Resources
CDII provides the following resources to assist state departments as well as California citizens (patients) and physicians/providers with general questions and issues related to HIPAA.
- For general HIPAA information
- Specific resources for:
- Individuals/Patients
- Physicians/Providers
- State Departments identified as covered entities or business associates
- Reporting a Breach
- Annual Breach Reporting
- Emergency Declarations
- Guidance on HIPAA and Resellers of Cloud Computing Services
Individuals/Patients
Question/Issue | Resources |
What are my personal rights with regard to my personal health information? | The California Attorney General provides a consumer guide regarding patient privacy rights – this guide includes various scenarios to help the individual/patient understand their specific rights. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) provides a number of resources for understanding your rights under HIPAA. |
What should I do if there is a violation or breach of my personal health information? Examples include:
| For any questions regarding the release of your health information – begin by contacting the organization that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it. If the issue is not corrected, you may be able to file a formal complaint with the organization. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for investigating all violations of health information. A complaint can be filed with them. |
What if I requested a copy of my medical record but my provider won’t provide a copy? | The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and doctors/providers covered by the Privacy Rule. Contact your provider – if your request is denied, it must be denied in writing. You can also contact the HHS OCR to file a complaint. |
Can a student’s health information (kept by educational facilities – such as schools, colleges, universities) be released? | Health information and other education-related records retained by educational facilities are regulated by the Family Educational Rights and Privacy Act (FERPA). All questions related to the privacy of this health information should be directed to:
|
Can a health care provider or health plan share my health information with family and friends? | The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives. However, the provider or plan can share your information with family or friends if:
For more information and a brief video, visit: http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html. |
Physicians/Providers
Question/Issue | Resources |
Where can I find general information on HIPAA? | HHS OCR provides resources for professionals regarding various components of HIPAA. |
What should I do if there is a violation or breach of one or more of my patients’ health information – examples include, but are not limited to:
| Resources for reporting the breach:
Refer to the Omnibus HIPAA Rulemaking for specifics on breach reporting requirements. |
What should I do if a patient asks for a copy of their health or billing records? | The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. HHS OCR provides specific information on individuals’ rights to access their information. |
What should I do if someone other than the patient requests health information? | HHS OCR provides guidance materials for covered entities on the uses and disclosures of protected health information. In addition, refer to the Patient Authorization Tool on this web page. |
State Departments
Question/Issue | Resources |
Breach Notification | Refer to the following resources for the specific actions to be taken:
|
Annual Breach Reporting | At the beginning of each calendar year, state entities that are covered entities or business associates must report ALL breaches to CDII and HHS OCR. Refer to the following resources for the specific actions to be taken:
|
Emergency Declaration | Refer to the Emergency Information Sharing page. |
Guidance on HIPAA and Resellers of Cloud Computing Services
CDII has published guidance for state departments that are HIPAA covered entities (CE) or business associates (BA) on how to navigate contracting arrangements with a reseller of Cloud Service Provider (CSP) services, focusing specifically on who signs the Business Associate Agreement.
Patient Authorization Guidance Tool
CDII, in partnership with various industry stakeholders, developed the Patient Authorization Guidance Tools to help providers understand the complexity of federal and state laws related to uses and disclosures of specially protected health information.
These tools assist providers with guidance on when patient authorization is needed for the disclosure of health information in California (according to federal and state law). These tools apply only to providers covered by both HIPAA and the Confidentiality of Medical Information Act (CMIA).
The tool is designed to help providers determine when they need to obtain a patient’s authorization to send that patient’s health information to another provider. The required elements of a valid authorization are set forth in 45 C.F.R. § 164.508(c)(3) and California Civil Code §§ 56.11-56.14 and § 56.21. The specific intent is to guide providers who are exchanging health information electronically, even though the rules described also apply to information in paper form.
The links below are the Patient Authorization Guidance tools: