Resources

CDII provides the following resources to assist state departments as well as California citizens (patients) and physicians/providers with general questions and issues related to HIPAA.

For general HIPAA information
- Office for Civil Rights (OCR) Helpful links
- Patient Authorization Guidance Tool
Specific resources for:
- Individuals/Patients
- Physicians/Providers
- State Departments identified as covered entities or business associates
  - Reporting a Breach
  - Annual Breach Reporting
  - Emergency Declarations
  - Guidance on HIPAA and Resellers of Cloud Computing Service

Individuals/Patients

Question/Issue	Resources
What are my personal rights with regard to my personal health information?	The California Attorney General provides a consumer guide regarding patient privacy rights – this guide includes various scenarios to help the individual/patient understand their specific rights. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) provides a number of resources for understanding your rights under HIPAA.
What should I do if there is a violation or breach of my personal health information? Examples include: My health information was given out to someone without my permission My health record was released without my permission I received another person’s medical information	For any questions regarding the release of your health information – begin by contacting the organization that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it. If the issue is not corrected, you may be able to file a formal complaint with the organization. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for investigating all violations of health information. A complaint can be filed with them.
What if I requested a copy of my medical record but my provider won’t provide a copy?	The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and doctors/providers covered by the Privacy Rule. Contact your provider – if your request is denied, it must be denied in writing. You can also contact the HHS OCR to file a complaint.
Can a student’s health information (kept by educational facilities – such as schools, colleges, universities) be released?	Health information and other education related records retained by educational facilities is regulated by the Family Educational Rights and Privacy Act (FERPA). All questions related to privacy of this health information should be directed to: California Department of Education, Education Data Office – email: privacy@cde.ca.gov or phone: 916-319-0586 U.S. Department of Education
Can a health care provider or health plan share my health information with family and friends?	The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives. However, the provider or plan can share your information with family or friends if: They are involved in your health care or payment for your health care, You tell the provider or plan that they can share your information, You do not object to sharing of the information, or If, using their professional judgment, a provider or plan believes that you do not object. For more information and a brief video, visit: http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html.

Physicians/Providers

Question/Issue	Resources
Where can I find general information on HIPAA?	HHS OCR provides resources for professional regarding various components of HIPAA.
What should I do if there is a violation or breach of one or more of my patient’s health information – examples include, but are not limited to: Health information is sent to the wrong patient or an unauthorized person or entity Computer systems or other electronic media is hacked, lost, or stolen and patient data is stolen or compromised	Resources for reporting the breach: Office for Civil Rights – Breach Notification California Attorney General – Data Security Breach Reporting Refer to the Omnibus HIPAA Rulemaking for specifics on breach reporting requirements.
What should I do if a patient asks for a copy of their health or billing records?	The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. HHS OCR provides specific information on an individuals’ rights to access their information.
What should I do if someone other than the patient requests health information?	HHS OCR provides guidance materials for covered entities on the uses and disclosures of protected health information. In addition, refer to the Patient Authorization Tool on this web page.

State Departments

Question/Issue	Resources
Breach Notification	Refer to the following resources for the specific actions to be taken: SHIPM policy 2.1.4 – Breach and Breach Notification HHS OCR – Submitting Notice of a Breach to the Secretary California Department of Technology – Office of Information Security – SIMM 5340-A: Incident Reporting and Response Instructions California Attorney General – Data Security Breach Reporting
Annual Breach Reporting	At the beginning of each calendar year, state entities that are covered entities or business associates must report ALL breaches to CDII and HHS OCR. Refer to the following resources for the specific actions to be taken: SHIPM policy 2.1.4 – Breach and Breach Notification and attachment SHIPM 2.4.1 CDII Annual Breach Reporting Form (DOC) HHS OCR – Submitting Notice of a Breach to the Secretary
Emergency Declaration	Refer to the Emergency Information Sharing page.

Guidance on HIPAA and Resellers of Cloud Computing Services

CDII has published guidance for state departments that are HIPAA covered entities (CE) or business associates (BA) about on how to navigate the contracting arrangements with a reseller of Cloud Service Provider (CSP) services, focusing specifically who signs the Business Associate Agreement.

Patient Authorization Guidance Tool

CDII, in partnership with various industry stakeholders, developed the Patient Authorization Guidance Tools to assist providers understand the complexity of federal and state laws related to uses and disclosures of specially protected health information.

These tools assist providers with guidance on when patient authorization is needed for the disclosure of health information in California (according to federal and state law). These tools apply only to providers covered by both HIPAA and the Confidentiality of Medical Information Act (CMIA).

The tool is designed to help providers determine when they need to obtain a patient’s authorization to send that patient’s health information to another provider. The required elements of a valid authorization are set forth in the 45 C.F.R. § 164.508(c)(3) and California Civil Code §§ 56.11-56.14 and § 56.21. The specific intent is to guide providers who are exchanging health information electronically, even though the rules described also apply to information in paper form.

The links below are the Patient Authorization Guidance tools: