Compliance Review Program

One of CalOHII’s primary statutory responsibilities is to monitor State Departments’ HIPAA compliance. It does this by conducting ongoing compliance reviews of State Departments subject to HIPAA. Our goals are to:

  • Create a culture of compliance for State Departments
  • Keep California’s health information safe
  • Ensure health information gets into the right place when needed

What is the Compliance Review Program?
In conducting compliance reviews, CalOHII works with State Departments to identify any gaps in Federal or State HIPAA compliance, rectify those gaps, and adopt best practices that protect patients’ medical information, prevent unauthorized disclosure, and ensure safe transmission of medical information for patient care.

CalOHII created the Statewide Health Information Policy Manual (SHIPM), which provides practical guidance on how to follow HIPAA, the Confidentiality of Medical Information Act (CMIA), the Information Practices Act (IPA), and other applicable state and federal health information laws. SHIPM is the foundation upon which compliance reviews are based.

Who is Subject to a Compliance Review?
State Departments assessed to be Covered Entities and/or Business Associates are subject to a Compliance Review. In June 2017, CalOHII completed an assessment of all State Departments within the Executive Branch of government to determine each department’s current status – see 2017 HIPAA Assessment Results (PDF).

CalOHII has developed a schedule for the Round 1 compliance reviews – see CalOHII Compliance Program Compliance Review Schedule (Round 1) (PDF).

What Happens during a Compliance Review?
State Departments are notified each year if they are scheduled for a Compliance Review in the coming calendar year.

The Compliance Review begins with the State Department providing CalOHII with the artifacts requested in the Compliance Review Policy Request List and completing and submitting the Compliance Review Questionnaire within a specified time frame.

Once all information is collected from the State Department, an onsite review is scheduled and the CalOHII team conducts an onsite visit. All observations and findings are documented along with recommendations for addressing gaps. A draft document is provided to the department for review and comments before CalOHII finalizes the report.

Tips and Tools: How to Prepare for a Compliance Review
CalOHII has prepared a number of tips, tools and templates to help State Departments maintain ongoing compliance and prepare for a compliance review.

Accessibility issues or questions about the Compliance Program can be sent to:
Virginia Franco-Varela (
