California Office of Health Information Integrity: Resources

       

For Individuals

Question/Issue | Contact Information

Any violation or breach of your personal health information…

  • Your health information was given out to someone without your permission
  • Your health record was released without your permission
  • You received another person’s medical information
Any questions regarding release of your health information

Contact the entity that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it.

The Office of HIPAA Compliance’s Information Protection Unit (IPU) and the Office of Legal Services’ Privacy Office work collaboratively with DHCS business associates, counties, and other state agencies to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII), and investigate privacy breaches and complaints involving unauthorized access or disclosure of PHI, PII, and the confidential information of members. They can be reached via email at PrivacyOfficer@dhcs.ca.gov.

Office for Civil Rights (OCR) is responsible for investigating all violations of health information.

General information about your rights:

To file a complaint:

Medical or Dental records…

  • You requested a copy of your record but your doctor won’t provide a copy. 

The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.  Contact your provider – if your request is denied, it must be denied in writing.  The provider is allowed to charge a reasonable fee. 

You can also contact the HHS Office for Civil Rights and file a complaint.

Educational facilities – schools/colleges/universities

  • Can student health information be released to staff, students, etc.?

California Department of Education - Educational Data Management Division/Education Data Office

Health Plans

  • General coverage information
  • Issues with care/treatment
  • Cancellation of coverage

Department of Managed Health Care

Department of Insurance (if PPO health plan)

A full resource list can help with various health plan related items:

Medi-Cal

  • General coverage information
  • Issues with care/treatment

Department of Health Care Services

General information about privacy rights:

Can a health care provider or health plan share your health information with family and friends?

The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives.

However, the provider or plan can share your information with family or friends if: 

  • They are involved in your health care or payment for your health care, 
  • You tell the provider or plan that they can share your information,
  • You do not object to sharing of the information, or 
  • If, using its professional judgment, a provider or plan believes that you do not object. 
For more information and a brief video, visit:  http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html.


 

 

For Physicians, Providers, Medical Offices or Organizations

Question/Issue | Contact Information

Any violation or breach of patient health information – including, but not limited to:

  • Health information sent to the wrong patient or an unauthorized person or entity
  • Computer systems or other electronic media are hacked, lost, or stolen and patient data is stolen or compromised

Refer to the Omnibus HIPAA Rulemaking for specifics of breach reporting requirements.  See 45 CFR §§164.308(a)(6)(i)-(ii), §164.404, §164.406, §§164.408-164.410, §164.412, §164.414, §164.500. 

Office for Civil Rights – Breach Notification

California Attorney General – Data Security Breach Reporting

If the patient is covered by Medi-Cal – Department of Health Care Services (DHCS) Privacy Office

Questions regarding release of health information – provider, physician, or medical offices

The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.  See 45 CFR §164.524.

More information can be found at:  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/

If the patient is covered by Medi-Cal – DHCS Privacy Office


     

Patient Authorization Guidance Tool

 
CalOHII, in partnership with stakeholders, has developed the Patient Authorization Guidance Tools. Recognizing the complexity of federal and state laws, this tool is envisioned to provide simplified decision support for providers.

The Authorization Tools provide guidance on when patient authorization is needed for the disclosure of health information in California, according to federal and state law.  The required elements of a valid authorization are set forth in the Code of Federal Regulations Title 45 section §164.508(c)(3) and California Civil Code sections §§56.11-56.14, §56.21. The tool is designed to help healthcare providers determine when they need to obtain a patient’s authorization to send that patient’s information to another provider.  The intent is to guide providers who are exchanging health information electronically, though the rules described also apply to information in paper form.  This tool applies only to healthcare providers as defined by both HIPAA and the Confidentiality of Medical Information Act (CMIA). 

The links below are the Patient Authorization Guidance tools:

 

Breach Notification