Common use of Initial Notice to DHCS Clause in Contracts

Initial Notice to DHCS. Immediately upon discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall notify DHCS by email or telephone. Within one working day of discovery, the county shall notify DHCS by email or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take:

Initial Notice to DHCS. Immediately (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII in electronic media or in any other media if the PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall . (2) To notify DHCS within 24 hours by email or telephone. Within one working day fax of discoverythe discovery of any breach, the county shall notify DHCS by email or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Office Officer and the DHCS Information Security OfficeOfficer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the “DHCS Privacy Incident Report” form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “County Use” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take:

Initial Notice to DHCS. Immediately (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII in electronic media or in any other media if the PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall . (2) To notify DHCS within 24 hours by email or telephone. Within one working day fax of discoverythe discovery of any breach, the county shall notify DHCS by email or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Office Officer and the DHCS Information Security OfficeOfficer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the “DHCS Privacy Incident Report” form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (, then select “Privacy” in the left column and then “County Use” near the middle of the page) or use this link: Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take:

Initial Notice to DHCS. The County Department will provide initial notice to DHCS with a copy to CDSS. The DHCS is acting on behalf of CDSS, for purposes of receiving reports of privacy and information security incidents and breaches. The County Department agrees to perform the following incident reporting to DHCS. Immediately upon discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county countyCounty Department shall notify DHCS by email or telephone. Within one working day of discovery, the county countyCounty Department shall notify DHCS by email or telephone of unsecured PHI or PIPIPII, if that PHI or PI PIPII was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxxxxx.xxxx.xx.xxx,(xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. When using this form to report PII incidents, the County Department shall also include in the report the system(s) and program(s) involved as known at the time of reporting. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take:

Initial Notice to DHCS. Immediately (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal Pll in electronic media or in any other media if the Pll was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall . (2) To notify DHCS within 24 hours by email or telephone. Within one working day fax of discoverythe discovery of any breach, the county shall notify DHCS by email or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII PI I in violation of this AgreementAgreement and this Addendum, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Office Officer and the DHCS Information Security OfficeOfficer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the "DHCS Privacy Incident Report" form, including all information known at the time. County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx .pov, then select "Privacy" in the left column and then "County Use" near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PIIPI I, the County Department shall take:

Initial Notice to DHCS. Immediately (1) To notify DHCS immediately by telephone call plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII in electronic media or in any other media if the PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall . (2) To notify DHCS within 24 hours by email or telephone. Within one working day fax of discoverythe discovery of any breach, the county shall notify DHCS by email or telephone of unsecured PHI or PI, if that PHI or PI was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, AMZ0115 Page 7 of 13 June 25, 2015 use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Office Officer and the DHCS Information Security OfficeOfficer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PII, notice shall be provided by calling the DHCS ITSD Service Desk. Notice shall be made using the “DHCS Privacy Incident Report” form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “County Use” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take:

Initial Notice to DHCS. The County Department will provide initial notice to DHCS with a copy to CDSS. The DHCS is acting on behalf of CDSS, for purposes of receiving reports of privacy and information security incidents and breaches. The County Department agrees to perform the following incident reporting to DHCS. Immediately upon discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county County Department shall notify DHCS by email or telephone. Within one working day of discovery, the county County Department shall notify DHCS by email or telephone of unsecured PHI or PIPII, if that PHI or PI PII was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the “DHCS Privacy Incident Report” (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (xxx.xxxx.xx.xxx, select “Privacy & HIPAA” and then “County Use”) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office. When using this form to report PII incidents, the County Department shall also include in the report the system(s) and program(s) involved as known at the time of reporting. A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal PII, the County Department shall take: