Skip to main content

California Health & Human Services

Link to California State Web Portal
Link to the California Web State Portal
Calhhs logo
Link to the California Health and Human Services homepage

Center for Data Insight and innovation logo

Compliance and Policy/Policy Privacy Unit

Center for Data Insight and innovation logo

Compliance and Policy/Policy Privacy Unit

Statewide Health Information Policy Manual (SHIPM) for State Departments

The Statewide Health Information Policy Manual (SHIPM) was developed in 2015 to guide agencies on protecting patient privacy while promoting coordinated care.

  • It provides guidance on how to protect patient privacy while promoting coordinated care
  • It promotes uniform interpretation and application of health information laws including those relating to security, patients’ rights, and transactions and code sets
  • It helps state entities avoid fines and sanctions resulting from unauthorized disclosures of health information

This SHIPM manual is updated annually to reflect the latest changes in state or federal law. View the latest version: SHIPM – revision 6/2025.

Questions or comments about the SHIPM can be sent to CDIIPolicy@chhs.ca.gov.

Statewide Health Information Guidance (SHIG)

The State Health Information Guidance (SHIG) is a collaboration of the Center for Data Insights and Innovation with various organizations to develop specific materials to help clarify federal and state laws that affect disclosure and sharing of health information. The SHIG efforts are composed of comprehensive research, drawing from a broad group of stakeholders that reflect cross-industry insights and experience, to get a clear understanding of the problems different groups were facing in the field.

Currently, there are five volumes of SHIG. Utilize the following links for additional information:

Sharing Behavioral Health Information in California

CDII, with support from the California Health Care Foundation, created the initial version of SHIG which focused on sharing behavioral health information in California.  This version of SHIG:

Provides an authoritative but non-binding guidance from the State of California written in plain language for a general audience

Explains when, where, and why mental health and substance use disorder information can be exchanged

Provides clarification of state and federal laws

Contains 22 scenarios derived from real user stories, which clarify how laws apply to actual situations that arise for care providers

Download SHIG Volume 1: State Health Information Guidance (SHIG) 1.3 (revised January 2025)

Sharing Health Information to Address Food and Nutrition Insecurity in California

CDII, in collaboration with Nourish California and the California Primary Care Association, launched the SHIG Volume 2 project to address the problem of food and nutrition insecurity among Californians.

SHIG Volume 2 provides clarification of federal and state law targeting the sharing of health and social services information to support the coordination of treatment/care and services related to food and nutrition insecurity.  Volume 2 contains 14 scenarios targeting:

General information sharing (name and contact information)

Health provider to health provider information sharing

Social services program-specific information sharing – including CalFresh, the Women, Infants, and Children (WIC) Program, Medically Tailored Meals, and Older Americans Act Nutrition Program

A special thank you to our funders for this effort who are Nourish California (with support from CommonSpirit Health), Archstone Foundation, the California Health Care Foundation, and the Centers for Medicare and Medicaid Services (CMS) who provided CDII with grants to augment the SHIG.

Download SHIG Volume 2: State Health Information Guidance (SHIG) 2.2 (revised January 2025)

Other Information: May 20, 2021 Webinar – Recording

Sharing HIV/AIDS Information in California

CDII is proud to announce the publication of State Health Information Guidance (SHIG) 3.0 – Sharing HIV/AIDS Information in California. Persons living with HIV/AIDS require coordination of care between health providers; community-based organizations; public health departments; and other entities.

SHIG Volume 3 gives health providers and other service providers the knowledge and confidence they need to share HIV/AIDS information that supports coordinated and integrated care and services. The SHIG clarifies federal and state laws by translating them into non-legal and non-technical language for a general audience. This clarity empowers secure and appropriate data sharing among health providers, ultimately leading to better care integration and health outcomes while protecting privacy.

SHIG Volume 3 contains four (4) scenarios:

Scenario 1 – Health Provider to Patient (electronically)

Scenario 2 – Public Health to Community-based Organization (CBO)

Scenario 3 – Health Provider to CBO

Scenario 4 – CBO to Partner

A special thank you to our funders for this effort who are the California Health Care Foundation (CHCF), Archstone Foundation, and the Centers for Medicare and Medicaid Services (CMS) who provided CDII with grants to augment the SHIG.

Download SHIG Volume 3.0: State Health Information Guidance (SHIG) 3.2 (revised January 2025)




Sharing Health Information of People Living with Intellectual and/or Developmental Disabilities in California

The Center for Data Insights and Innovation (CDII) is proud to announce the publication of State Health Information Guidance (SHIG) 4 – Sharing Health Information of People Living with Intellectual and/or Developmental Disabilities in California. Persons living with Intellectual and/or Developmental Disabilities require coordination of care between health providers; community-based organizations (CBO); public health departments; and other entities.

SHIG Volume 4 gives health providers and other service providers the knowledge and confidence they need to share Intellectual and/or Developmental Disabilities information that supports coordinated and integrated care and services. The SHIG clarifies federal and state laws by translating them into non-legal and non-technical language for a general audience. This clarity empowers secure and appropriate data sharing among health providers, ultimately leading to better care integration and health outcomes while protecting privacy.

SHIG Volume 4 contains seven (7) scenarios:

Scenario 1 – Regional Center / Regional Center Vendor to Health Provider

Scenario 2 – Regional Center / Regional Center Vendor to Parent (or family member)

Scenario 3 – Regional Center / Regional Center Vendor to Caregiver

Scenario 4 – Health Provider to Regional Center / Regional Center Vendor

Scenario 5 – Behavioral Health Provider to Regional Center / Regional Center Vendor – Mental Health Information

Scenario 6 – Behavioral Health Provider to Regional Center / Regional Center Vendor – Substance Use Disorder Information

Scenario 7 – Health Provider to Health Provider

A special thank you to our funders for this effort who are the California Health Care Foundation (CHCF), Archstone Foundation, and the Centers for Medicare and Medicaid Services (CMS) who provided CDII with grants to augment the SHIG.


Download SHIG Volume 4: State Health Information Guidance (SHIG) 4.2 (revised January 2025)

 

Sharing Minors and Foster Youth Health Information in California

Sharing Minors and Foster Youth Health Information in California

The Center for Data Insights and Innovation (CDII) is proud to announce the publication of State Health Information Guidance (SHIG) 5 – Sharing Minors and Foster Youth Health Information in California.

SHIG Volume 5 gives health providers and other service providers the knowledge and confidence they need to share minors and foster youth health information to support coordinated and integrated care and services. The SHIG clarifies federal and state laws by translating them into non-legal and non-technical language for a general audience. This clarity empowers secure and appropriate data sharing among health providers, ultimately leading to better care integration and health outcomes while protecting privacy.

SHIG Volume 5 contains 15 scenarios targeting:

Minors – 11 scenarios

Foster Youth – four (4) scenarios

A special thank you to our funders for this effort who are the California Health Care Foundation (CHCF), Archstone Foundation, and the Centers for Medicare and Medicaid Services (CMS) who provided CDII with grants to augment the SHIG.

Download SHIG Volume 5: State Health Information Guidance (SHIG) 5.2 (revised January 2025)

 

For general information about the SHIG, refer to the SHIG Fact Sheet.

We strongly encourage all users of the SHIG to read it in its entirety and consult with your legal counsel if you have any questions.

For information about the SHIG, email shiginformation@chhs.ca.gov

Download SHIG Volume 5: State Health Information Guidance (SHIG) 5.2 (revised January 2025)

Compliance Review Program

The Center for Data Insights and Innovation (CDII) has statutory responsibility to evaluate, monitor, and report on state departments’ HIPAA compliance. The goals of CDII’s Compliance Oversight Program are to:

  • Create a collaborative culture of compliance for state departments
  • Keep Californians’ health information safe
  • Provide technical assistance and leadership on California’s HIPAA compliance

The Compliance Oversight Program includes conducting ongoing compliance reviews on state departments subject to HIPAA. The focus during the compliance review is to work with the state department to identify any gaps in HIPAA compliance (based on the Statewide Health Information Policy Manual) and monitor the resolution of all identified compliance gaps.

What is a Compliance Review?

The Compliance Oversight Program conducts ongoing compliance reviews on state departments subject to HIPAA. The focus during the compliance review is to work with the state department to identify any gaps in HIPAA compliance (based on the Statewide Health Information Policy Manual) and monitor the resolution of all identified compliance gaps.

Who is Subject to a Compliance Review?

State departments assessed to be covered entities and/or business associates are subject to compliance reviews. For a list of the state departments subject to HIPAA and/or more information about the most recent assessment, refer to the 2022 Health Information Entity Status Assessment page.

What Happens during a Compliance Review?

State departments are notified several weeks before they are scheduled for a compliance review – the Compliance Review Schedule is under review at this time.

The compliance review process is comprised of the following activities:

  • The compliance review begins with the department providing CDII with artifacts/documents and answering questions within a specified time frame.
  • CDII reviews all materials collected from the department to document initial observations.
  • CDII may schedule an onsite review with the department. During the onsite visit, the CDII team conducts follow-up meetings to clarify information received from the department (and may tour selected operational areas of the department).
  • CDII documents all observations and findings along with recommendations for addressing gaps. The draft document is provided to the department for review and comments before CDII finalizes the report.
  • Once the report is finalized, the review moves into the Corrective Action Plan phase. During this time, CDII works with the department to track and monitor the resolution of all gaps identified.

Tools and templates used during the compliance review are available by contacting the CDII Privacy Office at CDIIPolicy@chhs.ca.gov. We encourage CA state departments to review and use these tools, templates, and checklists in your own compliance program efforts and for preparing for a CDII compliance review. By reviewing these tools and templates now, you will have a good understanding of what is expected to be HIPAA compliant.

If you have any questions, contact the CDII Policy Office at  CDIIPolicy@chhs.ca.gov.

View the 2022 Health Information Entity Status Assessment.

Resources

CDII provides the following resources to assist state departments as well as California patients, physicians, and health care providers with general questions and issues related to HIPAA.

State Departments

Breach Notification- refer to the following resources for the specific actions to be taken:

Annual Breach Reporting

At the beginning of each calendar year, state entities that are covered entities or business associates must report ALL breaches to CDII and HHS OCR. Refer to the following resources for the specific actions to be taken: