Increased demands on the Health Services Department Privacy Office due to additional regulatory review and reporting requirements necessitate expansion of the current two person staff. This year through mid-October, there have been 109 breaches reported, potentially impacting thousands of individuals. Each reported breach requires the Privacy Office to review the details of the event, consult with counsel if necessary, review regulatory guidance, ask follow up questions of staff, and either mitigate the incident by conducting a risk analysis to document the event is not a breach, or report the breach to the Health and Human Services Office for Civil Rights, the California Department of Public Health, and to the victim(s) of the breach, plus work internally with staff to implement a plan of correction.
In addition, the Health Services Department has received numerous requests for information related to the COVID pandemic including data for outreach and for vaccination status/compliance, plus unrelated requests to share data for grants. These requests are directed to the Privacy Officer to review the privacy regulation component as it relates to the appropriate use and release of information stored in various registries and data bases used throughout Health Services. These requests involve extensive analysis, including a review of the Health Service Department’s contracts with the State related to the specific registry database, which often requires consultation with Counsel. The terms of these contracts with the State sets forth the information privacy and security requirements that Health Services, as the Contractor, is obligated to follow with respect to all personal and confidential information disclosed to the Contractor, or collected, created, maintained, stored, transmitted or used by the Contractor for, or on behalf of, the State.
The addition of a Health Services Administrator-Level B position will support the Privacy Officer by providing guidance to Health Services Divisions that maintain patient information as it relates to breach investigations and following up with Department Staff to ensure complete and accurate information is provided in response to investigative questions in a timely manner. These tasks are currently done by the Privacy Officer, thereby diverting time and resources that should be used to review and update Privacy and Compliance policies, develop and make additional training and education available to staff, conduct internal auditing and monitoring, and manage the overall operations of the Privacy Office.
If this action is not approved, the Privacy Officer will continue to be the only person performing these functions, taking time and resources away from higher level tasks which compromises the overall operations of the Privacy Office.