Page Content Links:
Any violation or breach of your personal health information…
Any questions regarding release of your health information
Contact the entity that gave out your information or sent you someone else’s information so they can be made aware of the situation and correct it.
Office of HIPAA Compliance’s Information Protection Unit (IPU) and the Office of Legal Services’ Privacy Office work collaboratively with DHCS business associates, counties, and other state agencies to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII), and investigate privacy breaches and complaints involving unauthorized access or disclosure of PHI, PII, and the confidential information of members. They can be reached via email at PrivacyOfficer@dhcs.ca.gov
Office for Civil Rights (OCR) is responsible for investigating all violations of health information.
General information about your rights:
To file a complaint:
Medical or Dental records…
The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. Contact your provider – if your request is denied, it must be denied in writing. The provider is allowed to charge a reasonable fee.
Educational facilities – schools/colleges/universities
California Department of Education – Educational Data Management Division/Education Data Office
A full resource list can help with various health plan related items:
|Can a health care provider or health plan share your health information with family and friends?|
The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives.
However, the provider or plan can share your information with family or friends if:
For more information and a brief video, visit: http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html.
Any violation or breach of patient health information – including, but not limited to:
Refer to the Omnibus HIPAA Rulemaking for specifics of breach reporting requirements. See 45 CFR §§164.308(a)(6)(i)-(ii), §164.404, §164.406, §§164.408-164.410, §164.412, §164.414, §164.500.
If the patient is covered by Medi-Cal – Department of Health Care Services (DHCS) Privacy Office
|Questions regarding release of health information – provider, physician, or medical offices|
The Privacy Rule gives patients, with few exceptions, the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. See 45 CFR §164.524.
More information can be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/
Patient Authorization Guidance Tool
CalOHII, in partnership with stakeholders, has developed the Patient Authorization Guidance Tools. Recognizing the complexity of federal and state laws, this tool is envisioned to provide simplified decision support for providers.
The Authorization Tools provide guidance on when patient authorization is needed for the disclosure of health information in California, according to federal and state law. The required elements of a valid authorization are set forth in the Code of Federal Regulations Title 45 section §164.508(c)(3) and California Civil Code sections §§56.11-56.14, §56.21. The tool is designed to help healthcare providers determine when they need to obtain a patient’s authorization to send that patient’s information to another provider. The intent is to guide providers who are exchanging health information electronically, though the rules described also apply to information in paper form. This tool applies only to healthcare providers as defined by both HIPAA and the Confidentiality of Medical Information Act (CMIA).
The links below are the Patient Authorization Guidance tools:
- For Substance Abuse Treatment Records
- For Mental Health Treatment Records
- For treatment of records involving the Lanterman, Petris, Short Act
- For State Entities that are Covered Entities:
- If you have a breach affecting more than 500 individuals, notify CalOHII per SHIPM 2.1.4 – Breach and Breach Notification.
- At the end of each calendar year, submit your “Annual Breach Reporting Form”
- Contact the California Information Security Office
- For State Entities that are not Covered Entities: