Resources
CDII provides the following resources to assist state departments as well as California patients, physicians, and health care providers with general questions and issues related to HIPAA.
For general HIPAA information, visit Office for Civil Rights (OCR) Helpful links or Federal and State Health Laws.
On this page:
- Individuals/Patients
- Physicians/Providers
- State Departments identified as covered entities or business associates
- Reporting a Breach
- Annual Breach Reporting
- Emergency Declarations
- Guidance on HIPAA and Resellers of Cloud Computing Service
- Patient Authorization Guidance Tool
Individuals/Patients
What are my personal rights with regard to my personal health information?
The California Attorney General provides a consumer guide regarding patient privacy rights – this guide includes various scenarios to help the individual/patient understand their specific rights.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) provides a number of resources for understanding your rights under HIPAA.
What should I do if there is a violation or breach of my personal health information?
Examples include: My health information was given out to someone without my permission? My health record was released without my permission? I received another person’s medical information?
For any questions regarding the release of your health information – begin by contacting the organization that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it. If the issue is not corrected, you may be able to file a formal complaint with the organization.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for investigating all violations of health information. A complaint can be filed with them.
What if I requested a copy of my medical record but my provider won’t provide a copy?
The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and doctors/providers covered by the Privacy Rule.
Contact your provider – if your request is denied, it must be denied in writing.
You can also contact the HHS OCR to file a complaint.
Can a student’s health information (kept by educational facilities – such as schools, colleges, universities) be released?
Health information and other education related records retained by educational facilities is regulated by the Family Educational Rights and Privacy Act (FERPA). All questions related to privacy of this health information should be directed to:
California Department of Education, Education Data Office – email: privacy@cde.ca.gov or phone: 916-319-0586
U.S. Department of Education
Can a health care provider or health plan share my health information with family and friends?
The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives.
However, the provider or plan can share your information with family or friends if:
- They are involved in your health care or payment for your health care,
- You tell the provider or plan that they can share your information,
You do not object to sharing of the information, or - If, using their professional judgment, a provider or plan believes that you do not object.
Physicians/Providers
Where can I find general information on HIPAA?
HHS OCR provides resources for professional regarding various components of HIPAA.
What should I do if there is a violation or breach of one or more of my patient’s health information?
Examples include, but are not limited to: Health information is sent to the wrong patient or an unauthorized person or entity? Computer systems or other electronic media is hacked, lost, or stolen and patient data is stolen or compromised?
Resources for reporting the breach:
- Office for Civil Rights – Breach Notification
- California Attorney General – Data Security Breach Reporting
Refer to the Omnibus HIPAA Rulemaking for specifics on breach reporting requirements.
What should I do if a patient asks for a copy of their health or billing records?
The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. HHS OCR provides specific information on an individuals’ rights to access their information.
What should I do if someone other than the patient requests health information?
HHS OCR provides guidance materials for covered entities on the uses and disclosures of protected health information.
In addition, refer to the Patient Authorization Tool on this web page.
State Departments
Breach Notification
Refer to the following resources for the specific actions to be taken:
- SHIPM policy 2.1.4 – Breach and Breach Notification
- HHS OCR – Submitting Notice of a Breach to the Secretary
- California Department of Technology – Office of Information Security – SIMM 5340-A: Incident Reporting and Response Instructions
- California Attorney General – Data Security Breach Reporting
Annual Breach Reporting
At the beginning of each calendar year, state entities that are covered entities or business associates must report ALL breaches to CDII and HHS OCR. Refer to the following resources for the specific actions to be taken:
- SHIPM policy 2.1.4 – Breach and Breach Notification and attachment SHIPM 2.4.1 CDII Annual Breach Reporting Form (DOC)
- HHS OCR – Submitting Notice of a Breach to the Secretary
Emergency Declaration
Refer to the Emergency Information Sharing page.
Guidance on HIPAA and Resellers of Cloud Computing Services
CDII has published guidance for state departments that are HIPAA covered entities (CE) or business associates (BA) about on how to navigate the contracting arrangements with a reseller of Cloud Service Provider (CSP) services, focusing specifically who signs the Business Associate Agreement.