Resources

CDII provides the following resources to assist state departments as well as California patients, physicians, and health care providers with general questions and issues related to HIPAA.

For general HIPAA information, visit Office for Civil Rights (OCR) Helpful links or Federal and State Health Laws.

Individuals/Patients

What are my personal rights with regard to my personal health information?

The California Attorney General provides a consumer guide regarding patient privacy rights – this guide includes various scenarios to help the individual/patient understand their specific rights.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) provides a number of resources for understanding your rights under HIPAA.

What should I do if there is a violation or breach of my personal health information?

Examples include: my health information was given out to someone without my permission; my health record was released without my permission; I received another person’s medical information.

For any questions regarding the release of your health information – begin by contacting the organization that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it. If the issue is not corrected, you may be able to file a formal complaint with the organization.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for investigating violations of health information privacy rights. A complaint can be filed with them.

What if I requested a copy of my medical record but my provider won’t provide a copy?

The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and doctors/providers covered by the Privacy Rule.

Contact your provider – if your request is denied, it must be denied in writing.

You can also contact the HHS OCR to file a complaint.

Can a student’s health information (kept by educational facilities – such as schools, colleges, universities) be released?

Health information and other education-related records retained by educational facilities are regulated by the Family Educational Rights and Privacy Act (FERPA). All questions related to the privacy of this health information should be directed to:

California Department of Education, Education Data Office – email: privacy@cde.ca.gov or phone: 916-319-0586
U.S. Department of Education

Can a health care provider or health plan share my health information with family and friends?

The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives.

However, the provider or plan can share your information with family or friends if:

  • They are involved in your health care or payment for your health care,
  • You tell the provider or plan that they can share your information,
  • You do not object to sharing of the information, or
  • Using their professional judgment, a provider or plan believes that you do not object.

Physicians/Providers

Where can I find general information on HIPAA?

HHS OCR provides resources for professionals regarding the various components of HIPAA.

What should I do if there is a violation or breach of one or more of my patient’s health information?

Examples include, but are not limited to: health information is sent to the wrong patient or to an unauthorized person or entity; computer systems or other electronic media are hacked, lost, or stolen and patient data is stolen or compromised.

Resources for reporting the breach:

Refer to the Omnibus HIPAA Rulemaking for specifics on breach reporting requirements.

What should I do if a patient asks for a copy of their health or billing records?

The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. HHS OCR provides specific information on an individual’s right to access their information.

What should I do if someone other than the patient requests health information?

HHS OCR provides guidance materials for covered entities on the uses and disclosures of protected health information.

In addition, refer to the Patient Authorization Tool on this web page.

State Departments

Breach Notification

Refer to the following resources for the specific actions to be taken:

Annual Breach Reporting

At the beginning of each calendar year, state entities that are covered entities or business associates must report ALL breaches to CDII and HHS OCR. Refer to the following resources for the specific actions to be taken:

Emergency Declaration

Guidance on HIPAA and Resellers of Cloud Computing Services

CDII has published guidance for state departments that are HIPAA covered entities (CE) or business associates (BA) on how to navigate contracting arrangements with a reseller of Cloud Service Provider (CSP) services, focusing specifically on who signs the Business Associate Agreement.

Patient Authorization Guidance Tool

CDII, in partnership with various industry stakeholders, developed the Patient Authorization Guidance Tools to help providers understand the complexity of federal and state laws related to uses and disclosures of specially protected health information.

These tools assist providers with guidance on when patient authorization is needed for the disclosure of health information in California (according to federal and state law). These tools apply only to providers covered by both HIPAA and the Confidentiality of Medical Information Act (CMIA).

The tool is designed to help providers determine when they need to obtain a patient’s authorization to send that patient’s health information to another provider. The required elements of a valid authorization are set forth in 45 C.F.R. § 164.508(c)(3) and California Civil Code §§ 56.11-56.14 and § 56.21. The specific intent is to guide providers who are exchanging health information electronically, even though the rules described also apply to information in paper form.

The links below are the Patient Authorization Guidance tools: