APPENDIX D

Policy on Protecting Personally Identifiable Information and Personal Health Information 

Personally Identifiable Information

These Policies and Procedures (Policies) are established pursuant to and in accordance with the regulatory mandates of 2 CFR Part 200, as derived from The Privacy Act of 1974, 5 U.S.C. Section 522a, as amended, and guidance provided by the U.S. Department of Housing and Urban Development (HUD) Handbook 1325.01, as amended.

 

The Privacy Act establishes information practices governing the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

 

The Privacy Act prohibits disclosure of a record about an individual absent the written consent of the individual unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency recordkeeping requirements.

As a recipient of federal funding, the requirements of The Privacy Act are imposed through the requirements of 2 CFR Part 200 in the handling, collection, maintenance, use, and dissemination of personal information, with a critical focus on Personally Identifiable Information (PII).

These Policies and Procedures establish San Bernardino County’s Community Development and Housing Department’s (Department) policies regarding the proper handling of PII for the San Bernardino County Rent Relief Program and measures to be taken in the event of a policy breach.

 

COUNTY POLICY

The Department is committed to ensuring that all PII is collected, accessed, used, maintained, stored, disclosed, and disposed of in accordance with the provisions of these Policies and Procedures.  These Policies shall apply to all department employees, subrecipients, consultants, contractors, vendors, and other third-party or governmental departments or agencies, receiving, distributing, or sharing information generated by, or as a result of this federally funded program.  These policies apply to PII that is received or stored in all forms, including, but not limited to paper, electronic documents, electronic devices, electronic media, email, images, audio or video files or documents.

 

DEFINITIONS

The following definitions apply for terms used in these Policies and Procedures:

 

Personally Identifiable Information

“Personally Identifiable Information” (PII) is defined at 2 CFR 200.79 as: “PII means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual”.

 

Protected Personally Identifiable Information

2 CFR 200.82 defines “Protected Personally Identifiable Information” (PPII) as: “Protected PII means an individual's first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, educational transcripts.  This does not include PII that is required by law to be disclosed.”  PPII is a subset of PII that, when lost, compromised, or disclosed, could substantially harm an individual.

 Privacy Breach

A privacy breach is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where persons other than authorized users and for other than an authorized purpose have access or potential access to PII or PPII, whether physical or electronic.

PROCEDURES FOR PROTECTING PII and PPII

The provisions of 2 CFR 200.303(e) require that the Department take reasonable measures to safeguard protected personally identifiable information and other information designated as sensitive, consistent with applicable Federal, state, and local laws regarding privacy and obligations of confidentiality.  In accordance with these requirements, the following procedures are implemented to address the protection of PII and PPII.

Collection of PII and PPII

The collection of PII and PPII shall be limited to only the information needed for the purpose for which it is being collected.  All PII and PPII that is received by any means, shall be protected in accordance with the requirements of these Policies and Procedures.

 TASK: Receive PII and PPII:

  1. CDH staff will collect a sample of program and project applications and supporting documentation from Subgrantee for the purpose of determining compliance and complying with the various recordkeeping responsibilities associated with the SB County RRP program.

Staff/Organization:

CDH authorized personnel

Auditors

Sub-grantee

Contractors/Consultants

Timeframe: Ongoing

Approval: CDH Director or Deputy Director

  Documents: 

All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained:  Application and supporting eligibility determination documentation

Retention Period: Five (5) years after funds have been expended or returned to the Treasury

Retention Location: Lockable file cabinets at grantees and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee

Handling and Storage of PII

a.       Access to PII and PPII

Access to PII and PPII shall be minimized, with access only to those who have a verified need or permitted access.  The following protocols shall be observed for limiting access to PII or PPII:

i.  Only those who have passed a background check satisfactorily may be provided access to systems that contain PII or PPII.

ii. Systems where PII or PPII are stored electronically by grantee and subgrantee shall only be accessible by those who have been provided a unique, assigned log-in/password, and policies shall be in place that expressly prohibit sharing of log-in credentials.

iii. When working on computer files containing PII or PPII, personnel are to ensure that such files are closed, and computer is locked upon leaving workspace unattended.

iv. Only share or discuss PII and PPII with those who have a need to know for work purposes or objectives; with disclosure of only the minimum information necessary to perform the required task.

v.  Do not distribute or release PII or PPII to others until release is authorized.

vi. Before discussing PII or PPII on the telephone, confirm that you are speaking to the right person and inform them that the discussion will include PII or PPII. Do not leave messages containing PII or PPII on voicemail.

vii. Avoid discussing PII or PPII if there are unauthorized persons in adjacent areas who may overhear your conversations.

viii. Conduct meetings in secure spaces that limit unauthorized access or eavesdropping, if PII or PPII will be discussed.

ix.  Treat notes and minutes from such meetings as confidential unless you can verify that they do not contain PII or PPII.

