Chapter 2 – Patients’ Entitlements and Responsibilities

Policy

• The California Correctional Health Care Services supports and observes a set of patient rights in agreement with standard medical practices and ethical conduct, and are consistent with the reasonable limitation of federal and state rules and regulations as they apply to the patient. Certain rights may be limited by reasonable application of security regulations.

Purpose

• To ensure that the individual patient’s rights are maintained in concurrence with established medical ethics and to preserve the basic human dignity of the patient.

Responsibility

• The Chief Executive Officer, or designee, and the Warden of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Policy

• California Correctional Health Care Services (CCHCS) shall ensure effective communication (EC) is reached and documented when there is an exchange of health information involving patients with a hearing, vision, or speech impairment; learning disability, developmental disability, or functional disability; reading level score of 4.0 (fourth grade level) or lower, which includes zero or no reading score; or Limited English Proficiency (LEP), and in health care grievance communications with such patients. In the exchange of health information and in health care grievance communications with such patients, the patients’ primary method of communication shall be used. If necessary, alternate methods and auxiliary aids which are reasonable, effective, and appropriate to the needs of the patient shall be provided and documented when simple written or oral communication is not effective. If EC is not reached, that shall also be documented.

Purpose

• To ensure EC is reached and documented when there is an exchange of health information and in health care grievance communications, including the delivery of the grievance outcome.

Applicability

• This policy applies to all CCHCS and contracted staff who, in the performance of their duties, are required to communicate health information with patients in the custody of California Department of Corrections and Rehabilitation identified in Section (a). This policy shall also apply to patient specific communication provided through health care grievance interviews, or health care grievance responses, rejections, or withdrawal letters.

Responsibility

• The Chief Executive Officer (CEO), or designee, is responsible for the implementation, monitoring, and evaluation of this policy. The CEO or designee shall ensure a Local Operating Procedure (LOP) is established to implement this policy and its corresponding procedure.

• The CEO is responsible for ensuring staff receive training on EC and for reviewing monthly SLI and EC audits of documented exchanges of health information submitted by medical, dental, and mental health services, and health care grievance communications with patients identified in Section (a).

Procedure

• Determining the EC need for the patient

  • Health care staff shall verify the primary accommodation or assistance required to reach EC by reviewing information in one or more of the following areas:

    • Strategic Offender Management System

    • Reading Score

    • LEP

    • CDC 128-B, General Chrono

    • Electronic Health Record System

    • Effective Communication/ Americans with Disabilities Act (ADA) section of the Patient Summary

  • Health care staff shall consider whether additional steps are necessary to reach EC with a specific patient even if EC information is not identified in the areas listed above. 

  • If the patient’s primary method of communication is unavailable (with the exception of patients needing an SLI), staff shall document the reason and utilize the alternative method of communication if one is listed. If an alternative method of communication is not listed, staff shall consult with the patient to determine their preferred method of communication for the encounter.

  • Health care staff shall document how EC was achieved, including the patient’s preferred method of communication.

• Accommodation or Assistance

  • Health care staff shall provide the necessary accommodation or assistance to reach EC at each exchange of health information with patients identified in Section (a), giving primary consideration to the patient’s documented primary method form of EC documented of communication. Accommodations may be facilitated by sign language interpretation, certified bilingual health care staff, certified bilingual California Department of Corrections and Rehabilitation staff, or certified contracted language interpreters, assistive devices, or other methods of assistance and accommodation.

  • Assistive Devices

    • Health care staff shall, in consultation with the patient, determine the need for any assistive device(s). These assistive devices include, but are not limited to, the following:

      • Sound amplification devices (e.g., hearing aids)

      • Corrective lenses

      • Reading magnifier

    • During an exchange of health information with a patient, health care staff shall determine and document the presence and the efficacy of the assistive device(s).

    • When a patient presents without their prescribed assistive device, health care staff shall:

      • Consult with the patient about the best alternative method of effective communication;

      • Document the reason;

      • Provide alternate methods of accommodation; and

      • Document the alternate method utilized during the encounter, including whether it is the method the patient requested.

    • A patient reporting malfunctioning or lost assistive devices shall be referred to designated staff as identified in the LOP to assess or discuss repair or replacement of the assistive devices.

  • Accommodations

    • Accommodations shall be documented and may include one or more of the following:

      • Additional Time – The patient was given additional time to respond or complete a task

      • Equipment – Special Equipment was used to facilitate EC (Note the type and efficacy of equipment used in the “Comments” section of the standard EC sticker, label, document, or health record.)

      • SLI – Sign Language Interpreter

      • Louder – The provider spoke louder

      • Slower – The provider spoke slower

      • Basic – The provider used basic language

      • Transcribe – Communication was written down (All written notes shall be retained in the health record.)

      • Reading Assistance – The provider read a document out loud to the patient (e.g., discharge instructions, test results.)

      • Other – Any other method that was used to facilitate EC (Note the type of accommodation used in the “Comments” section of the standard EC sticker, label, document, or health record.)

    • A patient with a learning disability; a reading level score of 4.0 or lower, which includes zero or no reading score; or determined limited English proficient shall be queried to determine their cognitive ability to engage in conversation and understand information presented during an exchange of health care information, health care grievance interview, or health care grievance communication. Through the query, health care staff shall determine the patient’s ability to understand and participate in the exchange of health care information. If no assistance or accommodation is needed, the reason shall be documented.

    • Reading assistance may be provided (e.g., documents read aloud in the presence of the patient) and a determination made as to whether the patient understood during exchanges of health information, health care grievance interviews, and when providing a health care grievance communication to a patient that is developmentally disabled, visually impaired, has a learning disability, or has a reading level score of 4.0 or lower, which includes zero or no reading score.

  • SLIs are required for exchanges of health information with patients whose primary method of communication is American Sign Language.

    • For prescheduled appointments and programs, SLI Services shall be primarily provided by the onsite SLI Services Support Assistant. If the onsite SLI is not available, one of the following methods may be used:

      • Statewide State employee – SLI Services Support Assistant through conferencing application(e.g., MS Teams)

      • Local contractors who provide SLI services

      • “On-demand” Video Remote Interpretation (VRI) services, through contracted services)

    • If the patient refuses the assistance of an SLI (onsite, contracted, or VRI), all attempts to provide SLI shall be documented in the health record. If the patient waives the assistance of an SLI, the waiver of SLI services shall be documented and staff shall consult with the patient and employ the most effective form of communication available, including written notes honoring the patient’s request for a particular auxiliary aid or service whenever practicable. All attempts to accommodate the patient during the encounter shall be documented.

    • In restricted housing or segregated units (e.g., Administrative Segregation), during daily Psychiatric Technician rounds, if sign language interpretation is accomplished via video remote, custody staff shall escort patients to a private setting, away from the cell front where the patient can clearly see the SLI. If the patient refuses, the Psychiatric Technician shall refer the patient to a mental health clinician (refer to the Mental Health Services Delivery System Program Guide at 12-1-5, outlining the Mental Health referral process).

    • When existing institution SLI Services are unavailable, staff can then utilize the “on-demand” VRI interpreters using the following steps:

      • Log into the approved equipment (e.g., tablet, laptop, or desktop computer) installed with a camera.

      • Open the SLI contract service link icon for remote video services.

      • Open the SLI Log on the desktop and enter required information.

      • Verify successful operation of VRI equipment with interpreter and patient prior to the exchange of information.

    • When all above SLI resources have been addressed and determined not available, the reason the SLI was not utilized shall be documented, and health care staff shall consult with the patient to determine the appropriate alternative method of communication. Health care staff shall also consider whether the appointment can reasonably be delayed without causing patient harm. The alternate method of accommodation provided shall be documented. When written notes are used, the written notes shall be retained in the health record.
      NOTE: During Emergent situations, after business hours, on weekends and holidays, utilize “on-demand” VRI services (refer to Section (e)(2)(C)5.d.).

    • Security and Storage of “on-demand” VRI devices

      • Nursing staff shall be responsible for the security and storage of “on-demand” VRI devices.

      • “On-demand” VRI devices shall be stored and secured in accessible areas at all times.

      • Nursing staff shall maintain an Equipment Accountability Log (Appendix 1, “Sample” Equipment Accountability Log) to account for each time the “on-demand” VRI device is removed from the designated storage area.

      • “On-demand” VRI devices shall not be removed from the institution at any time.

      • In the event the SLI devices are not located, follow institutional protocol for missing equipment.

    • During each shift, nursing staff shall document that equipment and tools are accounted for during their daily tool control accountability checks and ensure the following:

      • “On-demand” VRI devices are powered up and internet connectivity verified.

      • “On-demand” VRI devices are fully charged and have available power strips.

      • Equipment is checked with identified tool inventory.

    • Monthly audits of all SLI encounters shall be conducted by Field Operations, Corrections Services.

      • Any allegations of non-compliance shall be reported to the institution where the non-compliance occurred.

      • All allegations shall be placed on the Allegation Log Tracking System and an inquiry conducted.

      • A monthly SLI audit report shall be produced by Field Operations, Corrections Services.

      • Each institution shall have three calendar days upon receipt to verify audit findings.

      • The monthly audit data will be displayed on the CCHCS Dashboard for the “Effective Communication: Sign Language Interpreter (SLI) Provided” domain or other appropriate performance reports.

  • LEP Services

    • Interpretation and translations service shall be provided to patients who have a limited ability to speak, read, write, or understand English. The LEP accommodation provided during each encounter shall be documented.

    • Each facility shall designate an LEP coordinator (Correctional Business Manager) to ensure interpretation and translation services are available, current, and operational.

    • LEP services shall be made available through the following:

      • Telephonic interpretation service available 24 hours a day, seven days a week for staff requiring interpretation services for most commonly spoken languages used by non-English speaking patients.

      • List of certified bilingual staff and other local interpreters or interpreters from neighboring institutions or agencies competent to interpret and translate. Certified staff must provide the following: contact information, language(s) spoken, staff duty hours, and availability maintained by the LEP coordinator.

      • Collection of translated forms and documents which have been translated into commonly spoken languages available to staff and patients.

    • The designated LEP coordinator is responsible for providing and posting the following in areas where health care services are provided:

      • I-Speak posters, used to help patients identify their spoken language

      • Institution specific telephonic interpretation service phone number and associated user identification or Personal Identification Number (PIN), and

      • Notice of Interpretation and Translation Service Information (Appendix 2), used to help identify the institution’s bilingual staff and list of translated forms available.

• Documentation

  • Health care staff shall document or complete the EC section of the health record when documenting exchanges of health information and in health care grievance communications.

  • For face-to-face patient encounters, clinical staff need to only document EC on one document completed during the encounter (e.g., Progress Notes). All other documents completed during the same encounter (e.g., Physician Orders) do not require documentation of EC.

  • Health care encounters that require EC documentation in the health record, with the exception of routine testing and rounding, include, but are not limited to, the following:

    • Determination of the patient’s medical history or description of the ailment or injury.

    • Provision of the patient’s rights, informed consent, or permission for treatment (including refusal of treatment forms).

    • Diagnosis or prognosis of the ailment or injury (including upon the return from outside clinics).

    • Explanation or response to questions from the patient concerning procedures, tests, treatment, treatment options, or surgery (e.g., Tuberculosis test, Human Immunodeficiency Virus testing, Sexually Transmitted Diseases testing, vaccinations).

    • Explanation or response to questions from the patient concerning medications prescribed (such as dosage, instructions for how and when to be taken, side effects, food or drug interactions).

    • Blood donations and apheresis.

    • Admit and discharge instructions.

    • Pre and Post-procedure instructions, including nothing to eat or drink instructions.

    • DKD (requires dialysis) class members receiving dialysis treatment.

    • Triage and Treatment Area return following discharge from an outside hospital. Patient has received orders from the discharging hospital. If they did not, EC is to be provided upon arrival to inform the patient of explanation of discharge and when orders are reconfirmed with a CCHCS provider.

    • Provision of mental health evaluations, group and individual therapy, including psychiatric technician rounds, Interdisciplinary Treatment Team meetings, and all therapeutic activities, and educational counseling including self-care instructions. 

    • Nursing behavioral checks for patient on suicide watch; any interaction to provide, share, or elicit information (e.g., Registered Nurse who does the assessments, discusses criteria for release from restraints, conducts range of motion, etc., does require EC documentation).

    • Initial admit to an Outpatient Housing Unit, inpatient area, and nursing routine duties (e.g., call light, IV).

    • Health Care Grievance Interviews and delivery of grievance responses.

  • Clinical staff assigned to the inpatient unit shall document EC once per patient per shift (e.g., a Registered Nurse conducting rounds several times per shift would only need to document EC the first time conducting rounds.)

