
Compliance Review Program

The Center for Data Insights and Innovation (CDII) has statutory responsibility to evaluate, monitor, and report on state departments’ HIPAA compliance. The goals of CDII’s Compliance Oversight Program are to:

  • Create a collaborative culture of compliance for state departments
  • Keep Californians’ health information safe
  • Provide technical assistance and leadership on California’s HIPAA compliance

This page provides state departments (subject to HIPAA) with general information about the Compliance Oversight Program:

What is a Compliance Review?

The Compliance Oversight Program includes responsibility for conducting ongoing compliance reviews of state departments subject to HIPAA. The focus during a compliance review is to work with the state department to identify any gaps in HIPAA compliance (based on the Statewide Health Information Policy Manual) and to monitor the resolution of all identified compliance gaps.

A training video is available that describes the CDII Compliance Oversight Program, with an emphasis on the process used to complete reviews and assess compliance. A one-page overview of the training is also available. The Compliance Oversight Program training takes approximately 1 hour to complete.

Who is Subject to a Compliance Review?

State departments assessed to be covered entities and/or business associates are subject to compliance reviews. For a list of the state departments subject to HIPAA and/or more information about the most recent assessment, refer to the 2022 Health Information Entity Status Assessment page.

A brief video (approximately 15 minutes) describing the entity assessment used to identify state entities for compliance reviews is available for departments to review.

What Happens during a Compliance Review?

State departments are notified several weeks before they are scheduled for a compliance review – the Compliance Review Schedule is under review at this time.

The compliance review process consists of the following activities:

  • The compliance review begins with the department providing CDII with artifacts/documents and answering questions within a specified time frame.
  • CDII reviews all materials collected from the department to document initial observations.
  • CDII may schedule an onsite review with the department. During the onsite visit, the CDII team conducts follow-up meetings to clarify information received from the department (and may tour selected operational areas of the department).
  • CDII documents all observations and findings along with recommendations for addressing gaps. The draft document is provided to the department for review and comments before CDII finalizes the report.
  • Once the report is finalized, the review moves into the Corrective Action Plan phase. During this time, CDII works with the department to track and monitor the resolution of all gaps identified.

Tools and templates used during the compliance review are available by contacting the CDII Privacy Office at We encourage CA state departments to review and use these tools, templates, and checklists in their own compliance program efforts and in preparing for a CDII compliance review. By reviewing these tools and templates now, you will have a good understanding of what is expected to be HIPAA compliant.

The following is the full list of compliance review materials available:

  • Compliance Review Artifact Request List
  • Compliance Review Tool
  • Compliance Review Artifacts Checklists
    • Authorizations
    • Breach Notification
    • Business Associate Agreement
    • Business Associate Oversight
    • Contingency Plan – Business Continuity Plan
    • Contingency Plan – Data Backup Plan
    • Contingency Plan – Technology Recovery Plan
    • Device and Media Controls
    • Facility Security Plan
    • Health Information Locations
    • Incident Reporting
    • Individuals’ Right to Access Health Information
    • Individuals’ Right to Amend Medical Records
    • Notice of Privacy Practices (NPP)
    • Privacy Training
    • Risk Assessment Policy and Procedures (P&Ps)
    • Risk Assessment
    • Security Awareness and Training
    • Security Evaluations
  • Corrective Action Plan Template
  • Tips and Tools: Risk Analysis/Assessment
  • Tips and Tools: Policy and Procedures

If you have any questions, contact the CDII Privacy Office at