Provider Privacy and Security
Medi-Cal recommends the following security measures when providers mail documents or packages:
- Use a nylon-reinforced envelope when possible.
- Double-envelope the contents of the package. Both envelopes must be sealed so that tampering would be clearly noticed.
- Tape the corners of both envelope flaps in order to ensure that the package is properly sealed and help prevent tearing.
- Place a rubber band around the contents of the package to ensure that pages are not separated, as an extra security measure.
- Include a manifest that clearly describes the contents of the package.
- Write the name and address of the recipient on the outside of the envelope.
- Write the following information on the inside of the envelope:
  - Name of recipient
  - “This package should be opened by the addressee only.”
  - Sender’s name and contact information (phone number)
- Consider a tracked mailing method that includes verification of delivery and receipt.
Medi-Cal recommends the following security measures when providers send faxes:
- Make sure the correct fax number was provided.
- Provide an update in a timely manner when a fax number changes.
- Contact the intended recipient to make sure that the fax number is correct.
- Make sure that the recipient’s fax number was dialed correctly.
- Always use an updated fax cover page that includes:
  - Your name and contact number
  - Number of pages (include the cover page in the total)
  - Name of the recipient
  - A confidentiality statement, such as: “The information contained in this fax document is confidential and intended only to be viewed by the recipient(s) listed on this cover page. If you are not the intended recipient (or an authorized representative of the intended recipient), you are hereby notified that any distribution or copying of this document is strictly prohibited. If you have received this document in error, please contact the sender as noted on this cover page and destroy the corresponding documentation immediately.”
- Confirm that the recipient will be waiting to receive the information when it’s sent.
- Contact the intended recipient to confirm that all pages were received.
Encryption is one of the best ways to protect the security of Protected Health Information (PHI) and Personal Information (PI) in a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble the message or file data. Both federal and state laws recognize that encryption will protect data from unauthorized access.
All desktop and laptop computers that process and/or store PHI and PI for Medi-Cal must be encrypted. The encryption software must be full disk and use a FIPS 140-2 certified algorithm with a key length of at least 128 bits, preferably 256 bits or higher, such as Advanced Encryption Standard (AES). The software used to encrypt desktop and laptop computers is left to the discretion of the provider. Providers using the Windows 7 Operating System may also review information about the BitLocker feature included with that software.
If a computer containing PHI and PI is stolen and the PHI and PI data stored on it was fully encrypted, the theft will not be classified as a breach under federal or state law. However, it will still be a security incident. Providers are reminded that computer security measures should be followed to prevent the unauthorized disclosure of PHI and PI, or the ability to obtain PHI and PI from a stolen computer. These measures were outlined in the January 2010 Medi-Cal Update to help providers understand the importance of PHI and PI protection.
Providers should also understand that they can be fined for not complying with PHI and PI protection requirements as stated in Sections 130200 through 130205 of the California Health and Safety Code and Section 17939 of the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C.A. 17921 et seq.
Medi-Cal Website User Requirements
All Medi-Cal website users agree to the following security requirements. All computers that access Medi-Cal data must meet the following requirements, in addition to any State and Federal required administrative, technical, physical, and organizational safeguards:
- Antivirus software. All workstations, laptops and other systems that access the Medi-Cal website or process and/or store Medi-Cal Protected Health Information (PHI) must install and actively use a comprehensive anti-virus software solution with automatic updates scheduled at least daily.
- Patch Management. All workstations, laptops and other systems that access the Medi-Cal website or process and/or store Medi-Cal PHI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process, which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release.
- System Timeout. The systems that access the Medi-Cal website or process and/or store Medi-Cal PHI must provide an automatic timeout, requiring re-authentication of the user session. It is recommended that the automatic timeout be after no more than 20 minutes of inactivity.
- User Name and Password Controls. Systems that access the Medi-Cal website or process and/or store Medi-Cal PHI should be accessed using a unique user name. The user name must be promptly disabled or deleted, or the password changed, upon the transfer or termination of an employee with knowledge of the password. Passwords are not to be shared. Passwords must be:
  - At least eight characters,
  - A non-dictionary word,
  - Not stored in readable format on the computer,
  - Changed every 90 days, preferably every 60 days,
  - Changed if revealed or compromised, and
  - Composed of characters from at least three of the following four groups from the standard keyboard:
    - Upper case letters (A–Z)
    - Lower case letters (a–z)
    - Arabic numerals (0–9)
    - Non-alphanumeric characters (punctuation symbols)
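As an added example (not Medi-Cal's own tooling), the following Python check applies the password rules listed above to a candidate password and its last-change date, reporting every rule it fails. The dictionary words and dates are constructed; a real deployment would load a full wordlist.

```python
import re
from datetime import date

# Constructed stand-in for a dictionary wordlist (assumption: one word per line
# in a real file); the policy requires passwords that are not dictionary words.
SAMPLE_DICTIONARY = {"password", "welcome", "medical", "summer"}

# The four character groups named in the policy.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

MIN_LENGTH = 8          # "at least eight characters"
MIN_CLASSES = 3         # "at least three of the following four groups"
MAX_AGE_DAYS = 90       # "changed every 90 days"


def check_password_policy(password, last_changed, today, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the password fails (empty list means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits and punctuation before the lookup so that a dictionary word
    # padded with "1!" is still recognised as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in dictionary:
        failures.append("dictionary word")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < MIN_CLASSES:
        failures.append(f"only {classes} of 4 character groups used")
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        failures.append(f"password is {age} days old (limit {MAX_AGE_DAYS})")
    return failures


if __name__ == "__main__":
    # Constructed sample checks.
    for pw, changed in [("Password1!", date(2024, 1, 1)), ("xk7q", date(2023, 9, 1))]:
        print(pw, check_password_policy(pw, changed, date(2024, 3, 1)) or "compliant")
```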
For additional questions or concerns about protecting Protected Health Information (PHI) and Personal Information (PI), providers may call the Telephone Service Center (TSC) from 8 a.m. to 5 p.m. Monday through Friday at 1-800-541-5555. Out-of-State providers may call (916) 636-1200.