  • EC documentation shall include the following:

    • Disability Code – A patient may have a documented disability, multiple disabilities, a reading level score of 4.0 or lower, which includes zero or no reading score, a learning disability, developmental disability, or functional disability; or any combination thereof. It is only after a determination of the patient’s disability, disabilities, or cognitive ability, that a conclusion can be drawn as to the accommodation(s) or assistance required in order to establish EC. The disability codes include the following:

      • Reading level score lower than or equal to 4.0, which includes zero or no reading score

      • DPH – Permanent hearing impaired

      • DNH – Permanent hearing impaired; improved with hearing aids

      • DPS – Permanent speech impaired

      • DPV – Permanent vision impaired

      • DDP – Developmental Disability Program (DD1, DD2, DD3)

      • LD – Learning Disability, verified and unverified

      • LEP

      • Not Applicable – No Disability

    • Accommodation – The accommodation or assistance is determined by the patient’s disability or cognitive abilities. Each checkbox under this category is an EC attribute related to a disability identifier in Column 1 of the EC label and includes the following:

      • Additional Time – The patient was given additional time to respond or complete a task

      • Equipment – Special Equipment was used to facilitate EC (Note the type and efficacy of equipment used in the “Comments” section of the standard EC sticker, label, document, or health record.)

      • SLI – Sign Language Interpreter

      • Louder – The provider spoke louder

      • Slower – The provider spoke slower

      • Basic – The provider used basic language

      • Transcribe – Communication was written down (All written notes shall be retained in the health record.)

      • Reading Assistance – The provider read aloud any written material or aurally described any visual information.

      • Other – Any other tool that was used to facilitate EC (Note the type of tool used in the “Comments” section of the standard EC sticker, label, document, or health record.)

    • Effective Communication – Health care staff shall document the assessment method that validated the patient understood or did not understand the health information as well as the corresponding EC checkboxes:

      • Reached – EC validated

        • Patient asked pertinent questions pertaining to the exchange of health information

        • Patient summarized the exchange of health information in their own words

        • Other: Elaborate in the “Comments” section

      • Not reached – EC not validated

        • Other: Elaborate in the “Comments” section

    • Any written notes with health information exchanged between a patient and health care staff shall be retained in the health record with the EC documentation.

• Accountability

  • Monthly health record audits shall be conducted to determine compliance with the EC policy.

    • The audit sample shall include medical, dental, and mental health encounters.

    • The audit sample shall include health care grievance documents and health records of patients with hearing, vision, speech impairments, a documented LD, a DDP code or those with a reading level score of 4.0 or lower which includes zero or no reading score.

  • EC documentation shall be deemed deficient if absent or incomplete. 

  • EC documentation shall be required if the patient refuses the encounter.

  • EC documentation deficiencies shall be reported in accordance with the Health Care Department Operations Manual, Section 5.1.5, Disability Placement Program and Developmental Disability Program Staff Accountability.

Policy

• California Department of Corrections and Rehabilitation (CDCR) shall maintain a process for the distribution of over-the-counter (OTC) products, as identified in the OTC Products List, to the incarcerated population through the canteen services system.

Purpose

• To ensure all incarcerated persons have access to frequently needed OTC products that have evidence-based utility without cost to the incarcerated person, the need for nurse protocol, or a health care provider’s prescription.

Responsibility

• The Chief Executive Officer and Warden, or their designees, are responsible for implementation, monitoring, and evaluation of this policy and procedure.

• The Director, Corrections Services, California Correctional Health Care Services (CCHCS) shall maintain controlling authority over the parameters of the OTC policy.

• The Systemwide Pharmacy and Therapeutics (P&T) Committee shall maintain controlling authority over the parameters of the OTC procedure.

Procedure Overview

• CDCR shall provide and distribute approved OTC health care products through the canteen services system process.

• This procedure is not intended to limit the patient’s ability to access primary care services by submitting a CDCR 7362, Health Care Services Request Form, or to receive prescribed medications for a condition that may be treated by similar OTC products when necessary.

• All patients housed within CDCR institutions shall have access to approved OTC products regardless of custody level or other demographic identifiers. However, certain exceptions exist for patients admitted to licensed inpatient health care facilities including, but not limited to:

  • Correctional Treatment Centers (CTCs)

  • Skilled Nursing Facilities (SNFs)

  • Psychiatric Inpatient Program (PIP)

  • Mental Health Crisis Beds (MHCBs)

• These exceptions are identified in Section (e)(3)(B). In all other patient areas or levels of care, patient access to OTC products shall only be restricted on an individual, case-by-case basis by health care or custody staff and with appropriate documentation in the health record and on the CDCR 128B, General Chrono, and submitted to the institution’s Trust Office.

Procedure

• Product Procurement and Supply

  • The list of OTC products shall be maintained by the Systemwide P&T Committee.  The current list of approved medicated and non-medicated OTC products is available on the CCHCS Pharmacy Services Lifeline page at:   OTC-Products-List.pdf (sharepoint.com) and on the internet at: https://cchcs.ca.gov/clinical-resources/ under the Related Resources section.

  • Prison Canteen Managers (PCMs) shall ensure adequate stock of OTC products is ordered and available for distribution based on the maximum weekly quantity guidelines. Maximum weekly unit quantities are established by the Statewide Chief, Pharmacy Services, for the OTC products based on the institutions’ weekly product demands which is available on the CCHCS Pharmacy Services Lifeline page at: OTC-Order-Form.xlsx (sharepoint.com).

    • OTC weekly orders shall not exceed the maximum unit quantities established without prior approval from the Statewide Chief, Pharmacy Services, or designee.

    • The PCM shall submit a canteen OTC product order form to the Pharmacist-in-Charge (PIC), or designee, of quantities needed of each OTC product. OTC product ordering shall be conducted on a weekly basis to ensure supply stability.

    • If an institution has a need to adjust their weekly maximum unit quantities, a written exemption justification signed by the institution Warden or designee must be submitted to the Statewide Chief, Pharmacy Services, or designee for approval.

  • The PIC, or designee, shall place the weekly order according to the PCM’s request utilizing the institution OTC program account number and pharmacy OTC ordering template established by the pharmaceutical medical supplier and the Statewide Chief, Pharmacy Services, or designee.

  • The PIC, or designee, shall inform the Statewide Chief, Pharmacy Services, or designee immediately if any discrepancies arise related to the OTC program account numbers, OTC product ordering templates, OTC maximum weekly unit quantities, or any other related discrepancies.

  • If an item is on back order or not available, the PIC, or designee, shall contact headquarters Pharmacy Services who shall work to identify alternate vendors and communicate to the PIC of the outcome.

  • The PIC shall communicate shortages to providers so that a prescription can be ordered for an alternative item if there is a CDCR 7362 request from the patient.

  • If an item needs to be added to the OTC Product List, health care staff shall complete the CDCR 7375, OTC Canteen Request Form, which is available on the CCHCS Pharmacy Services Lifeline Page at: OTC Products (sharepoint.com), for submission and review by the Systemwide P&T Committee.

• Logistics

  • Patients shall access OTC products as a function of normal programming.

  • Patients in the Reception Center shall have access to OTC products through the canteen within 30 calendar days of arrival

  • If a program modification or lockdown is in effect, OTC product access and distribution will be limited in the same manner as established for canteen services, per the CDCR 3022-A, B, C, D, or E, Daily Progress Status Report, for that institution.

• Distribution and Limitations

  • All incarcerated persons shall access OTC products free of charge via normal canteen access.

  • Patients admitted to licensed inpatient health care facilities including, but not limited to, CTC, SNF, PIP, MHCB, shall have access to all non-medicated comfort products only. These specific items are listed within the OTC Product List. All other medicated OTC products shall be provided by Pharmacy Services as ordered by licensed health care providers as appropriate, pursuant to Title 22.

  • Patients shall obtain OTC products through the normal canteen process utilizing the standard canteen pick list which shall include products from the approved OTC Product List.

  • Pick lists shall be made readily available to all patients in all housing areas.

  • Patients shall be allowed to receive up to three OTC products (units) per canteen period but shall not be permitted to receive more than two units of a single OTC product per draw. For example, a patient may receive one unit each of three different products, or two units of the same product and one unit of another product, but not three units of the same product.

  • Patients unable to receive their OTC products during their scheduled canteen draw shall be allowed to receive their allowable OTC products during open line of the current month.

  • Patients in restricted housing units shall have access to OTC products as a function of canteen programming in those units. OTC orders shall be bagged by canteen staff for distribution by custody staff as with any other canteen purchases.

• Custodial Security and Controls and Safety Considerations

  • Proper enforcement of the maximum possession limitations shall rely entirely upon custody cell searches and confiscation of any OTC products in excess of two full units of the same product.

    • OTC products shall be considered a portion of each patient’s personal property and shall not be exempted from the property volume restrictions specified in California Code of Regulations, Title 15, Authorized Personal Property Schedule. OTC products shall be handled/packed as with all other personal property.

    • Custody staff shall not confiscate OTC products within the allowable limitations without a legitimate custodial safety and/or security concern which shall be documented on a CDC 115, Rules Violation Report.

  • Removal of excess packaging, plastics, and containers from OTC products due to security concerns is not permitted, with the exception of patients within a restricted housing environment who are placed on container restriction.

  • OTC products issued through this program and confiscated by custody staff for any reason shall be disposed of by depositing the confiscated products in a standard blue-and-white pharmaceutical waste container. Pharmaceutical waste containers shall be located in appropriate clinical areas, readily accessible to custody staff for this purpose. All products on the approved OTC Product List shall be disposed of in this manner.

• Patient-Specific Restrictions

  • No blanket restriction is to be placed on any portion of the patient population based on nationality, ethnicity, Security Threat Group membership or affiliation, or other overarching considerations. Restriction of access to OTC products shall be on an individual, case-by-case basis only. The only exception is for patients admitted to inpatient health care facilities.

  • The placement and removal of restrictions for any patient’s access to OTC products shall be accomplished via written communication with the institution’s Trust Office.

    • The Trust Office shall provide a current list of all patients with OTC product restrictions upon request by a custody manager. The list shall include the items restricted for each patient for the purposes of conducting custody cell and property searches to enforce any restrictions in place.

    • Patients may be restricted from access to OTC products on the basis of a documented health care concern or a documented custody concern (i.e., safety and security).

    • If a clinician determines that a specific patient does not possess the ability to utilize an OTC product responsibly and safely, they shall document that assessment and restrict that specific patient from access to any OTC products deemed unsafe in their professional opinion.

    • If a clinician with prescribing privileges determines that providing a specific patient an OTC product may pose a health risk to that patient, that clinician shall document that assessment and restrict that specific patient from access to any OTC products deemed unsafe in their professional opinion.

      • These restrictions shall be documented in the health record, on a CDCR 128B, and routed to the Trust Office to enter into the Trust Restitution Accounting and Canteen System (TRACS).

      • Restoration of access to restricted OTC products shall be made by a licensed health care clinician as the result of a documented assessment of the patient. Optimally, this assessment shall include consultation with the clinician who originally established the restrictions.

    • If custody staff places a restriction for safety and security reasons, it must be supported by a guilty finding in a disciplinary hearing for a serious rule violation involving the misuse of an OTC product or its packaging.

      • The disposition of the rule violation shall include a CDCR 128B identifying the specific OTC products to be restricted and routed to the institution’s Trust Office to enter into TRACS.

      • Restrictions on this basis shall remain in effect until restored.

      • Restoration of access to OTC products restricted in this manner shall be initiated by the written recommendation of a custody supervisor (e.g., Correctional Sergeant or Correctional Lieutenant) and shall require review and approval by the facility Captain.

• Required Documentation

  • Pharmacy Services shall maintain data regarding the cost of the OTC program’s procurement of products.

  • The PCM at each institution shall ensure that all OTC product distributions are expediently entered into TRACS.

  • The Inmate Accounting, Sacramento Accounting Services Branch, Office of Fiscal Services designee, shall utilize the data from TRACS and provide a report of all OTC product distribution indicating the total units of each OTC product distributed within the previous canteen period at each institution.

  • The Department of Finance requires the Inmate Accounting, Sacramento Accounting Services Branch monitor the Inmate Welfare Fund (IWF) associated costs with each program or benefit provided by IWF.

  • The distribution of OTC products through the canteen services shall be treated as a separate program/benefit, and shall therefore require separate tracking of all associated costs and revenue by PCMs at each institution.

Policy

• California Department of Corrections and Rehabilitation (CDCR) shall provide and distribute approved reading glasses through the canteen services system process without cost to the patient or a need for a health care provider’s prescription.

Responsibility

• The Chief Executive Officer (health care), Warden, and Regional Health Care Executives, or designees, are responsible for implementation, monitoring, and evaluation of this policy and procedure.

Procedure

• Product Procurement, Logistics, Replenishment, and Issuance

  • Designated health care staff, in coordination with Prison Canteen Managers (PCMs), shall ensure reading glasses are ordered through California Prison Industry Authority (CALPIA) for distribution within the canteen.

  • PCMs shall ensure an adequate stock of reading glasses is available for distribution based on the maximum quantity guidelines established in California Code of Regulations (CCR), Title 15, Authorized Personal Property Schedule.

  • Patients shall access reading glasses as a function of normal programming.

  • The canteen managers shall ensure that a sign, which is provided by CALPIA is installed next to the canteen to allow patients to self-identify which strength they need.

  • Patients in the Reception Center (RC) shall have access to reading glasses through the canteen within 30 calendar days of arrival.

    • Licensed health care staff shall provide patient education regarding reading glasses within the RCs during the initial health screening.

  • If a program modification or lockdown is in effect, access to and distribution of reading glasses shall be limited in the same manner as established for canteen services, per the CDCR 3022-A, B, C, D, and/or E, Daily Progress Status Report, for that institution.

  • If a patient loses canteen privileges as the result of a disciplinary hearing, the patient will not be excluded from obtaining reading glasses. Each institution shall modify their local canteen operation plan to address how patients with a loss of canteen privileges will be provided access to reading glasses through the canteen.

  • All patients shall be allowed to acquire one pair of reading glasses every 12 months free of charge through the normal canteen process by utilizing the standard canteen pick list which shall be made readily available to all patients in all housing areas. A replacement pair of reading glasses shall be provided if loss or damage was not the fault of the patient.

  • Patients unable to receive their reading glasses during their first canteen draw shall be allowed to receive their reading glasses during open line of the current month. A newly arrived patient may, within 30 calendar days of arrival, request a canteen draw at the discretion of the institution.

  • Patients in restricted housing units (e.g., Administrative Segregation Unit, Psychiatric Services Unit, and Security Housing Unit) shall have access to reading glasses as a function of canteen programming in those units.

• Custodial Security, Controls, and Safety Considerations

  • Proper enforcement of the maximum possession limitations, including confiscation of any reading glasses in excess of the maximum possession limitation, shall be enforced via custody cell searches.

    • Reading glasses shall be considered a portion of each patient’s personal property and shall not be exempted from the property volume restrictions as specified in California Code of Regulations, Title 15, Authorized Personal Property Schedule. Reading glasses shall be handled/packed as with all other personal property.

    • Custody staff shall not confiscate reading glasses within the allowable limitations without a legitimate custodial safety and security concern which shall be documented on a CDC 115, Rules Violation Report.

  • No blanket restriction is to be placed on any portion of the patient population based on nationality, ethnicity, Security Threat Group membership or affiliation, or other overarching considerations. Restriction of access to reading glasses shall be on an individual, case-by-case basis only.

  • The placement and removal of restrictions for any patient’s access to reading glasses shall be accomplished via written communication with the institution’s Trust Office.

    • The Trust Office shall provide a current list of all patients with reading glasses restrictions upon request by a custody supervisor (e.g., Correctional Sergeant or Correctional Lieutenant). The list shall include the reading glasses restricted for each patient for the purposes of conducting custody cell and property searches to enforce any restrictions in place.

    • Patients may be restricted from access to reading glasses on the basis of a documented health care concern and a documented custody (i.e., safety and security) concern.

    • If a licensed health care clinician determines that a specific patient does not possess the ability to utilize reading glasses responsibly and safely, the patient shall be restricted from access to any reading glasses deemed unsafe in their professional opinion.

      • These restrictions shall be documented in the health record, on a CDCR 128B, General Chrono, and routed to the Trust Office to enter into the Trust Restitution Accounting and Canteen System (TRACS).

      • Restoration of access to the restricted reading glasses shall be made by a licensed health care clinician as the result of a documented assessment of the patient. Optimally, this assessment shall include consultation with the clinician who originally established the restrictions.

    • If custody places a restriction for safety and security reasons it must be supported by a guilty finding in a disciplinary hearing for a serious rule violation involving the misuse of reading glasses.

      • The disposition of the rule violation shall include a CDCR 128B identifying the reading glasses to be restricted and routed to the institution’s Trust Office to enter into TRACS.

      • Restoration of access to reading glasses restricted for safety and security reasons shall be initiated by the written recommendation of a custody supervisor (e.g., Correctional Sergeant or Correctional Lieutenant) and requires review and approval by the facility captain.

• Tracking Data

  • The PCM shall access data from TRACS related to reading glasses inventory levels and distribution information as needed. The Inmate Accounting, Sacramento Accounting Services Branch, Office of Fiscal Services’ designee, shall utilize the data from TRACS and provide a report of product distribution indicating the total of each product distributed within the previous month or 30-calendar day canteen period for each institution’s records.

Policy

• California Correctional Health Care Services (CCHCS) shall not participate in or allow its employees, independent contractors, or other persons or entities, including other health care providers, to participate in activities under the End of Life Option Act (California Health and Safety Code, Division 1, Part 1.85, Section 443-443.22) on premises owned or under the management or direct control of California Department of Corrections and Rehabilitation (CDCR) or while acting within the course and scope of any employment by, or contract with, CDCR or CCHCS. Consistent with this policy, patients shall not be permitted to access aid-in-dying drugs under the End of Life Option Act. CCHCS shall continue to offer patients end of life care including counseling, hospice, and palliative care.

Responsibility

• The Chief Executive Officer, or designee, is responsible for the implementation, monitoring, and evaluation of this policy.

Policy

• Protected Health Information (PHI) maintained by California Correctional Health Care Services (CCHCS) is private and confidential. CCHCS workforce members may not use or disclose PHI, except as permitted or required by this chapter or as otherwise permitted or required by law.

Purpose

• To provide guidance regarding general use and disclosure of PHI.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for the general use and disclosure of PHI.

• CCHCS workforce members shall report incidents of inappropriate disclosure of PHI to the CCHCS Office of Information Security Office (ISO) via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.

Use and Disclosure of PHI

• Use and Disclosure of PHI at Patient or Personal Representative Request

  • CCHCS workforce members may use or disclose PHI to the patient or the patient’s personal representative when requested pursuant to the HCDOM Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.

• Use and Disclosure of PHI for Treatment, Payment or Health Care Operations (TPO) Purposes

  • CCHCS workforce members may use or disclose PHI without patient authorization as follows:

    • For TPO activities related to CCHCS patients.

    • To communicate with or notify a patient’s family member or others involved in the patient’s care if the disclosure is in the best interest of the patient and it can be reasonably inferred the patient does not object.

    • To an entity conducting research, provided that the research has been approved by the California Health and Human Services Agency Committee for the Protection of Human Subjects or a legally authorized institutional review board or a privacy board as set forth in Health Insurance Portability and Accountability Act, Section 164.512(i).

    • To another covered entity (health care organization) or health care provider for its payment activities.

    • To another covered entity for its health care operations activities if CCHCS workforce members and the other covered entity have or had a relationship with the patient who is the subject of the PHI being requested, and the disclosure includes, but is not limited to, conducting the following:

      • Quality assessments and improvement activities, including developing clinical guidelines.

      • Competency assessments during practitioner and provider performance evaluations.

      • Approved health care fraud and abuse detection or compliance by CCHCS or another federal or state agency.

  • CCHCS workforce members shall process routine requests for all or a subset of patients’ PHI pursuant to the HCDOM, Sections 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information, and 2.3.4, Release of Protected Health Information.

  • Requests to access mental health records may be denied when:

    • A licensed health care professional determined that access could endanger the life or physical safety of the patient or another person.

    • The request is made by the patient’s representative, and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the patient or another person.

    • The report would be made to the patient’s representative, and the state entity determines the patient’s representative may be responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the patient.

    • For more information regarding the privacy and confidentiality of mental health records, contact m_MHPolicyUnit@cdcr.ca.gov.

• Use and Disclosure of PHI for Non-TPO Purposes

  • CCHCS workforce members shall not use or disclose PHI for non-TPO purposes unless the disclosure is pursuant to a valid written authorization from the patient or the personal representative of the patient, or meets an exception in one of the following HCDOM, Sections:

  • 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization

  • 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions

  • 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets

  • 2.2.9, Business Associate Use and Disclosure of Protected Health Information

  • 2.2.13, Handling Protected Health and Personally Identifiable Information

• Requirements for Use and Disclosures of Specially Protected Health Information

  • Specially Protected Health Information as defined in California’s Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information, is subject to further limitations pursuant to the HCDOM, Sections 2.3.4, Release of Protected Health Information, and 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.

• Third Party or Media Inquiries

  • CCHCS workforce members shall not use or disclose PHI pursuant to the HCDOM, Section 2.2.13 Handling Protected Health and Personally Identifiable Information.

• Health Records Disclosure

  • Disclosure of all or part of a patient’s health record shall be performed pursuant to the HCDOM, Chapter 2, Article 3, Health Information Management.

Policy

Purpose

• To authorize specific uses or disclosures of PHI based on patient’s authorization and to identify applicable requirements for such patient authorizations.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.

When Patient Authorization is Required

• As outlined in detail in the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain treatment, payment, or health care operations activities. In addition, privacy law permits the release of PHI without a patient’s authorization pursuant to specific exceptions outlined in the HCDOM, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exceptions, or pursuant to a Business Associate Agreement as provided in the HCDOM, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information. CCHCS workforce members shall require a signed authorization for all other uses and disclosures of PHI.

• Disclosure of the Health Record

• Health Information Management (HIM) is the custodian of the health record and shall have the sole authority to disclose the health record, in whole or in part, pursuant to patient authorization.

• Valid Authorizations

  • A patient’s or their personal representative’s authorization is considered valid if it contains at least the following elements:

    • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

    • The name or other specific identification of the person(s) authorized to make the requested use or disclosure.

    • The name or other specific identification of the person(s) to whom CCHCS may make the requested use or disclosure.

    • A description of each purpose of the requested use or disclosure and the specific uses and limitations on the use of the health information by the persons or entities authorized to receive it.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.

    • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure after which disclosure is no longer authorized.

    • A signature which serves no other purpose than to execute the document and date.  If the authorization is signed by a personal representative of the patient, a description of such representative’s authority to act for the individual must also be provided.

    • A statement that the patient has the right to revoke the authorization in writing and a description of how the individual may revoke the authorization.

    • A statement that CCHCS may not condition treatment on whether the patient signs the authorization.

    • A statement concerning the potential for the information disclosed to be subject to redisclosure by the recipient and no longer protected by applicable federal and state law.

    • A statement advising the patient of their right to receive a copy of the authorization.

    • The authorization must be in writing in at least 14-point type and must be clearly separate from any other language present in the same document.

  • The CDCR 7385, Authorization for Release of Protected Health Information, satisfies the above requirements and is the preferred form for disclosures pursuant to patient authorization.  Other authorization forms are disfavored but may be accepted if they conform to all the requirements listed above in section (d)(3)(A)1. through 11.

  • An authorization is considered defective and invalid if any material information in the authorization is known to be false by CCHCS or its workforce members or if any of the following defects exist:

    • The expiration date has passed.

    • The authorization has not been filled out completely or lacks a required element.

    • The authorization is known to have been revoked.

• Authorization for Specially Protected Health Information

• A valid written authorization to disclose specially protected health information shall be obtained before making such a disclosure.  Each specific type of specially protected health information disclosure requires a separate authorization and cannot be combined with an authorization requesting general health information.  Further information regarding specially protected health information including any exceptions can be found in the HCDOM Section, 2.3.4, Release of Protected Health Information.

• Revocation or Restriction of Authorization

  • A patient may revoke an authorization at any time in writing.  No such revocation shall apply to information already released while the authorization was valid and in effect.

  • Patients have the opportunity to agree or object to certain or specific uses and disclosures of their health information.

  • Exception: Alcohol and drug treatment participants may verbally revoke authorization to disclose information obtained from alcohol and drug treatment programs. Verbal authorizations and revocations must be documented and maintained in the health record.

• Verification of Individuals Receiving Information.

• Information about a patient may only be disclosed pursuant to a written authorization after verifying the identity of the person receiving the information.

Policy

Purpose

Responsibility

• The Chief Privacy Officer (CPO) shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI, PII, and HRCI maintained by CCHCS and is responsible for recommending sanctions for violations of privacy and information security laws, regulations, or policies.

• The Hiring Authority (HA) is responsible for imposing appropriate sanctions and informing the CPO of the sanction imposed.

• CCHCS workforce members shall safeguard PHI, PII, and HRCI against improper uses or disclosures and supervisors are responsible for assuring workforce members who have access to PHI, PII, and HRCI are informed of their responsibilities.

Procedure

• Sanctions and Penalties

  • The CPO shall consult with the Chief Information Security Officer, Performance Management Unit manager, HA, and CCHCS Office of Legal Affairs Privacy Attorney after fact-finding to make a recommendation regarding sanctions and progressive discipline.

  • CCHCS shall apply appropriate sanctions against workforce members who fail to comply with privacy and security laws, regulations, or policies, which include, but are not limited to, improperly viewing, using, disclosing, or allowing access to health information, failing to report a known breach, or reporting a privacy or information security incident in bad faith or for malicious reasons.  Sanctions shall be determined in accordance with civil service and departmental progressive discipline laws, regulations, and policies and shall be appropriate to the severity of the violation, up to and including termination.

  • Depending on the severity of the violation, law enforcement notification may be required.  Workforce members may be charged with a misdemeanor or incur fines and civil penalties, depending on the economic loss to the patient and the degree of malice.

• Confidentiality and Record Keeping of Privacy and Security Violations

  • All deliberations of privacy or security violations may be subject to a claim of exemption under the Public Records Act regardless of level. Deliberations shall be treated confidentially for both the workforce member and the patient whose protected confidential information is impacted. For all violations, all supporting documentation shall be stored in a confidential electronic file in the Privacy Office (PO).

  • All confirmed violations shall be tracked by the PO in the Disclosure Log for PHI or PII.

  • CCHCS is responsible for documenting any sanctions that were applied and maintaining the documentation for a minimum of six years.

Policy

• California Correctional Health Care Services (CCHCS) and its workforce shall make reasonable efforts to limit the use, access, request, and disclosure of Protected Health Information (PHI) to the minimum necessary to accomplish the intended purpose.  CCHCS shall determine what access to PHI is relevant and necessary by workforce members to carry out job duties.

Purpose

• To ensure CCHCS workforce members have appropriate access to PHI and only use, request, or disclose the minimum necessary PHI required to accomplish the missions, goals, and objectives of CCHCS while maintaining compliance with privacy and related health information law.

Responsibility

• The Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.

When Minimum Necessary Uses or Disclosures of PHI Applies

• Unless an exception set forth in this policy applies, CCHCS workforce members may only use, access, request, and disclose the minimum amount of PHI necessary to perform their duties including the fulfillment of a request for the use or disclosure of PHI.

  • Uses or disclosures of entire health records

    • CCHCS workforce members shall not use, access, request, or disclose a patient’s entire health record except when use or disclosure of the entire health record is specifically justified as reasonably necessary to accomplish the use, request, or disclosure.

  • Routine and recurring disclosures

    • CCHCS program areas shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure or in order for staff to fulfill their job duties.

  • Non-routine disclosures

    • CCHCS program areas  shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure . Requests for non-routine disclosures shall be reviewed on an individual basis in accordance with such criteria.

• Reasonable Reliance

  • CCHCS workforce members may rely on the judgment of the party requesting a disclosure in determining the minimum amount of information that is needed when:

  • Making disclosures to public officials pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions, if the public official represents that the PHI requested is the minimum necessary for the stated purpose.

  • The information is requested by another covered entity.

  • The information is requested by a professional who is a member of the CCHCS workforce or is a CCHCS business associate for the purpose of providing professional services if the professional represents that the information requested is the minimum necessary for the stated purpose.

• Role Based Access and Use

  • CCHCS program areas shall establish role-based access controls that provide only the minimum amount of information necessary for workforce members to perform their job duties.  CCHCS program areas shall safeguard information accessible by computer, information kept in files, or other forms of information consistent with CCHCS policy.

When Minimum Necessary Uses or Disclosures of PHI Does Not Apply

• Disclosures to or requests by a health care provider for treatment.

• Disclosures to the patient who is the subject of the information.

• Uses and disclosures based upon a valid authorization to use and disclose PHI, limited to the scope of what is covered by the authorization.

• Uses and disclosures required for compliance with the Health Insurance Portability and Accountability Act Administrative Simplification Rule.

• Disclosures to the Secretary of the U.S. Department of Health and Human Services when disclosure of information is required under the Privacy Rule for enforcement purposes.

• Uses or disclosures required by law.

Policy

• California Correctional Health Care Services (CCHCS) shall take steps to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII) from intentional or unintentional violation of federal and state privacy laws and CCHCS privacy policies.

Purpose

• To specify the safeguards required to minimize the risk of unauthorized access, use, or disclosure of PHI and PII.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with laws, policies, and standards for protecting the privacy rights of individuals.

Safeguards

• CCHCS workforce members shall take all necessary precautions to safeguard PHI and PII pursuant to the State Health Information Policy Manual and the Statewide Information Management Manual Chapter 5300.

• All CCHCS workforce members with assigned job duties requiring the access, use, or disclosure of PHI shall apply administrative, technical, and physical safeguards to protect PHI.

• Each program shall have information technology (IT) and information security controls to safeguard PHI and PII, including administrative, technical, and physical controls.

• CCHCS programs shall conduct internal reviews periodically to evaluate the effectiveness of these safeguards.

Specific Safeguarding Procedures

• Paper Practices

  • CCHCS workforce members shall be educated on the risks of creating paper documents and how they shall be used, handled, shared, stored, and destroyed.

  • Each CCHCS program shall ensure all paper documents including those awaiting disposal or destruction in locked desk-site containers, storage rooms, centralized waste and shred bins, or other storage devices are labeled, disposed of regularly, and secured through reasonable measures to prevent unauthorized access.

  • Each CCHCS program shall ensure that shredding of paper documents is performed on a timely basis consistent with record retention requirements.

• Verbal Practices

  • CCHCS workforce members shall take reasonable steps to protect the privacy of all verbal exchanges or discussions of PHI and PII regardless of where the discussion occurs.

    • CCHCS workforce members shall provide only the minimally necessary verbal information to fulfill their job functions.

  • Each CCHCS program shall use enclosed offices or interview rooms to verbally exchange PHI and PII if available.

    • In open office environments, incidental use or disclosure is not considered a privacy violation if CCHCS workforce members have complied with the reasonable safeguards and minimum necessary requirements.

    • Each CCHCS program shall ensure workforce members are educated on the potential for inadvertent verbal disclosure of PHI and PII.

• Visual Practices

  • CCHCS workforce members shall ensure PHI and PII are adequately shielded from unauthorized visual disclosure.

  • CCHCS programs and workforce members shall use best practices to ensure that PHI and PII in any visual medium such as photos, videos, images, or documents displayed on computer screens are not visible to unauthorized persons.

• Electronic Practices

  • Format of PHI and PII (e.g., databases, email, phone, fax) shall be protected through IT-related controls. 

  • CCHCS workforce members shall be assigned to electronic groups that provide access only to the minimum necessary information to fulfill their job functions.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may use or disclose Specially Protected Health Information (PHI) as permitted or required by the special exceptions specified in this policy and the Statewide Health Information Policy Manual (SHIPM), Section 2.3.0, Specially Protected Information.

Purpose

• To provide guidance on certain uses or disclosures of PHI based on specified exceptions in the law authorizing disclosure of PHI without patient authorization.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy including privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

Use and Disclosure of PHI

• General Rules

  • As outlined in the Health Care Department Operations Manual  (HCDOM), Section 2.2.1, General Use and Disclosure of Protected Health Information and the HCDOM, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain Treatment, Payment or Health Care Operations (TPO) activities, pursuant to and in compliance with a valid patient authorization, without a patient’s authorization pursuant to the specific exceptions in this policy, or as otherwise specifically permitted or required by law.

• When Patient Authorization is not Required

  • PHI may be used or disclosed without a valid authorization pursuant to an exception required or permitted by law.  All disclosures of health records under this policy shall be performed by Health Information Management (HIM) workforce members in accordance with HIM policies and procedures including requirements related to tracking of disclosures.

  • CCHCS workforce members may use or disclose PHI without patient authorization for reasons other than for TPO including, but not limited to:

    • PHI when required to do so by federal, state, or local law.

    • When the use or disclosure is otherwise specifically permitted by law including, for example, the voluntary reporting to the U.S. Food and Drug Administration of adverse events related to drug products or medical device problems.

    • A coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or conducting other duties authorized by law pursuant to the SHIPM, Section 2.2.1, Decedents.

    • Health oversight activities authorized by law, including audits; civil, criminal, or administrative investigations, prosecutions, or actions; and licensing or disciplinary actions.

    • Judicial or administrative proceedings, in response to an order of a court, a valid subpoena, search warrant, or other lawful process unless prohibited or otherwise limited by federal or state law applicable to the program or activity requirements.

    • Limited law enforcement purposes, to the extent authorized by applicable federal or state law, CCHCS workforce members may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death because of criminal conduct; and provide information which constitutes evidence of criminal conduct on CCHCS premises.

    • Organ procurement organizations or other entities engaged in procuring, banking, or transplantation of cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

    • A local health department for the purpose of preventing or controlling disease, injury, or disability including, but not limited to, the reporting of disease, injury, vital events, including death, and the conduct of public health surveillance, public health investigations, and public health interventions as authorized or required by federal or state law or regulations.

    • Entities providing mere courier services without requiring routine access to such PHI, e.g., the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers providing mere data transmission services.

Policy

• California Correctional Health Care Services (CCHCS) shall provide patients’ rights related to the use and disclosure of their Protected Health Information (PHI) and Personally Identifiable Information (PII) as outlined in this policy.

Purpose

• To provide guidance with respect to the privacy rights of patients regarding the use and disclosure of their PHI and PII.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI and PII maintained by CCHCS.

• CCHCS program areas shall ensure that procedures are developed and consistent with this policy while also ensuring workforce member compliance.

Patient Privacy Rights

• Right to Access PHI and PII

  • CCHCS and Business Associates (BA) shall provide patients with access to inspect, review, and obtain a copy of their PHI and PII in their health record for as long as they are maintained in the health record except for when:

    • Compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding.

    • Determined by the patient’s mental health provider to present a substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving a copy of the requested records. Such a denial of access is subject to procedures set forth in the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 3, Health Information Management.

    • Protected by attorney work-product privilege.

    • Endangering the health, safety, security, custody, or rehabilitation of the individual or of other patients or the safety of any officer, employee, other person at the correctional institution, or individual responsible for the transporting of the patient.

    • Prohibited by law.

  • For access purposes, patient representatives are treated in the same manner as the patient, except if CCHCS is aware the patient has been or may be subject to domestic violence, abuse, neglect, or other endangerment by the individual and CCHCS decides it is not in the best interest to do so.

  • Information about a patient’s right to access specially protected health information can be found in the Statewide Health Information Policy Manual (SHIPM) Section, 2.3.0, Specially Protected Information.

  • Workforce members shall follow procedures pursuant to the HCDOM, Section 2.3.4, Release of Protected Health Information, when responding to a patients’ request to access their health record.

• Right to Amend PHI and PII

  • A patient or patient’s representative may request any portion of the patient’s health record to be changed, corrected, or amended by CCHCS.

    • All requests for amendments shall be made in writing and submitted to Health Information Management (HIM) staff at the patient’s institution by utilizing the CDCR 7236, Request to Amend Health Records.

    • CCHCS is not obligated to agree to an amendment and may deny requests or partially accept amendments.

    • The patient or patient’s representative may file a statement of disagreement if they do not agree with the denial or partial approval of their request.

      • CCHCS shall prepare and provide a written rebuttal to the patient or patient’s representative to the statement of disagreement.

  • Workforce members shall follow procedures pursuant to the HCDOM Section 2.3.16, Patient’s Right to Amend Health Record, when responding to a patient’s request to amend their health record.

• Right to Request an Accounting of Disclosures

  • Patients have the right to request and receive an accounting of disclosures CCHCS has made of their PHI for up to six years prior to the date of requesting such accounting.  CCHCS shall account for all disclosures of PHI except for disclosures:

    • To carry out Treatment, Payment, or Health Care Operations (TPO) activities.

    • Made to the patient.

    • Authorized by the patient.

    • To persons involved in the patient’s care.

    • For national security or intelligence purposes.

    • Made to correctional institutions or law enforcement officials having lawful custody of a patient.

    • Made as part of a Limited Data Set (LDS) pursuant to the HCDOM, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets.

  • Patients have the right to receive an accounting of disclosures CCHCS has made of their non-medical PII for up to three years after the disclosure or until the disclosed information is destroyed, whichever is shorter.  CCHCS shall account for all disclosures of PII except for disclosures:

    • Made to the patient or the patient’s duly appointed guardian, representative, or conservator.

    • Authorized by the patient.

    • To CCHCS workforce members where disclosure is necessary for the performance of official duties and is related to the purpose for which the information was acquired.

    • Pursuant to the California Public Records Act.

    • Made as part of a LDS pursuant to the HCDOM, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets.

  • Workforce members shall follow procedures pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information, when responding to a patient’s request for an accounting of disclosures.

• Right to Request a Restriction on Uses and Disclosures of PHI and PII

  • Patients have the right to request restrictions on the uses and disclosures of their PHI and PII while carrying out TPO activities.  All requests shall be submitted in writing.

  • CCHCS is not obligated to agree to a restriction and may deny the request or agree to a restriction more limited than the patient requested.  HIM staff shall be responsible for receiving and processing any requests for restriction.

• Right to Request Confidential Communication

  • CCHCS shall ensure confidential communications to the patient are made at the appropriate patient location within a CDCR facility. Patients have a right to request to receive confidential communications related to health information by alternative means or at an alternative location under the following conditions:

    • The confidential communication can be accommodated after considering the need to maintain the safety and security of patients or staff and the safety and good order of the institution.

    • The request is provided in writing.

    • An alternative address or other method of contact is provided.

    • Information as to how payment, if any, shall be handled.

  • Any written requests received shall be forwarded to HIM for processing.

  • CCHCS and BAs shall communicate the request for confidential communication within two business days of the request to each other.

  • CCHCS shall not ask for an explanation from the patient as to why the request is being made, as an explanation is not required. The request cannot be denied solely because an explanation was not given.

  • Workforce members shall follow procedures pursuant to SHIPM, Section 5.5.2, Confidential Communication when responding to a patient’s request for confidential communication.

Notice to Patients of Privacy Rights

• The requirements of the Code of Federal Regulations, Title 45, Section 164.520(a)(3) do not apply to CCHCS patients. CCHCS is not required to provide a Notice of Privacy Practices to patients.

• CCHCS notifies patients of their privacy rights in various ways including, but not limited to, notices in the clinics, law libraries, and the CCHCS Patient Orientation to Health Care Services handbook.

• Right to File Complaints

  • Patients may object to specific uses and disclosures of their health information through the health care grievance process.

  • Patients have the right to submit complaints if they believe their PHI or PII has been improperly used or disclosed or if they have concerns regarding compliance with the CCHCS privacy policies. Such complaints may be filed through the health care grievance process.

  • Patients have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services if they believe there has been non-compliance with the Health Insurance Portability and Accountability Act or other applicable law. This right cannot be waived.  CCHCS is prohibited from requesting that a patient waive this right for any reason, including as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may use and disclose health information as appropriate without authorization if CCHCS workforce members or another entity has taken steps to de-identify the health information consistent with the requirements and restrictions of this policy unless restricted or prohibited by federal or state law. CCHCS workforce members may use or disclose a Limited Data Set (LDS) if a Data Use Agreement (DUA) is obtained.

Purpose

• To provide guidance regarding standards under which patient information may be used and disclosed after information that can identify a person has been removed or restricted to an LDS.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of Protected Health Information (PHI) maintained by CCHCS.

De-Identification of Patient Information

• Requirements

• Patient health information is sufficiently de-identified so it cannot be used to identify the patient only if:

  • Done by CCHCS workforce members with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

    • Applying such principles and methods, determines that there is minimal risk the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.

    • Documents the methods and results of the analysis that justify such determination.

  • CCHCS workforce members have ensured the following identifiers of the patient or of relatives, employers, and household members of the patient are removed:

    • Names.

    • All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes.  However, the initial three digits of a zip code may remain on the information if, according to current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contain more than 20,000 people; and the initial three digits for all such geographic unit containing 20,000 or fewer people is changed to 000.

    • All elements of dates (except year) directly relating to the patient, including birth date, dates of admission and discharge from a health care facility, and date of death.  For persons aged 90 and older, all elements of dates (including year) that would indicate such age must be removed, except that such ages and elements may be aggregated into a single category of “aged 90 or older.”

    • Telephone numbers.

    • Fax numbers.

    • Electronic mail addresses.

    • Social security numbers.

    • Health record numbers.

    • Health plan beneficiary numbers.

    • Account numbers.

    • Certificate or license numbers.

    • Vehicle identifiers and serial numbers, including license plate numbers.

    • Device identifiers and serial numbers.

    • Web URLs.

    • IP address numbers.

    • Biometric identifiers including fingerprints and voiceprints.

    • Full face photographic images and any comparable images.

    • Any other unique identifying number, characteristic, or codes, except as permitted under section (d)(2)(A) and (B).

  • CCHCS workforce members have no actual knowledge the information could be used alone or in combination with other information to identify the patient who is the subject of the information.

• Re-identification

  • CCHCS workforce members may assign a code or other means of record identification to allow information de-identified under this policy to be re-identified provided that:

  • The code or other means of record identification is not derived from or related to information about the patient and cannot otherwise be translated to identify the patient.

  • CCHCS workforce members do not use or disclose the code or other means of record identification for any other purpose and does not disclose the mechanism for re-identification.

Use of Limited Data Sets

• Contents of a Data Use Agreement

  • CCCHCS workforce members may disclose an LDS only if the receiving entity enters a written DUA agreement with CCHCS.  A DUA is to ensure such entity shall use or disclose the PHI only as specified in the written agreement and it is only for the purposes of research, public health, or health care operations.  A DUA between CCHCS and the recipient of the LDS must:

  • Specify the permitted uses and disclosures of such information by the LDS recipient.  CCHCS workforce members shall not use the DUA to authorize the LDS recipient to use or further disclose the information in a manner that would violate the requirements of this policy.

  • Specify who is permitted to use or receive the LDS.

  • Specify that the LDS recipient shall:

    • Not use or further disclose the information other than as specified in the DUA or as otherwise required by law.

    • Use appropriate safeguards to prevent use or disclosure of the information other than as specified in the DUA.

    • Report to CCHCS when the recipient becomes aware of any use or disclosure of the information not specified in its DUA with CCHCS.

    • Ensure any CCHCS workforce members to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient with respect to such information.

    • Not identify the information or contact the patient whose data is being disclosed.

• Compliance

  • CCHCS workforce members are in compliance with the LDS standard if they are aware of a pattern of activity or practice of the LDS recipient that constitutes a material breach or violation of the DUA and takes reasonable steps to cure the breach or end the violation. If CCHCS workforce members are unable to cure the breach or end the violation, they shall:

  • The Privacy Office shall report the problem to the Secretary of the U.S. Department of Health and Human Services.

Policy

• California Correctional Health Care Services (CCHCS) is permitted to disclose Protected Health Information (PHI) to a business associate (BA) when CCHCS enters into a written Business Associate Agreement (BAA) with the BA.

Purpose

• To specify when CCHCS may disclose a patient’s PHI to a CCHCS BA and provisions that shall be included in CCHCS contracts requiring a BAA.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and facilitate annual review to comply with privacy laws, policies, and standards respecting the privacy rights of individuals, and shall collaborate with the CCHCS Office of Legal Affairs (COLA) and elevate to executive leadership to decide on matters of organizational risk.

Procedure

• Use and Management of Business Associate Agreements

  • The current approved version of the CCHCS BAA shall be distributed to contracting units and posted on the intranet.

  • When another state agency, another entity, or a contracted organization requests access or use of PHI, the CCHCS programs shall notify the Privacy Office (PO), and the applicable CCHCS programs, such as, Direct Care Contracts Section, Acquisitions Management Services, Information Technology Services Division, Healthcare Invoicing Section, and Health Information Management.

  • The CCHCS program shall:

    • Execute the BAA.

    • Track and log all executed contracts that contain a BAA.

    • Send a report of all contracts, Data Sharing Agreements (DSAs), or Memorandum of Understandings (MOUs) containing BAAs to the PO on a quarterly basis or as required for operational need.

  • The PO shall:

    • Maintain a current list of all contracts, DSAs, and MOUs containing BAAs.

    • Generate a current list upon request, based on contracting unit updates.

  • When CCHCS enters into an agreement with another government entity, CCHCS may fulfill the BAA requirement through an Interagency Agreement, MOU, or DSA that contains terms that accomplish the objectives of a BAA.

  • A BAA, DSA, or MOU shall be executed prior to exchange, access, use, disclosure, movement, or storage of PHI.

• CCHCS Responsibilities Prior to Disclosure of PHI

  • Prior to disclosing PHI, CCHCS shall:

    • Enter into written agreements with the contractors who access PHI as part of the services they are providing. The agreement shall fulfill the minimum requirements of a valid BAA or comparable DSA and obligations of a BA regarding the privacy, security, and administrative activities relating to health information.

    • Ensure written agreements safeguard electronic health information created, received, maintained, or transmitted to or by other organizations on behalf of CCHCS, and provides protections for electronic health information as for any other health information shared.

  • The current published version of the CCHCS BAA shall be used as the primary document when contracting with a BA.

    • The CPO, in consultation with COLA, may consider a BA’s proposed alternative language within the current published version of the BAA if the proposed language does not violate CCHCS or state privacy policy.

    • Only if the CCHCS BAA is not agreed to in Sections (d)(2)(B) or (d)(2)(B)(1), an alternate form of a BAA, such as the third party’s BAA, may be used following a legal review and recommendation by COLA.

  • CCHCS shall utilize the CDII-approved BAA template when conducting business with a No View Host Services Provider or a Cloud Services Provider.

• Exceptions to the Requirement to Execute a Business Associate Agreement

  • For BA functions required by law, including, but not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, technology services, financial services and similar services, CCHCS may disclose the minimum PHI necessary to comply with the legal mandate without meeting the requirements of a BA contract.  The CCHCS program in consultation with COLA shall attempt in good faith to obtain satisfactory assurances that the BA shall protect health information to the extent required by a CCHCS BAA.  If such an attempt fails, CCHCS shall document the attempt and the reasons that such assurances cannot be obtained.

  • A BAA is not required between CCHCS and the subcontractors of a BA when a valid CCHCS BAA is maintained.

  • The following situations may still require an agreement containing the requirements of this policy when CCHCS discloses PHI:

    • Based on a patient’s or patient representative’s authorization.

    • To a health care provider concerning the treatment of an individual.

    • As a plan sponsor to the extent that CCHCS is acting in the capacity of a group health plan as defined in the Health Insurance Portability and Accountability Act of 1996.

    • To a government agency to determine eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent such activities are authorized by law.

    • To a covered entity participating in an organized health care arrangement that performs the function or activity of a BA to or for such organized health care arrangement by virtue of such contracted activities or services.

    • To a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to CCHCS and does not require access on a routine basis to such PHI.

    • Or patient information such as personally identifiable information.

    • Or health information that is de-identified in accordance with the Health Care Department Operations Manual (HCDOM), Section 2.2.8, De-identification of Patient Information and Use of Limited Data Sets Policy.

• CCHCS Responsibilities Post Execution of Business Associate Agreements

  • CCHCS’ responsibilities include, but are not limited to:

    • Receiving, logging, and reporting a patient’s complaints regarding the uses and disclosures of PHI by the BA.

    • Receiving, logging, and reporting notices from the BA of possible violations of the BA contract.

    • Instructing the BA on the process to notify CCHCS if or when any violations of law, policy, or contract occurs.

    • Monitoring BA performance to detect and ensure that the BA is not engaged in a pattern or practice that violates their obligations under the BAA.

    • Implementing corrective action plans, as needed.

    • Mitigating, if necessary, known violations up to and including contract termination.

    • Coordinating any requested changes to a health record with the BA pursuant to HCDOM Section 2.3.16, Patient’s Right to Amend Health Record.

    • Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to the BA within two business days of the request.

    • Conducting risk analyses and risk assessments to:

      • Identify, evaluate, and include any risks from BA relationships from the PO’s risk analysis.

      • Include in the CCHCS-wide risk assessment any risks identified from a specific BA relationship.

      • Verify and document BA adherence with privacy and security protocols required by law and the State Health Information Policy Manual quarterly.

  • CCHCS shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of Health and Human Services (HHS) as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits when CCHCS is a BA of another covered entity.

• Business Associate Responsibilities Post-Execution of Business Associate Agreements

  • BA responsibilities shall include, but are not limited to:

    • Transmitting data as permitted in the BAA and in compliance with:

      • Federal and state laws and regulations for Health Information Exchange, if applicable.

      • HCDOM Section 2.3.5, Health Information Exchange, if applicable.

    • Providing a patient with access or a copy, which may be in an electronic form, or granting or transmitting access or a copy to a person or entity designated by a patient’s request to a BA for access to, or a copy of, PHI about the patient.

    • Documenting, tracking, and accounting for all disclosures and respond to a patient’s request for an accounting of disclosures of PHI.  The BA shall respond to accounting of disclosure requests to CCHCS or to the patient (at the direction of CCHCS) within 14 calendar days, and include information related to such disclosures, in accordance with Code of Federal Regulations, Title 45, Section 164.528.

    • Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to CCHCS within two business days of the request.

    • Adhering to a patient’s request regarding confidential communications and restrictions on use and disclosure when received directly from the patient or from CCHCS on behalf of the patient.

    • Notifying CCHCS if there is a violation of law, policy, or contract resulting in a breach or security incident no later than 24 hours after detection. Notification shall be made pursuant to the HCDOM Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

    • Adhering to privacy and security protocols required by the BAA.

    • Identifying and informing CCHCS of the results of any risk analysis or assessment conducted by the BA that impacts its adherence to the BA’s obligations under the BAA.

  • The BA shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of HHS as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits.

• Business Associate Non-Compliance

  • If CCHCS becomes aware of a material breach or violation of a BAA or other arrangement, CCHCS shall take reasonable steps to mitigate the breach and end the violation. This may include providing consultation to the BA, terminating the BAA or agreement, and reporting the problem to the Secretary of the U.S. Department of HHS.

• Updating Business Associate Agreements for Changes in Federal and State Laws

  • When changes occur in federal or state law that affect the requirements in the BAA or impact the obligations of a BA, the PO shall:

    • Revise the CCHCS BAA template.

    • Determine if an amendment is required to existing contracts that contain the prior version of the CCHCS BAA.

  • CCHCS contracting units shall coordinate the execution of the revised BAA with current vendors.

• Business Associate Training Requirements and Contact Information

  • Any BA staff who will require access to CCHCS systems or PHI to perform their function or activities under a contract or agreement shall complete information security and privacy awareness training prior to being granted access pursuant to as required by law.

  • For questions or clarification, please contact: CCHCSPrivacyOffice@cdcr.ca.gov or 1-877-974-4722.

Policy

• Personally Identifiable Information (PII) maintained by California Correctional Health Care Services (CCHCS) is private and confidential.  CCHCS workforce members shall use PII to conduct business in compliance with federal and state law.

• CCHCS workforce members shall not use or disclose PII except as permitted or required by this chapter or as otherwise permitted or required by law.

Purpose

• To provide guidance to CCHCS workforce members regarding the use and disclosure of PII.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy rights laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

• CCHCS workforce members shall report incidents of inappropriate disclosure of PII to the CCHCS Office of Information Security via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.

General Use and Disclosure of PII

Information Collection and Minimum Necessary Use of PII

Third Party or Media Inquiries

• CCHCS workforce members shall not use or disclose PII pursuant to the HCDOM, Section 2.2.13, Handling Protected Health and Personally Identifiable Information.

Policy

• California Correctional Health Care Services (CCHCS) shall identify, investigate, and mitigate privacy incidents, provide notices when necessary to those affected and report breaches to California Department of Corrections and Rehabilitation (CDCR) and CCHCS’s oversight agencies as required by federal and state law.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and assist in reporting privacy incidents and breaches under applicable federal and state laws, regulations, and requirements in the Health Care Department Operations Manual.

• Privacy incidents and breaches originating from CDCR activities including, but not limited to, the CDCR Undersecretaries and offices that report to the CDCR Secretary, shall be referred to the CDCR CPO for fact-finding, analysis, intake, and response.

• Privacy incidents and breaches which involve CDCR and CCHCS shall be cooperative and both entities shall coordinate fact-finding, analysis, intake, and response.

Procedure for Reporting Privacy Incidents

• CCHCS workforce members shall:

  • Report all privacy incidents to the CCHCS Office of Information Security (OIS) within 24 hours of when an incident occurs or is discovered.

  • Document all details on the CCHCS Information Security Incident Report (ISIR) found on Lifeline, under Information Technology, OIS.

  • Ensure all instructions listed on the ISIR are followed by documenting incidents in plain language and include the following reporting requirements:

    • The name and contact information of the reporting individual.

    • A list of the types of confidential information reasonably believed to be the subject of an incident.

    • The date or estimated date range when the incident occurred.

    • The date the incident was discovered.

    • A general description of the incident.

    • Identification of any CCHCS program areas that may have information regarding the incident which may assist the investigation and fact-finding.

    • Efforts to mitigate harm and any additional steps taken to prevent further disclosure or future occurrences.

    • The number of patients or individuals affected by the potential disclosure and number of individuals who potentially received the information.

    • The date the ISIR is submitted to OIS.

  • Submit the ISIR via email to the CCHCS OIS who shall review the ISIR, conduct an initial assessment, and assign a case number to the incident.

    • The CCHCS OIS shall forward any ISIRs that document privacy incidents to CCHCSPrivacyOffice@cdcr.ca.gov.

• Privacy Incident and Breach Management

  • Protocol for Escalation, Internal Reporting, and Response

    • The CPO notifies executive management via email at the onset of an incident, during the incident, and upon conclusion of the incident as warranted.

    • An Incident Response Team (IRT) shall be assembled by the PO to ensure the incident is addressed in the most expeditious and efficient manner. An IRT shall respond to an incident and may include:

      • The CCHCS CPO, or designee, to act as the Escalation Manager and coordinate the response when additional program areas are required to assist.

      • Program Manager of the program area experiencing the breach.

      • CCHCS Chief Information Security Officer (CISO).

      • Public Information or Communications Officer (if the breach involves 500 or more individuals).

      • Legal Counsel.

      • Other workforce members as identified by CCHCS CPO or CISO.

        • If the breach involves multiple agencies or state entities, an IRT from each agency or state entity may be involved.

    • IRT members shall attend an initial impact assessment and response coordination meeting when a breach involves notifying 500 or more individuals, multiple agencies or state entities, or is likely to garner media attention.

      • This meeting shall clarify roles, responsibilities, and timelines for reporting and response activities.

      • When multiple agency personnel are involved, meeting attendee lists or equivalent are used to track participant involvement.

      • Non-redisclosure agreements may also be used to ensure confidential information remains confidential and communications do not compromise or complicate an active investigation.

  • Incident Tracking, Fact-Finding and Case File

    • The PO workforce members shall:

      • Monitor the mailbox daily. 

      • Screen ISIRs received and document the case number and incident details in the incident tracking solution within 24 hours of receipt from CCHCS OIS.

      • Conduct fact-finding to determine if a breach occurred and as required supplement the ISIR with additional information from the individual who submitted the ISIR or other workforce members who may have relevant information about the incident including Information Technology, Health Information Management, or program area managers.

      • Notify the CPO when escalation is necessary to obtain cooperation from other program areas to complete fact-finding.

      • Conduct a risk assessment and document all relevant information to recover, correct, or resolve the incident, including the root cause, potential harm, and mitigation efforts as follows:

        • The nature and extent of the Personal Health Information (PHI), Personally Identifiable Information (PII), or High-Risk Confidential Information (HRCI) involved, including the types of identifiers and the likelihood of re-identification.

        • The unauthorized person or entity who used the PHI, PII, or HRCI or to whom the disclosure was made.

        • Whether the PHI, PII, or HRCI was actually acquired or viewed or, alternatively, if the opportunity existed for the information to be acquired or viewed.

        • A determination if the incident created a risk and, if so, the extent to which the risk has been mitigated.

        • Ensure sufficient information is obtained upon completion of the risk assessment to determine if a breach notification will be issued.

      • Determine if the incident is a breach.

      • Maintain an electronic case file, identified by a unique case number.  The case file shall contain all relevant information as documented on the ISIR and risk assessment.

      • The CCHCS CPO, or designee, shall review the risk assessment to determine if additional information or corrective actions are needed and approve the completed risk assessment.

    • The information maintained in the incident tracking solution shall be:

      • Utilized for regular review of system activity, such as for audits, incident tracking reports, and sharing threat information electronically with the California Department of Technology (CDT).

      • Available for risk analysis or assessment which shall include, at a minimum, assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.

    • All impermissible disclosures shall be recorded in the Accounting of Disclosure tracking log within the incident tracking solution.

      • The log shall record, at a minimum, the date of disclosure, name and address of the person or entity who received the PHI, PII, or HRCI, a brief description of the information disclosed, and a brief description of the intended reason for the disclosure.

• Recovery and Destruction of Information Unlawfully or Improperly Disclosed

  • The PO workforce members shall:

    • Work with the responsible program area to ensure the original information is immediately recovered by the program area or obtain written verification from the program area that the data in all media types have been properly destroyed.

    • Document all efforts and outcomes regarding recovery and destruction in the incident tracking solution.

  • Once the information (e.g., hard copies, electronic, and portable media) is recovered by the responsible program area, they shall ensure it is secured in an approved locked shred container, shredded, deleted, or disposed of according to the OIS process for electronic destruction.

• Breach Reporting Responsibilities between CCHCS and Oversight Agencies

  • When it is determined that a breach occurred, the PO workforce members shall report the breach to the CDT OIS and the California Highway Patrol (when required by law) via the California Compliance Security Incident Reporting System (Cal-CSIRS).

  • When the breach occurs at a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (CDPH), CCHCS workforce members shall:

    • Report the breach to CDPH no later than 24 hours after the incident is discovered and no later than 24 hours if the PO workforce members determine the incident is a breach.

    • Notice the patient no later than 15 business days after a breach has been determined pursuant to the California Code of Regulations, Title 22, Section 79902, Breach Reporting for Licensed Facilities.

  • Business associates, or contracted entities shall notify the CCHCS OIS no later than 24 hours after detection of a breach of PHI, PII, or HRCI via email CCHCS-ISO@cdcr.ca.gov, or by phone: (916) 691-3243.

  • Upon receipt of an ISIR involving a business associate, the PO workforce members shall contact the CCHCS program area(s) responsible for monitoring the business associate agreement and contact the business associate to begin mitigation efforts for the business associate’s or its sub-contractor’s involvement in the incident.

    • If the incident breach occurs after business hours or on a weekend or holiday and involves electronic PHI, notification shall be provided by calling the CCHCS ITSD Solution Center at 1-888-735-3470.

  • When a breach affects:

    • 500 or more individuals, the PO workforce members shall notify:

      • The Center for Data Insights and Innovation (CDII) within two business days of breach determination at CDIIPrivacyOffice@chhs.ca.gov.

      • The United States (US) Department of Health and Human Services (HHS) on the Breach Reporting form located at US HHS at the time notice is issued to those affected.

    • Fewer than 500 individuals, the PO shall maintain a log documenting the breaches and assigned workforce members shall submit aggregated breach information to US HHS no later than 60 calendar days after the end of each calendar year on the Breach Reporting Log located at US HHS.

      • The submission shall include all breaches discovered during the preceding calendar year.

  • PO workforce members shall submit an annual accounting of all PHI breaches to CDII at the end of each calendar year or as requested.

    • The information shall be submitted on the CDII Annual Breach Reporting form and shall include actions taken to investigate and mitigate each event.

• Breach Notification to Affected Individuals

  • The PO workforce members or entity responsible for the breach shall notify each individual who has had, or is reasonably believed to have had, PHI, PII, or HRCI inappropriately accessed, acquired, used, or disclosed as follows:

    • Notify by first-class mail to the affected individuals’ last known address.

      • If the individual whose information has been breached is deceased, the next of kin or personal representative for the individual or patient shall be notified by first class mail.

    • Email is permitted if the individual agrees to electronic notice.

    • If it is determined that there is possible imminent misuse of any PHI, PII, or HRCI, notice shall be provided by telephone or other means as appropriate.

    • If the contact information is insufficient or out of date preventing written notification to the individual, the notice shall be provided as follows:

      • When fewer than ten individuals are affected, an alternate form of written notice, telephone, or other means may be provided.

      • When more than ten individuals are affected, a posting shall be placed for a period of 90 calendar days on the homepage of the CDCR or CCHCS website or in a major print or broadcast media in the geographic area where the individuals likely reside.

  • Written notifications shall use plain language and be titled “Notice of Data Breach.”  The notice shall include all of the following, to the extent possible:

    • “What Happened,” a brief description of what happened, including the date of the breach, the date the breach was discovered, and, if applicable, if the notification was delayed due to a law enforcement investigation.

    • “What Information Was Involved,” a description of the types of information involved in the breach (e.g., PHI, PII, or HRCI, and other identifiers).

    • “What We Are Doing,” a brief description of the actions the state entity is taking to investigate the breach, mitigate harm to the individuals, and protect against further breaches.

    • “What You Can Do,” advisement of the steps individuals should take to protect themselves from potential harm resulting from the breach. The major credit reporting agencies’ toll-free telephone numbers and mailing addresses shall be included if the breach exposed PII such as Social Security number, driver’s license number, California identification card number, or other personal identifiers.

      • Credit Reporting Agency Information

        • Equifax: 1-800-525-6285

        • Trans Union: 1-800-680-7289

        • Experian: 1-888-397-7342

      • Advise the individuals that they may request a copy of their credit report by mail by completing an Annual Credit Report Request Form from one of the three credit reporting agency websites and sending the completed form to the following address: P.O. Box 105281, Atlanta, GA 30348-5281.

    • “Other Important Information,” the enclosure “Breach Help – Consumer Tips from the California Attorney General.” This information is available in English and Spanish and can be downloaded from https://oag.ca.gov/privacy/other-privacy/breach-help-tips-for-consumers.

    • “For More Information,” the statement “For information about your medical or personal privacy rights, you may visit the State of California Department of Justice, Office of Attorney General (OAG), Privacy Enforcement and Protection.”

    • “Agency Contact, “the name, toll free number, and the website of the designated agency official or agency unit handling inquiries.

  • Before releasing the breach notification, the PO workforce members shall:

    • Provide a draft of the breach notification to the CDT OIS using Cal-CSIRS for review and approval.

    • Electronically report the incident to the OAG if the breach notification will be sent to 500 or more individuals

    • Notify the CCHCS Director of Communications who shall provide a press release to the prominent media outlets serving the state and regional area without unreasonable delay when a breach affects 500 or more individuals.

• Timing of Notification to Affected Individuals

  • The PO workforce members or entity responsible for the breach shall provide notifications in accordance with the following:

  • When the incident or breach involves a clinic, health facility, home health agency, or hospice licensed by the CDPH, a breach notification to the affected patient or patient’s representative no later than 15 business days after the breach was discovered.

    • A law enforcement agency may delay notification up to 60 calendar days with a written request or up to 30 calendar days with an oral request, if it is determined that notification will impede a criminal investigation.

  • When the incident or breach involves a non-licensed area, a breach notification within ten business days from the date a breach was reported, or reasonably believed to have occurred, to the extent possible. However, notice is required without unreasonable delay within and no later than 60 calendar days.

    • Any decision to delay notification beyond ten business days but less than 60 calendar days shall be made by the CCHCS CPO in writing.

    • Notification may be delayed if a law enforcement agency determines the notification will impede a criminal investigation.

• Documentation Retention

  • CCHCS shall retain breach policies and procedures, fact-finding, risk assessments, results, notifications, and reports for six years from the date of creation or the date when it last was in effect, whichever is later.

Policy

• California Department of Corrections and Rehabilitation (CDCR) and California Correctional Health Care Services (CCHCS) workforce members shall ensure compliance with federal and state privacy requirements and CCHCS policies for Protected Health Information (PHI) and Personally Identifiable Information (PII). The PHI and PII maintained by CCHCS is private and confidential, and CCHCS workforce members shall not use or disclose PHI or PII, except as permitted or required by law, and as outlined in this policy.

Purpose

• To ensure CCHCS and its workforce members comply with federal and state privacy requirements for state entities that maintain PII and PHI.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the collection, use, and disclosure of PHI and PII maintained by CCHCS.

• CCHCS workforce members are responsible for complying with requirements for use, disclosure, and access when handling PHI and PII.

Procedure

• Permitted Use and Disclosure of PHI

  • CCHCS workforce members shall only use or disclose PII in a manner that would not link the information disclosed to the patient to whom it pertains pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.10, General Use and Disclosure of Personally Identifiable Information.

• Permitted Use and Disclosure of PHI

  • CCHCS workforce members may use or disclose PHI pursuant to the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information.

• Access to PHI and PII of the Deceased

  • A written authorization for the release of information (ROI) or CDCR 7385 from the appointed patient representative is required before information may be disclosed.

  • A signed ROI is not valid or permitted based on prior authorization from the patient.

  • Exceptions to the written authorization requirement are limited to certain external law enforcement, coroner, research functions, or individuals involved in or relevant to the patient’s care and organ procurement.

  • All other cases require a signed ROI from the appointed patient representative pursuant to the Federal Code of Regulations, Title 45, Section 164.502(g)(4).

  • CCHCS workforce members shall:

    • Not disclose, use, or make available personal information collected from patients for purposes other than those for which it was originally collected.

    • Limit PHI use and disclosure to the minimum necessary information required to complete the desired task.

    • Protect the PHI of decedents in the same manner, and to the same extent, as required for the PHI of living persons.

  • Requests for a decedent’s health care information received from any source by CDCR or CCHCS shall be forwarded to Health Information Management (HIM) for further handling pursuant to the HCDOM, Chapter 2, Patients’ Entitlements and Responsibilities, Article 3, Health Information Management.

• External Law Enforcement Requests or Inquiries

  • Pursuant to Statewide Health Information Policy Manual (SHIPM), Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members shall disclose PHI to external law enforcement officials in response to the following:

    • A court order, court-ordered warrant, subpoena, or summons issued by a judicial officer.

    • A grand jury subpoena.

    • An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process permitted under the law provided that the:

      • Information sought is relevant and material to a legitimate external law enforcement inquiry.

      • Request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

      • De-identified information could not reasonably be used.

      • Request or a separate document indicates that the requirements listed within section (d)(4)(A)3.a. through c., have been satisfied.

  • Pursuant to SHIPM, Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members are permitted to disclose PHI to external law enforcement officials in response to the following:

    • A written or verbal request when information is needed to identify or locate a suspect, fugitive, material witness, or missing person limited to the following information:

      • Name and address

      • Date and place of birth

      • ABO blood type and Rh factor

      • Social Security Number

      • Type of injury

      • Date and time of treatment

      • Date and time of death (if applicable)

      • A description of distinguishing physical characteristics, including height, weight, gender, race, hair, and eye color, presence or absence of facial hair, scars, and tattoos.

    • A written or verbal request for information about a patient who is or suspected to be the victim of a crime if:

      • The patient agrees to the disclosure.

      • The patient’s agreement cannot be obtained because of incapacity or other emergency circumstances, provided that all of the following are met:

        • The external law enforcement official represents that:

          • The information is needed to determine whether a violation of law by a person other than the victim has occurred, and that the information is not intended to be used against the victim;

          • Immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient is able to agree to the disclosure.

        • The disclosure is in the best interests of the patient as determined by CCHCS.

      • It is suspected that the patient may be a victim of child abuse or neglect, elder abuse or neglect, or domestic violence pursuant to SHIPM, Section 2.2.16, Victims of Abuse, Neglect, or Domestic Violence.

    • An inquiry about a patient who has died if there is suspicion that the death may have resulted from criminal conduct pursuant to SHIPM, Chapter 2, Section 2.2.1, Decedents, III.B (1) and (2).

    • An inquiry if there is a reasonable and honest belief that it constitutes evidence of criminal conduct.

    • An inquiry when providing emergency medical care that is not on its premises.  CCHCS workforce members are permitted to the disclose PHI to external law enforcement if the disclosure appears necessary to alert the authorities to the:

      • Commission and nature of a crime.

      • Location of the crime or the victim(s) of the crime.

      • Identity, description, and location of the perpetrator of the crime.

• Victims of Abuse, Neglect, or Domestic Violence

  • If CCHCS believes that the medical emergency results from abuse, neglect, or domestic violence of the patient in need of emergency health care pursuant to SHIPM, Chapter 2, Section 2.2.16, Victims of Abuse, Neglect or Domestic Violence, CCHCS workforce members may disclose a patient’s PHI without the patient’s authorization to a government authority authorized by law to receive reports if they reasonably believe the patient is the victim of abuse, neglect, or domestic violence.  CCHCS workforce members shall disclose the minimum PHI necessary to file a report and shall ensure the patient is notified of the disclosure unless notification would place the patient at risk of serious harm. The nature and date of disclosure and notification shall be documented on the CDCR 7219, Medical Report of Injury or Unusual Occurrence.

• Appropriate Safeguards

  • All email and portable electronic storage media including, but not limited to, CDs and thumb drives containing PHI and PII, shall be encrypted when sent to entities outside the CCHCS network utilizing the appropriate administrative, technical, and physical controls pursuant to the Statewide Information Management Manual, Chapter 5300.

• Documentation and Tracking of Disclosures

  • CCHCS workforce members shall document, track, and maintain the documentation regarding disclosures of PHI when the disclosure is not for TPO reasons. This tracking shall include what, when, why, and to whom disclosures are made pursuant to SHIPM, Chapter 5, Section 5.1.0, Accounting of Disclosures.

• CCHCS Workforce Members Access to PHI and PII

  • CCHCS workforce members may only access or use the minimum information necessary to conduct business in compliance with federal and state law.

• Third Party or Media Inquiries

  • CCHCS workforce members shall:

    • Forward all media inquiries regarding the release of patient PHI or PII to the CCHCS, Office of Communications at via email at Lifeline@cdcr.ca.gov.

    • Refer patient health care inquiries containing PHI or PII from third parties to the Health Care Correspondence and Appeals Branch (HCCAB) by emailing CCHCSPHCI@cdcr.ca.gov.  HCCAB shall respond to patient health care inquiries pursuant to the HCDOM, Section 2.3.15, Patient Health Care Inquiries.

    • Not use or disclose PHI or PII to third parties (e.g., attorney, legislative, or advocacy group) or to media.

  • Inquiries for PHI and PII are not subject to the California Public Records Act pursuant to the HCDOM, Section 5.1.2, California Public Records Act Requests.

• Management and Redaction of Health Information

  • Designated HIM workforce members shall perform the routine disclosure of all or part of a patient’s health record, as permitted by law or subsequent to a HIPAA-compliant authorization or CDCR 7385, for each request pursuant to the HCDOM, Section 2.3.4, Release of Protected Health Information.

  • Various disclosures, including but not limited to, mandated reporting or gathering statistical or population-based information, may not require identifying characteristics, such as name, date of birth, address, and more. For this reason, designated CCHCS workforce members shall redact all identifying information when the information is not necessary to fulfill the request. California Health and Human Services, Data Playbook, provides Data De-Identification Guidelines, Federal Code of Regulations, Title 45, Section 164.514.

• Information Security and Incident Breaches

  • If there is an incident or breach regarding an unlawful disclosure of PHI or PII, it shall be reported to the Office of Information Security immediately via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal. The instructions for reporting security incidents are available on Lifeline through the following links: CCHCS Security Incident Reporting Procedures (sharepoint.com).

• General Staff and Patient Information

  • Information Accuracy and Integrity

    • Information owners and CCHCS workforce members shall:

    • Maintain all records with accuracy, relevance, timeliness, and completeness.

    • Make appropriate corrections submitted by record subjects as required by law.

  • Accounting of Disclosures

    • Information owners and CCHCS workforce members shall:

    • Keep an accurate accounting of the date, nature, and purpose of each disclosure of a record as required by law.  The accounting shall include the date of the disclosure and the name, title, and business address of the individual or to whom the disclosure was made pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information.

    • Retain accountings of non-medical PII for at least three years after the disclosure for which the accounting is made or until the record is destroyed per the record retention policy, whichever is shorter.

    • Retain accountings of PHI for at least six years after the disclosure for which the accounting is made.

  • Privacy Impact Assessments

    • The Privacy Office shall assist program management with conducting Privacy Impact Assessments.

  • General Privacy Statement

    • The Privacy Office shall review and revise the general CCHCS internet privacy statement as needed.

Policy

• California Correctional Health Care Services (CCHCS) workforce members shall exercise due diligence to limit and prevent incidental disclosures of Protected Health Information (PHI).

Purpose

• To provide guidance regarding the incidental use or disclosures of PHI.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for the collection, use, and disclosure of PHI.

Procedure

• Methods and Processes to Limit and Prevent Incidental Use or Disclosure of Health Information

  • All CCHCS workforce members shall adhere to the minimum necessary requirements for using or disclosing PHI. PHI shall only be used or disclosed when necessary to satisfy a particular authorized purpose or carry out an assigned work-related function.

  • CCHCS workforce members acting on behalf of the patient clinically or administratively, including clinicians, ancillary services, administrative, clerical, and custodial workforce, shall only access, use, or disclose the minimum necessary PHI to carry out or perform assigned duties. Refer to the Code of Federal Regulations, Title 45, Section 164.514 (d)(e).

  • CCHCS workforce members shall limit access, use, or disclosure of PHI to the amount and type of information allowed by assigned job duties and necessary to complete assignments, pursuant to the Health Care Department Operations Manual (HCDOM) Section 5.3.14, Access Control and shall follow the rules for disclosure. Refer to HCDOM Sections 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information and 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

• Appropriate Safeguards

  • All CCHCS workforce members with assigned job duties requiring access, use, or disclosure of PHI shall, to the extent possible, apply appropriate administrative, technical, and physical safeguards pursuant to the HCDOM Section 2.2.5, Administrative, Technical, and Physical Safeguards for the protection and confidentiality of PHI.

• Accounting of Disclosures

  • CCHCS workforce members are not required to include incidental disclosures in the accounting of disclosures.

Policy

• California Correctional Health Care Services (CCHCS) workforce members may disclose health information, without a patient authorization, when the use or disclosure involves, or is related to, a specialized government function defined below.

Purpose

• To provide guidance regarding the permitted uses and disclosures of Protected Health Information (PHI) for specialized government functions.

Responsibility

• The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the disclosure of PHI maintained by CCHCS for specialized government functions.

Procedure

• Measures and Processes Utilized to Disclose Health Information for Specialized Government Functions

  • CCHCS workforce members are permitted to disclose health information, without patient authorization for any of the following specialized government functions:

    • Law enforcement or custodial situations if the disclosure of health information is made to authorized correctional or law enforcement officials with lawful custody of the patient, and the health information is needed, according to the law enforcement official or representative of the correctional institution, to do any of the following:

      • Provide custodial access for the patient’s health care needs to support health care delivery in a custodial setting,

      • Ensure the health and safety of the patient or other incarcerated persons,

      • Ensure the health and safety of officers, employees, or others at the correctional institution,

      • Ensure the health and safety of correctional individuals responsible for transporting or transferring of patients from one institution, facility, or setting to another,

      • Enforce the law on the premises of the correctional institution,

      • Administer and maintain the safety, security, and good order of the correctional institution.

    • Government programs providing public benefits if the health information is related to the purpose for which the information was collected and any of the following:

      • The state entity is a health care plan that is a government program,

      • The disclosure is to another entity administering a government program providing public benefits,

      • The disclosure is required or expressly authorized by law, and

        • Is the sharing of eligibility or enrollment information,

        • Is required for the maintenance of information in a single or combined data system accessible to both government agencies.

