Resources

Page Content Links:

Resources for:
- Individuals
- Physicians, Providers, Medical Offices or Organizations

**For Individuals**
Question/Issue	Contact Information
Any violation or breach of your personal health information… Your health information was given out to someone without your permission Your health record was released without your permission You received another person’s medical information Any questions regarding release of your health information	Contact the entity that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it. Office of HIPAA Compliance’s Information Protection Unit (IPU) and the Office of Legal Services’ Privacy Office work collaboratively with DHCS business associates, counties, and other state agencies to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII), and investigate privacy breaches and complaints involving unauthorized access or disclosure of PHI, PII, and the confidential information of members. They can be reached via email at PrivacyOfficer@dhcs.ca.gov Office for Civil Rights (OCR) is responsible for investigating all violations of health information. General information about your rights: http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html https://oag.ca.gov/privacy/facts/medical-privacy/patient-rights To file a complaint: http://www.hhs.gov/hipaa/filing-a-complaint/index.html
Medical or Dental records… You requested a copy of your record but your doctor won’t provide a copy.	The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. Contact your provider – if your request is denied, it must be denied in writing. The provider is allowed to charge a reasonable fee. You can also contact the HHS Office of Civil Rights and file a complaint.
Educational facilities – schools/colleges/universities Can student health information be released to staff, students, etc.?	California Department of Education – Educational Data Management Division/Education Data Office privacy@cde.ca.gov 916-319-0586
Health Plans General coverage information Issues with care/treatment Cancellation of coverage	Department of Managed Health Care Department of Insurance (if PPO health plan) A full resource list can help with various health plan related items: https://www.dmhc.ca.gov/HealthCareinCalifornia/ResourceList.aspx#keeping
Medi-Cal General coverage information Issues with care/treatment	Department of Health Care Service General information about privacy rights:
Can a health care provider or health plan share your health information with family and friends?	The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives. However, the provider or plan can share your information with family or friends if: They are involved in your health care or payment for your health care, You tell the provider or plan that they can share your information, You do not object to sharing of the information, or If, using its professional judgment, a provider or plan believes that you do not object. For more information and a brief video, visit: http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html.

**For Physicians, Providers, Medical Offices or Organizations**
Question/Issue	Contact Information
Any violation or breach of patient health information – including, but not limited to: Health information sent to the wrong patient or an unauthorized person or entity Computer systems or other electronic media is hacked, lost, or stolen and patient data is stolen or compromised	Refer to the Omnibus HIPAA Rulemaking for specifics of breach reporting requirements. See 45 CFR §§164.308(a)(6)(i)-(ii), §164.404, §164.406, §§164.408-164.410, §164.412, §164.414, §164.500. Office for Civil Rights – Breach Notification California Attorney General – Data Security Breach Reporting If the patient is covered by Medi-Cal – Department of Health Care Services (DHCS) Privacy Office
Questions regarding release of health information – provider, physician, or medical offices	The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. See 45 CFR §164.524. More information can be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ If the patient is covered by Medi-Cal – DHCS Privacy Office

Patient Authorization Guidance Tool

CalOHII, in partnership with stakeholders, has developed the Patient Authorization Guidance Tools. Recognizing the complexity of federal and state laws, this tool is envisioned to provide simplified decision support for providers.

The Authorization Tools provide guidance on when patient authorization is needed for the disclosure of health information in California, according to federal and state law. The required elements of a valid authorization are set forth in the Code of Federal Regulations Title 45 section §164.508(c)(3) and California Civil Code sections §§56.11-56.14, §56.21. The tool is designed to help healthcare providers determine when they need to obtain a patient’s authorization to send that patient’s information to another provider. The intent is to guide providers who are exchanging health information electronically, though the rules described also apply to information in paper form. This tool applies only to healthcare providers as defined by both HIPAA and the Confidentiality of Medical Information Act (CMIA).

The links below are the Patient Authorization Guidance tools:

Breach Notification

For State Entities that are Covered Entities:
- If you have a breach affecting more than 500 individuals, notify CalOHII per SHIPM 2.1.4 – Breach and Breach Notification.
- At the end of each calendar year, submit your “Annual Breach Reporting Form”
- Contact the California Information Security Office