 With regard to public access to PII or PPII, note that 2 CFR 200.337 provides that “no Federal awarding agency may place restrictions on the non-Federal entity that limit public access to the records of the non-Federal entity pertinent to a Federal award, except for protected personally identifiable information (PII) or when the Federal awarding agency can demonstrate that such records will be kept confidential and would have been exempted from disclosure pursuant to the Freedom of Information Act (5 U.S.C. 552) or controlled unclassified information pursuant to Executive Order 13556 if the records had belonged to the Federal awarding agency. The Freedom of Information Act (5 U.S.C. 552) (FOIA) does not apply to those records that remain under a non-Federal entity's control except as required under §200.315 Intangible property. Unless required by Federal, state, local, and tribal statute, non-Federal entities are not required to permit public access to their records. The non-Federal entity's records provided to a Federal agency generally will be subject to FOIA and applicable exemptions.”

 2 CFR 200.507(c) and 2 CFR 200.512(a)(2) address audits and require that, where the Department must make report copies available for public inspection, the auditors and auditees “…must ensure that their respective parts of the reporting package do not include protected personally identifiable information.”  In furtherance of this requirement, Department staff shall review and approve all audit reports under their purview, prior to public release, to ensure that they do not contain any protected personally identifiable information.

TASK:

Access PII and PPII:

  1. Access PII and PPII for monitoring of its Participating Cities and Subgrantees, audit reports.

    Staff/Organization:

    CDH authorized personnel

    Auditors

    Subgrantees

    Contractors/Consultants


Timeframe: Ongoing

Approval:  CDH Director or Deputy Director

Documents: 

All documents and records containing PII & PPII including but not limited to: Program Applications, Supporting income and asset documentation, Social Security Numbers and Driver’s Licenses, Bank records, other Miscellaneous PII and PPII, audit reports.

Records Retained:  Application and supporting eligibility determination documentation, audit reports

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee

b.       Protecting Hard Copy and Electronic Files Containing PII and PPII

i.   Label all files containing PII and PPII.  Examples of appropriate labels might include:  “For Official Use Only,” or “For [Name of Individual/Office] Use Only”.

ii.  Lock up all hard copy files containing PII and PPII in secured file cabinets.  Do not leave files or documents containing PII or PPII in unattended open areas.

iii. Protect all media (e.g., flash drives, etc.) that contain PII or PPII, and do not leave unattended.  This information should be maintained either in secured file cabinets or in computers that have been secured.

iv. Keep accurate records of where PII and PPII are stored, used and maintained.

v.  Periodically audit all PII and PPII holdings to ensure that all such information remains secure and can be readily located.

vi. Secure digital copies of files containing PII and PPII.  Potential protections include encryption, enhanced authentication mechanisms such as two-factor authentication, and limiting the number of people allowed access to the files.

vii. Store PII and PPII only on workstations that can be secured, such as workstations located in areas that have restricted physical access.

TASK: Protecting Files Containing PII and PPII:

  1. Protect all files containing PII and PPII in accordance with processing protocols.

    Staff Person/Organization:

    CDH Staff

    Subgrantee

    Contractors/Consultants

    Auditors

Timeframe: Ongoing

Approval: N/A

Documents: 

All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained: All documents and records containing PII and PPII

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee.

c.     Protecting Electronic Transmissions of PII or PPII

i.   When faxing PII or PPII, confirm the fax number, verify that the intended recipient is available, and confirm that they have received the fax.  Ensure that none of the transmission is stored in memory on the fax machine, and that all paper waste is disposed of properly (shredded).  If possible, use a fax machine that uses a secure transmission line.

ii.  When sending PII or PPII via email or via an unsecured information system make sure the information and any attachments are encrypted.

iii.  If a secure line is not available, contact the recipient office prior to faxing to inform them that information is coming.  Then, contact the recipient office following transmission to ensure they received it.  For each event, the best course of action is to limit access of PII only to those individuals authorized to handle it, create a paper trail, and to verify information reached its destination.

iv.  If receiving a fax containing PII or PPII, quickly retrieve the fax.  If you are expecting a fax, and have not received it, contact the sender to determine the cause for the delay.

v.  Do not forward work emails with PII or PPII to personal email accounts.

vi. Do not place PII or PPII on shared drives, multi-access calendars, the Intranet, or the Internet.

vii. Do not let PII or PPII documents sit on a printer where unauthorized employees or contractors can have access to the information.

