California Health and Human Services

Link to California State Web Portal
Link to the California Web State Portal
logo-web
Link to the California Health and Human Services homepage

Compliance Oversight Program

Logo for CalHHS Center for Data Insights and Innovation

The Center for Data Insights and Innovation (CDII) has statutory responsibility to evaluate, monitor, and report on state departments’ HIPAA compliance. The goals of CDII’s Compliance Oversight Program are to:

  • Create a collaborative culture of compliance for state departments
  • Keep Californian’s health information safe
  • Provide technical assistance and leadership on California’s HIPAA compliance

This page provides state departments (subject to HIPAA) with general information about the Compliance Oversight Program:

What is a Compliance Review?

The Compliance Oversight Program includes responsibity for conducting ongoing compliance reviews on state departments subject to HIPAA. The focus during the compliance review is to work with the state department to identify any gaps in HIPAA compliance (based on the Statewide Health Information Policy Manual) and monitor the resolution of all identified compliance gaps.

Who is Subject to a Compliance Review?

State departments assessed to be covered entities and/or business associates are subject to compliance reviews. For a list of the state departments subject to HIPAA and/or more information about the most recent assessment, refer to the 2022 Health Information Entity Status Assessment page.

What Happens during a Compliance Review?

State departments are notified several weeks before they are scheduled for a compliance review – the Compliance Review Schedule is under review at this time.

The compliance review begins with the department providing CDII with artifacts/documents (see the Compliance Review Artifact Request List) and answering compliance questions (see the Compliance Review Tool) within a specified time frame. CDII reviews all materials collected from the department (see the Compliance Review Artifacts Checklists) to document initial observations.

After the materials are reviewed, an onsite review may be scheduled with the department. During the onsite visit, the CDII team conducts follow-up meetings to clarify information received from the department and tours selected operational areas of the department.

All observations and findings are documented along with recommendations for addressing gaps. A draft document is provided to the department for review and comments before CDII finalizes the report.

Once the report is finalized, the review moves into the Corrective Action Plan phase. During this time, CDII works with the department to track and monitor the resolution of all gaps identified (see Corrective Active Plan Template).

Tips and Tools & How to Prepare for a Compliance Review?

CDII provides the following documents to assist departments prepare for a compliance review.

If you have any questions, contact the CDII Privacy Office at CDIIPrivacyOffice@chhs.ca.gov

CDII Navigation

CDII Policy and Governance – Home Page

Emergency Health Information Sharing

Statewide Health Information Policy Manual (SHIPM)

Compliance Oversight Program

State Health Information Guidance (SHIG)

2022 Health Information Entity Status Assessment

Federal and State Health Information Laws

Resources

About CDII

Contact CDII

Scroll to top button