CalOHII has oversight responsibility for HIPAA implementation and compliance by state departments. CalOHII focuses on monitoring HIPAA compliance within state departments that are Covered Entities or HIPAA-impacted and on providing policy updates as needed.
- CalOHII assists state departments in protecting and securing access to health information.
- A statewide culture of compliance through leadership, education, and policy.
California Health and Safety Code (HSC) sections 130300 et seq. detail the authority and responsibility CalOHII has regarding implementation and compliance with state and federal medical privacy laws.
- HSC § 130303 mandates that CalOHII has “statewide leadership, coordination, policy formation, direction and oversight for HIPAA implementation and compliance” and “shall exercise full authority relative to state entities to establish policy, provide direction to state entities, monitor progress, and report on implementation and compliance activities.”
- HSC § 130302 defines state entities as “all state departments, boards, commissions, programs, and other organizational units of the executive branch of state government.” This includes the Department of Industrial Relations, which is in the executive branch of state government.
- HSC § 130311.5(a) defines CalOHII’s authority to determine which state or federal medical privacy laws must be complied with and which are preempted. “The office shall assume statewide leadership, coordination, direction, and oversight responsibilities for determining which provisions of state law concerning personal medical information are preempted by HIPAA….”
- HSC § 130311.5(a)(2) mandates that state entities are to “Conform to all determinations made by the office concerning HIPAA preemption issues.”
- HSC § 130310 expressly states that “All state entities shall cooperate with the efforts of the office to monitor HIPAA implementation and compliance activities and to obtain information on those activities.”
- HSC § 130306 states that CalOHII has the responsibility and authority to conduct ongoing evaluations, monitor state entities, provide technical assistance, and develop uniform state policy regarding HIPAA implementation and compliance with state and federal medical privacy laws.
- HSC § 130311 states that “All state entities affected by HIPAA shall comply with the decisions of the director in achieving compliance with HIPAA.”