TASK: Protecting Electronic Transmission of Files Containing PII and PPII:

1. Ensure that electronic transmissions of documents containing PII or PPII are performed in a secure manner

Staff Person/Organization:

All CDH authorized personnel

Subgrantee

Contractors/Consultants

Timeframe: Ongoing

Approval: N/A

Documents: 

All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained:  All documents and records containing PII and PPII

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee.

d.       Handling Protocols for Hard Copy Files Containing PII or PPII

Do not remove records with PII or PPII from facilities where information is authorized to be stored, or access remotely (i.e., from locations other than such physical facilities), unless approval is first obtained from CDH Deputy Executive Officer or Director.

i.  When mailing PII or PPII by U.S. Postal Service, use sealable opaque envelopes.  Mark the envelope to the person’s attention.

ii.  If transmitting documents containing PII or PPII, deliver in person when possible, or alternatively, send in a confidential envelope addressed to the recipient and follow-up to ensure receipt.

iii. If PII or PPII needs to be sent by courier, mark “signature required” when sending documents, in order to create a paper trail in the event items are misplaced or lost.

iv. Obtain authorization prior to removal of any records from the office.

TASK: Protecting Paper Files Containing PII and PPII:

 1. Ensure that hard copy files are handled in a manner that provides for secure transmittal, and that any approved removal from office facilities is in accordance with established protocols

 Staff /Organization:

All CDH authorized personnel

Subgrantee

Contractors/Consultants

Timeframe: Ongoing

Approval:  N/A

Documents: 

All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained:  All documents and records containing PII and PPII

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee.

e.       Records Management, Retention and Disposition

i.   Follow all applicable records management laws, regulations, and policies.

ii.  Do not maintain records longer than required.

iii. Destroy records after retention requirements are met.

iv. Dispose of PII and PPII appropriately – permanently erase electronic records.  Shred hard copy records.


TASK: Retaining Records and Records Disposal in Accordance with Established Protocols

 1. Ensure that all records, hard copies, digital, and other, are maintained in accordance with regulatory requirements, and that disposal of records is performed in conformance with regulatory retention periods, with scheduled destruction in accordance with established Department protocols

Staff/Organization:

All CDH authorized personnel

Subgrantee

Contractors/Consultants

Timeframe: Ongoing

Approval:  N/A

Documents: 

All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained:  All documents and records containing PII and PPII

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee.

f.       Authorizations, Approvals, and Oversight

 The Department has designated the CDH Deputy Executive Officer to serve as the PII and PPII Oversight Official, who will be responsible for the following:

a.  Authorizing internal and external access to PII and PPII, including obtaining written consent for release of PII or PPII.

b.  Authorizing the removal of records containing PII or PPII from the office.

c.  Ensuring that PII and PPII storage location records are updated and accurately maintained.

d. Ensuring that an annual security audit is performed to ensure the integrity of storage systems and work practices.

e.  Ensuring that all applicable parties receive a copy of the Department’s PII Policies and Procedures.

f.   Coordinating the development of training materials, and provision of initial PII training for department employees, Participating Cities, subrecipients, grantees, consultants, contractors, vendors, and other third-party or governmental departments or agencies, receiving, distributing, or sharing information generated by, or as a result of, federally funded programs and activities under the purview of the Department.

g.  Securing organizational and employee agreements for all non-Department personnel, that provide for their commitment to adhere to the provisions of the Department’s PII and PPII Policies and Procedures.

h.  Coordinating the provision of annual PII and PPII training to all applicable parties, to reinforce Policies and Procedures requirements, provide any regulatory updates, and amended Department procedures.

i.   Coordinating the monitoring of all external parties to ensure that the Department’s PII Policies and Procedures are being followed.

j.   Ensuring that security protocols are observed for departing employees of the Department and external parties, which will restrict their access to PII or PPII.

k.  Receiving and addressing all reports of Privacy Breaches, and implementing an appropriate response or corrective measures, and also including, but not limited to disciplinary action for responsible parties.

l.    Coordinating through management with the County Counsel for matters requiring legal reviews, interpretation, or determinations.

m.  Providing initial determinations regarding Privacy Act requests.

n.   Ensuring that a master calendar for records retention requirements is maintained, and that records disposal is performed in accordance with calendar requirements.

o.   Providing technical assistance for all inquiries regarding PII and PPII.

p.   Reviewing the Department PII and PPII Policies and Procedures to determine their effectiveness in complying with applicable regulatory requirements.

TASK:

Perform Oversight Responsibilities for PII and PPII Policies and Procedures:

  1. Coordinate the implementation of all PII and PPII Policies and Procedures through the designated PII and PPII Oversight Official

  2. CDH Director - Perform authorization, approval, and oversight responsibilities detailed in this Section.

Staff/Organization: CDH Director

Timeframe: Ongoing

Approval:  N/A

Documents:  All documents and records containing PII and PPII including but not limited to: Program Application, Supporting income and asset documentation, SSNs and Driver’s Licenses, bank records, etc.

Records Retained:  All documents and records containing PII and PPII

Retention Period: Five (5) years after funds have been expended or returned to the Treasury.

Retention Location: Lockable file cabinets at grantee and/or subgrantees offices or Encrypted and/or secure Cloud storage, stored with grantee and/or subgrantee.

g.     Incident Response.

A data breach occurs when PII is viewed, leaked, or accessed by anyone who is not the individual or someone authorized to have access to this information as part of his/her official duties.  Supervisors should ensure that all personnel are familiar with data breach reporting procedures. All suspected compromises of sensitive PII and PII are to be promptly reported to subgrantee management and CDH Deputy Executive Officer.

Subgrantee shall cooperate fully with CDH personnel in the investigation of a breach of data. The Subgrantee shall be responsible for the containment, control and safeguarding of information to prevent the breach from reoccurring.

The following scenarios may warrant disciplinary actions, parallel enforcement investigations, or litigation regarding subgrantee and/or their subcontractors:

  • Failure to take appropriate action upon discovering the breach.

  • Failure to take required steps to prevent a breach from occurring.

  • Failure to notify CDH of a breach.

  • Failure to cooperate in the investigation.

  • Failure to duly notice the impacted party(s) of the breach.

Notification Requirements:

Notifying Individuals If Data Is Breached

Notification must be made as soon as possible without unnecessary delays.

Notices must contain plain language and use a 10-point font size or larger, as well as the following information:

  • Name and contact information for your entity

  • Types of covered information that were breached

  • Date or estimated date range of the breach

  • Date of the notice

  • Whether notification was delayed due to law enforcement deeming that notification would interfere with an investigation

  • A general description of the breach

  • Toll-free numbers and addresses for entities or agencies that manage Social Security numbers, driver’s licenses, and related information if such information was breached.

The individual notification requirements do not apply to information that is encrypted, provided that the encryption key is not acquired or accessed.  Notification must be provided either in written form or electronic format consistent with E-SIGN.

Identity theft prevention and mitigation services must be provided by the Sub-grantee at no charge to impacted individuals for a minimum of 12 months if a breach includes Social Security numbers, driver’s license numbers, or state identification card numbers.

AMENDMENTS TO POLICIES AND PROCEDURES

Changes to these Policies and Procedures involving administrative procedures or accommodations to adapt to regulatory changes may be performed with the approval of the CDH Deputy Executive Officer, or his/her designee (e.g. CDH Director).  All changes shall conform to all statutory requirements for their respective funding sources.

PERSONAL HEALTH INFORMATION

 NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

EFFECTIVE APRIL 2021

Your health information is personal and private, and we must protect it. This notice tells you how the law requires or permits us to use and disclose your health information.  It also tells you what your rights are and what we must do to use and disclose your health information.  All Community Development and Housing Department (CDH) employees, staff, and contracted entities who have access to client health information will follow this notice.

 

We must by law:

·       Maintain the privacy and security of your health information (also known as “protected health information” or “PHI”, sometimes commonly referred to as Health Insurance Portability and Accountability Act or "HIPAA", hereinafter referred to as "PHI").

·       Provide you this Notice of our legal duties and privacy practices regarding your PHI.

·       Follow the duties and privacy practices described in this Notice.

·       Notify you promptly if a breach occurs that may have compromised the privacy or security of your information.

Changes to this Notice: We have the right to make changes to this Notice and to apply those changes to your PHI. If we make changes, you have the right to receive a copy of them in writing. To obtain a copy, you may ask your service provider or any CDH staff person.

HOW THE LAW PERMITS US TO USE AND DISCLOSE INFORMATION ABOUT YOU

We may use or share your PHI for the purposes of considering your application for financial assistance. These are some examples:

·       For Payment and Program Operations: We may need to use and disclose health information about you to demonstrate eligibility for financial services provided to your household.  For example, a program case worker, the funding entity or an auditor may ask to review the protected health information collected in connection with your application that documents your household’s COVID-19 related financial hardship.

·       To Other Government Agencies or Agencies That Provide You Benefits or Services:  We may disclose information about your application for assistance to other government agencies that are funding similar benefits or services.

·       To Keep You Informed: We or our contracted service provider may call or write to discuss your Program qualification.

·       As Required by Law: We will disclose your PHI when required to do so by federal or state law.

·       Lawsuits and Other Legal Actions: If you have a lawsuit or legal action, we may release your PHI in response to a court order.

·       Law Enforcement: We may disclose your PHI when asked to do so by law enforcement officials:

  • In response to a court order, warrant, or similar process;

  • To find a suspect, fugitive, witness, or missing person;

  • If you are a victim of a crime and unable to agree to give information;

  • To report criminal conduct; or

  • To give information about a crime or criminal in emergency circumstances.

 We must keep records of the financial service provided to you for 5 years from the date program funding is closed out with the U.S. Treasury.

 YOUR RIGHTS ABOUT YOUR PROTECTED HEALTH INFORMATION (PHI)

·       Right to See and Copy: Federal regulations say that you have the right to ask to see and copy your PHI. If approved, we may charge a reasonable cost-based fee for copying and sending out your PHI. We may also ask if a summary, instead of the complete record, may be given to you. The information will usually be provided within thirty (30) days. If your request is denied, you may appeal and ask for another review of your request.

·       Right to Ask for an Amendment: If you believe that the information we have about you is incorrect or incomplete, you may request changes be made to your PHI as long as we maintain this information.  While we will accept requests for changes, we are not required to agree to the changes. We may deny your request to change PHI if it came from another health care provider, if it is part of the PHI that you were not permitted to see and copy, or if your PHI is found to be accurate and complete.

·       Right to Know to Whom We Released Your PHI: You have the right to ask us to let you know to whom we may have released your PHI. Under federal guidelines, we must maintain a list of anyone that was given your PHI not used for payment and program operations or as required by law mentioned above. To get the list, you must ask in writing for it. You cannot ask for a list during a time period over six years ago. We will provide one accounting per year for free but will charge you a reasonable cost-based fee if there is a second request within a 12-month period. We will let you know the cost, and you may choose to stop or change your request before it costs you anything.

·       Right to Ask Us to Limit PHI: You have the right to ask us to limit the PHI that the law lets us use or release about you for payment or program operations. We do not have to agree to your request. If we do agree, we will comply with your request. To request limits, you must ask in writing. You must tell us (1) what PHI you want to limit; (2) whether you want to limit its use, disclosure or both; and (3) to whom you want the limits to apply.

·       Right to Ask for Privacy: You have the right to ask us to tell you about matters related to your PHI in a specific way or at a specific location. For example, you can ask that we contact you at a certain phone number or by mail. To request that certain information be kept private, you must ask in writing. You must tell us how or where you wish to be contacted.

·       Right to a Paper Copy of This Notice: You may ask us for a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, we will provide you a paper copy of this Notice, upon request. You may ask any program staff person for a copy.

·       Right to choose someone to act for you: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.

COMPLAINTS

If you believe your privacy rights have been violated, you may submit a complaint with:

 

To file a complaint with the Community Development and Housing Department, contact:

County of San Bernardino

Community Development and Housing Department

RE: SBCRRP HIPAA Complaints

385 N. Arrowhead Avenue, 3rd Floor

San Bernardino, CA 92415

 

Phone # (909) 387-4305

Fax# (909) 387-4415

E-mail: ESG@cdh.sbcounty.gov

To file a complaint with the County of San Bernardino, contact:

County of San Bernardino

HIPAA Complaints Official

157 W. 5th Street, 1st Floor

San Bernardino, CA 92415

 

Phone # (909) 387-5584

Fax # (909) 387-8950

E-mail: HIPAAComplaints@cao.sbcounty.gov

To file a complaint with the State Govt, contact:

Privacy Officer

Department of Health Care Services

P.O. Box 997413, MS0010

Sacramento, CA 95899-7412

(916) 445-4646; (877) 735-2929 TTY/TDD

FAX: (916) 440-7680

To file a complaint with the Federal Govt, contact:

Secretary of the U.S. Department of Health and Human Services, Office of Civil Rights,

Attention: Regional Manager,

90 7th Street, Suite 4-100

San Francisco, CA 94103

(800) 368-1019; (800) 537-7697 TTY/TDD

FAX: (415) 437-8329

Filing a complaint will not affect your right to services or future services.