affecting this Agreement. Notice to DHCS shall include all information known at the time the incident is reported. The County Department/Agency shall immediately report can submit notice via the DHCS incident upon discovery. A County Department/Agency shall notify reporting portal which is available online at: xxxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/default.aspx If DHCS’ online incident reporting portal is unavailable, notice to DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall can instead be made via email using the DHCS Privacy Incident Report (PIR) form, including all information known at . The email address to submit a PIR can be found on the timePIR and in subsection H of this section. The County Department/Agency shall use the most current version of this formthe PIR, which is available on the DHCS Privacy Office website online at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspxxxxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Documents/Privacy- Incident-Report-PIR.pdf. All PIRs and supporting documentation are If the County Department/Agency is unable to notify DHCS the via the Incident Reporting Portal or email, notification can be submitted to DHCS via email made by telephone using the “DHCS Breach and Security Incidents Reporting” contact information found below listed in Subsection F. subsection H. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency shall take: 1. Prompt action to mitigate any risks or damages involved with the occurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence required by applicable Federal and State laws and regulations.

Appears in 2 contracts

Samples: Medi Cal Privacy and Security Agreement, Medi Cal Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency will provide initial notice to DHCS shall notify DHCS, by email, or alternatively, by telephone if email is unavailable, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII or potential loss of PII with a copy to CDSSMedi-Cal PII. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform When making notification, the following incident reporting to DHCSapplies: 1. If a suspected security incident involves Medi-Cal PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve Medi-Cal PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) one working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available on the DHCS Privacy Office website at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All PIRs and supporting documentation are to be submitted to DHCS via email using the “DHCS Breach and Security Incidents Reporting” contact information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency shall take: 1. Prompt action to mitigate any risks or damages involved with the occurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Medi Cal Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency will provide initial notice (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII in electronic media or in any other media if the PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by email, the SSA. (2) To notify DHCS within 24 hours by email or alternatively, by telephone if email is unavailable, fax of the discovery of any suspected breach, security incident, intrusion, or unauthorized access, AMZ0115 Page 7 of 13 June 25, 2015 use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of confidential data affecting this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available on the DHCS Privacy Office website at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All PIRs and supporting documentation are to be submitted to DHCS via email using the “DHCS Breach and Security Incidents Reporting” contact information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the “DHCS Privacy Incident Report” form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “County Use” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency Department shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the occurrence breach and to protect the operating environment; and 2. Any action pertaining to such occurrence unauthorized disclosure required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Memorandum of Understanding

Initial Notice to DHCS. The County Department/Agency will provide initial notice to shall notify DHCS by email, or alternatively, by telephone if email is unavailable, using DHCS’ online incident reporting portal of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII or potential loss of PII with a copy to CDSSMedi-Cal PII. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform When making notification, the following incident reporting to DHCSapplies: 1. If a suspected security incident involves Medi-Cal PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve Medi-Cal PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) promptly and in no event later than one working day of discovery. If it is unclear discovery of: a. Unsecured Medi-Cal PII if the Medi-Cal PII is reasonably believed to have been accessed or acquired by an unauthorized person; b. Any suspected security incident involves SSA datawhich risks unauthorized access to Medi-Cal PII and/or; c. Any intrusion or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement; or d. Potential loss of Medi-Cal PII affecting this Agreement. DRAFT Notice to DHCS shall include all information known at the time the incident is reported. The County Department/Agency shall immediately report can submit notice via the DHCS incident upon discovery. A County Department/Agency shall notify reporting portal which is available online at: xxxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/default.aspx If DHCS’ online incident reporting portal is unavailable, notice to DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall can instead be made via email using the DHCS Privacy Incident Report (PIR) form, including all information known at . The email address to submit a PIR can be found on the timePIR and in subsection H of this section. The County Department/Agency shall use the most current version of this formthe PIR, which is available on the DHCS Privacy Office website online at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspxxxxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Documents/Privacy- Incident-Report-PIR.pdf. All PIRs and supporting documentation are If the County Department/Agency is unable to notify DHCS the via the Incident Reporting Portal or email, notification can be submitted to DHCS via email made by telephone using the “DHCS Breach and Security Incidents Reporting” contact information found below listed in Subsection F. subsection H. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency shall take: 1. Prompt action to mitigate any risks or damages involved with the occurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Medi Cal Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency will provide initial notice to DHCS by email, or alternatively, by telephone if email is unavailable, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of PII or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available on the DHCS Privacy Office website at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All PIRs and supporting documentation are to be submitted to DHCS via email using the “DHCS Breach and Security Incidents Reporting” contact contract information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of PII, the County Department/Agency shall take: 1. Prompt action to mitigate any risks or damages involved with the occurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency Department will provide initial notice to DHCS by email, or alternatively, by telephone if email is unavailable, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of PII or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS CDSS, for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency Department agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report Report” (PIR) form, including all information known at the time. The County Department/Agency Department shall use the most current version of this form, which is available posted on the DHCS Privacy Office website at(xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All Initial, Investigation, and Completed PIRs and supporting documentation are to be submitted to the DHCS via email Privacy Office and the DHCS Information Security Office. When using this form to report PII incidents, the “DHCS Breach County Department shall also include in the report the system(s) and Security Incidents Reporting” contact information found below in Subsection F. program(s) involved as known at the time of reporting. A breach shall be treated as discovered by the County Department/Agency Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of PII, the County Department/Agency Department shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the occurrence breach and to protect the operating environment; and 2. Any action pertaining to such occurrence unauthorized disclosure required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Data Privacy & Security

AutoNDA by SimpleDocs

Initial Notice to DHCS. The Immediately upon discovery of a suspected security incident that involves data provided to DHCS by the SSA, the countyThe County Department/Agency will provide initial notice to DHCS shall notify DHCS, by email, or alternatively, by telephone telephone. Within one working day of discovery, the county shall notify DHCS by if email is or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, unavailable, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of PII with a copy to CDSSconfidentialMedi-Cal PII. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform When making notification, the following incident reporting to DHCSapplies: 1. If a suspected security incident involves Medi-Cal PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA datadata affecting, please see the Definition section of this Agreement. 2. If a suspected security incident does not involve Medi-Cal PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) one working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report Report” (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available postedavailable on the DHCS Privacy Office website at(, select “Privacy & HIPAA” and then “County Use”) or use this linkat: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. .. Initial, Investigation, and Completed All PIRs and supporting documentation are to be submitted to the DHCS Privacy Office and the DHCS Information via email using the “DHCS Breach and Security Office Incidents Reporting” contact information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the occurrence breachoccurrence and to protect the operating environment; and 2. Any action pertaining to such occurrence unauthorized disclosureoccurrence required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Medi Cal Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency Department will provide initial notice to DHCS with a copy to CDSS. The DHCS is acting on behalf of CDSS, for purposes of receiving reports of privacy and information security incidents and breaches. The County Department agrees to perform the following incident reporting to DHCS. Immediately upon discovery of a suspected security incident that involves data provided to DHCS by emailthe SSA, the countyCounty Department shall notify DHCS by email or telephone. Within one working day of discovery, the countyCounty Department shall notify DHCS by email or telephone of unsecured PHI or PIPII, if that PHI or PIPII was, or alternativelyis, reasonably believed to have been accessed or acquired by telephone if email is unavailablean unauthorized person, of any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of confidential data affecting this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report Report” (PIR) form, including all information known at the time. The County Department/Agency Department shall use the most current version of this form, which is available posted on the DHCS Privacy Office website at(xxx.xxxx.xx.xxx,(xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs and supporting documentation are to be submitted to the DHCS via email Privacy Office and the DHCS Information Security Office. When using this form to report PII incidents, the “DHCS Breach County Department shall also include in the report the system(s) and Security Incidents Reporting” contact information found below in Subsection F. program(s) involved as known at the time of reporting. A breach shall be treated as discovered by the County Department/Agency Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency Department shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the occurrence breach and to protect the operating environment; and 2. Any action pertaining to such occurrence unauthorized disclosure required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Medi Cal Privacy and Security Agreement

Initial Notice to DHCS. The County Department/Agency will provide initial notice (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII in electronic media or in any other media if the PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by email, the SSA. (2) To notify DHCS within 24 hours by email or alternatively, by telephone if email is unavailable, fax of the discovery of any suspected breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of PII with a copy to CDSS. The DHCS is acting on behalf of CDSS for purposes of receiving reports of privacy and information security incidents and breaches. The County Department/Agency agrees to perform the following incident reporting to DHCS: 1. If a suspected security incident involves PII provided or verified by SSA, the County Department/Agency shall immediately notify DHCS upon discovery. For more information on SSA data, please see the Definition section of confidential data affecting this Agreement. 2. If a suspected security incident does not involve PII provided or verified by SSA, the County Department/Agency shall notify DHCS within one (1) working day of discovery. If it is unclear if the security incident involves SSA data, the County Department/Agency shall immediately report the incident upon discovery. A County Department/Agency shall notify DHCS of all personal information, as defined by California Civil Code Section 1798.3(a), that may have been accessed, used, or disclosed in any suspected security incident or breach, including but not limited to case numbers. Notice shall be made using the DHCS Privacy Incident Report (PIR) form, including all information known at the time. The County Department/Agency shall use the most current version of this form, which is available on the DHCS Privacy Office website at: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. All PIRs and supporting documentation are to be submitted to DHCS via email using the “DHCS Breach and Security Incidents Reporting” contact information found below in Subsection F. A breach shall be treated as discovered by the County Department/Agency Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department/Agency. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the “DHCS Privacy Incident Report” form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “County Use” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department/Agency Department shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the occurrence breach and to protect the operating environment; and 2. Any action pertaining to such occurrence unauthorized disclosure required by applicable Federal and State laws and regulations.

Appears in 1 contract

Samples: Medi Cal Privacy and Security Agreement

Draft better contracts in just 5 minutes Get the weekly Law Insider newsletter packed with expert videos, webinars, ebooks, and more!