    • Government agencies administering a government program providing public benefits if the health information is related to the purpose for which the information was collected, and any of the following:

      • The state entity is a covered entity administering a government program providing public benefits,

      • The disclosure is to another covered entity that is a government agency administering a government program providing public benefits,

      • Both programs serve the same or similar populations,

      • The disclosure is necessary to coordinate Health Insurance Portability and Accountability Act covered functions of the program, or to improve administration and management relating to the programs covered functions.

    • Military and Veteran activities if upon separation or discharge from military service, disclosure is made by a component of the Departments of Defense or Homeland Security to provide information to the Department of Veterans Affairs to determine eligibility for benefits.

    • National security and intelligence activities if the disclosure of health information is made to authorized federal officials conducting lawful intelligence, counterintelligence and other national security activities authorized by the National Security Act, and the disclosure is any of the following:

      • Required by law,

      • Compelled due to circumstances affecting the health or safety of an individual,

      • Compelled through subpoena or warrant.

    • Protective Services for the president and others if the disclosure of health information is made to authorized federal officials to protect the president and other persons, including foreign heads of state, or to conduct investigations authorized by United States Code, and the disclosure is any of the following:

      • Required by law,

      • Compelled due to circumstances affecting the health or safety of an individual,

      • Compelled through subpoena or warrant.

  • CCHCS and California Department of Corrections and Rehabilitation are responsible for:

    • Verifying the identity of federal officials or correctional and law enforcement representatives pursuant to Statewide Health Information Policy Manual (SHIPM), Chapter 3, Section 3.1.7, Verification of Identity.

    • Ensuring that only the minimum amount of health information to achieve the purpose is disclosed pursuant to the HCDOM, Section 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information.

  • CCHCS workforce members are responsible to document, track, and maintain information concerning disclosures of health information. This tracking must document what, when, why, and to whom disclosures are made pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information.

Policy

• California Correctional Health Care Services (CCHCS) shall permit the use and disclosure of health information to legally authorized government agencies that conduct health oversight activities regarding the appropriate operation and management of programs, the provision of health care or health care related services, and health information governance in the provision of those services.

Purpose

• To provide guidance regarding uses or disclosures of health information for health oversight purposes, as required by law, and to ensure processes are maintained related to the use and disclosure of health information to government agencies performing health oversight activities, and health information governance.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) is responsible for the oversight of this policy.

• Hiring authorities are responsible to ensure staff comply with this policy.

Applicability

• This policy applies to CCHCS as a Covered Entity.

Procedure

• CCHCS shall meet health oversight obligations by:

  • Understanding what constitutes health oversight activities, and how to respond to requests for health information by other agencies for this purpose.

  • Cooperating with federal and state agencies responsible for determining compliance with the Health Insurance Portability and Accountability Act and other laws relating to the privacy, security, and administration of health information.

  • Ensuring all workforce members receive training to limit disclosure of health information to the minimum necessary when a health oversight agency conducts health oversight activities pursuant to this policy.

  • Addressing health information privacy concerns of other state entities when requesting health information.

  • Understanding that health oversight agency representatives will be required to provide verification of both identity and authority when requesting health information for authorized oversight activities.

  • Requiring reasonable evidence or legal authority in the forms listed below:

    • A written statement of identity on agency letterhead.

    • An identification badge.

    • Similar proof of official status.

    • A written request provided on agency letterhead describing legal authority for release of health information.

• Permitted Uses and Disclosures to Oversight Agencies

  • A state entity that is also a health oversight agency may use health information for health oversight activities.

  • Health information may be disclosed to a health oversight agency, without an authorization, for authorized oversight activities, including, but not limited to, audits, licensure, investigations, or disciplinary actions permitted by law.

• Exceptions to Permitted Disclosures to Health Oversight Agencies

  • A health oversight activity does not include an investigation or other activity in which the patient is the subject of the investigation or activity, when it is not a direct result of, or directly related to:

    • The receipt of health care.

    • A claim for public benefits related to health.

    • Qualification for, or receipt of, public benefits or services when a patient’s health is vital to the claim for public benefits or services.

    • A report of child abuse, neglect, or domestic violence.

    • A report of sexual abuse or violence in accordance with the Prison Rape Elimination Act.

    • Payment collection activities related to provision of health care.

• Temporary Suspension of Accounting of Disclosures

  • Health oversight agencies may request a temporary suspension of a patient’s right to receive an accounting of disclosures.

    • The temporary suspension shall be made in writing, include the reason why the disclosure would impede the health oversight activities, and indicate the timeframe the suspension is required.

    • For verbal requests, the patient’s right to an accounting shall be suspended for no more than 30 business days unless a written request is submitted during that timeframe.

• Joint Activities or Investigations

  •  If a health oversight activity is conducted in conjunction with a public benefits investigation not related to health, the joint activity or investigation is considered a health oversight activity.

    • Inquiries or investigations of Medi-Cal fraud involving health treatment or investigations involving other federal or state public benefits are considered a health oversight activity for purposes of this policy.

• Health Information Governance

  • Roles and Responsibilities

    • The CCHCS CPO shall:

      • Notify Hiring Authorities of noncompliance of their staff with this policy or privacy laws.

      • Recommend that action be taken, when appropriate.  Recommendations may include, but are not limited to:

        • Creating a process to mitigate risk or prevent future privacy breaches.

        • Advising CCHCS on staffing or resources needed to respond to and mitigate a privacy breach, and to prevent future privacy breaches.

        • Consulting with the CCHCS Performance Management Unit to advise CCHCS Hiring Authorities on recommended action regarding a specific workforce member.

      • Communicate with the California Department of Corrections and Rehabilitation (CDCR) CPO to identify their respective areas of responsibility, including the following functions:

        • Collaborating with the CDCR CPO regarding areas of overlapping responsibility.

        • Developing a joint plan for health information governance that would apply to both CDCR and CCHCS.

    • Hiring Authorities shall:

      • Consider recommendations from the CCHCS CPO and ensure CCHCS meets all timeframes for incident management required by federal and state law.

      • Advise the CCHCS CPO of actions taken in response to Privacy Office recommendations.

Policy

• California Correctional Health Care Services (CCHCS) shall develop and maintain an entity-wide information security, privacy, and risk management strategy and program to support health information privacy and security compliance as required by federal and state privacy and security laws.

Purpose

• To define specific workforce roles related to privacy and security and outline those roles in duty statements to ensure privacy and security policies and procedures are developed, implemented, monitored, and maintained.

Responsibility

• The CCHCS Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO) are responsible for the implementation, monitoring, and maintenance of this policy.

CCHCS Workforce Staffing Roles

• CCHCS Chief Privacy Officer

  • The CPO shall ensure compliance with CCHCS’s policies and procedures relating to privacy. Responsibilities include, but are not limited to:

    • Assisting in the development and implementation of privacy policies and procedures.

    • Monitoring compliance with privacy policies and procedures pursuant to applicable federal and state privacy laws, standards, and industry best practices.

    • Performing ongoing compliance monitoring activities including initial and periodic information privacy risk assessments or analyses and implementing mitigation and remediation efforts.

    • Working with legal counsel and management to ensure forms, authorizations, and notices are current.

    • Assisting with, coordinating, and supporting departmental tracking of workforce member access to health information as needed for Privacy Office operations.

    • Developing, revising, and monitoring compliance with Privacy Awareness Training and ensuring that all users who have access to CCHCS data complete training before being provisioned and annually thereafter.

    • Monitoring patients’ rights to access, amend, and restrict access to their health information.

    • Ensuring a process for addressing complaints on privacy policies and procedures, including complaints on denial of access to health information and responding to privacy questions and issues.

    • Coordinating control activities with the CISO.

    • Conducting fact-finding for reported information security incidents, making breach determinations, and issuing notifications required by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state law and policy.

    • Coordinating with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Center for Data Insights and Innovation (CDII), state regulators, and other oversight entities in compliance reviews and investigations.

    • Coordinating with the CISO to recommend sanctions for privacy violations.

    • Coordinating with the CISO and contracting units in the development, implementation, and ongoing compliance monitoring of business associates (BA) and business associate agreements (BAA) to ensure privacy concerns, requirements, and responsibilities are addressed.

    • Identifying a point of contact by name, title, or office and telephone number in any notice describing how a patient’s health information may be used and disclosed, and how the patient may access their information, including the designated contact person or office that is responsible for receiving privacy-related complaints and providing additional information about the content of the privacy notice.

• CCHCS Chief Information Security Officer

  • The CCHCS CISO shall ensure compliance with CCHCS’ policies and procedures relating to information security.  Responsibilities include, but are not limited to:

    • Building a strategic and comprehensive information security program that defines, develops, maintains, and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality, and availability of information that is owned, controlled, or processed within the organization.  

    • Ensuring information security policies, standards, and procedures are up-to-date with applicable federal and state information security laws, licensing and certification requirements and accreditation standards.

    • Initiating, facilitating, and promoting activities to foster information security awareness within the organization.

    • Creating a culture of cyber security with information technology to drive behavioral change within the organization.

    • Evaluating security trends, evolving threats, risks, and vulnerabilities and applying tools to mitigate risk as necessary.

    • Managing security incidents and events involving electronic health information.

    • Ensuring that the technology recovery, business continuity, risk management, and access control needs of the organization are addressed.

    • Ensuring the organization complies with the administrative, technical, and physical safeguards.

    • Working closely with the CPO to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and assisting with reporting to oversight agencies.    

    • Performing and analyzing initial and periodic information security risk assessments and implementing mitigation and remediation.

    • Developing and implementing information security risk management plans.

    • Ensuring the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.

    • Overseeing periodic monitoring and reviewing of audit records to ensure the appropriateness of system activity, including, but not limited to, logons and logoffs, file accesses, updates, edits, and printing.

    • Ensuring the organization has and maintains an appropriate system use and disclosure and confidentiality statement.

    • Overseeing, developing, and delivering initial and ongoing security training to the workforce.

    • Participating in the development, implementation, and ongoing compliance monitoring of BAs and BAAs, to ensure security concerns, requirements, and responsibilities are addressed.

    • Assisting the CPO as needed with breach determination and notification processes under HIPAA and applicable state breach rules and requirements.

    • Establishing and administering a process for investigating and acting on security incidents which may result in a privacy breach.

    • Partnering with the CPO to recommend sanctions for information security violations.

    • Cooperating with the HHS OCR, CDII, state regulators, and other legal entities, organizations, or officers in any compliance reviews or investigations.

Policy

• California Correctional Health Care Services (CCHCS) shall maintain a process to account for the disclosures of patients’ Protected Health Information (PHI) in compliance with federal and state privacy laws.

Purpose

• To ensure disclosures of patient PHI are tracked and documented in order to provide an accounting of such disclosures to the patient upon their request.

Responsibility

• The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the collection, use, and disclosure of PHI maintained by CCHCS.

• Under the direction of the Chief of Health Information Management (HIM), or designee, the HIM workforce members shall receive and respond to requests for an accounting of disclosures and provide reports on organization disclosures to the Privacy Office.

Procedure

• Tracking Disclosures

  • CCHCS program areas and Business Associates (BA) that disclose patient PHI shall ensure that the disclosures are documented and made available in responding to an accounting of disclosures request.

  • CCHCS program areas that disclose patient PHI shall maintain an electronic record of each accounting of disclosures sufficient to demonstrate compliance with the requirements.

    • Tracking information shall be maintained pursuant to the Health Care Department Operations Manual (HCDOM) Sections 2.3.1, Health Information Management Overview, 2.3.2, Security and Privacy, and 2.3.5, Health Information Exchange.

    • CCHCS program areas and BAs shall retain the tracking documentation records for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later.

    • CCHCS BAs shall be responsible for accounting of disclosures pursuant to the HCDOM Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information, and the Business Associate Agreement.

• Accounting of Disclosures

  • Processing Request for Accounting of Disclosures

    • HIM shall review the access and disclosure log to determine if the patient has requested an accounting of disclosures within the last 12 months. Subsequent requests of accounting of disclosures shall only include incremental disclosures made since the original accounting.

      • HIM shall print the accounting of disclosures document for the requested dates from the ‘Access HIM’ application within the Electronic Health Record System.

      • HIM shall ensure that the accounting of disclosures include the following, at a minimum:

        • The date(s) of the disclosure(s).

        • The names and title of the entity or person to whom the information was provided, and the recorded address.

        • A brief description of the health information disclosed.

        • The reason for the required or permitted disclosure.

    • HIM shall contact the program areas for the patient’s requested date(s) of disclosure(s). Programs and BAs shall provide to HIM the requested data within five calendar days of the request. HIM shall:

      • Gather, organize, and combine all data into one document.

      • Print and mail the document to the patient.

      • Update the Accounting of Disclosures tracking records.

  • Response Timing

    • HIM shall respond within 60 calendar days after receipt of a request for a patient’s accounting of disclosures.

    • If unable to respond within 60 calendar days, HIM may extend the time by no more than 30 calendar days, provided that within the initial 60-day period, HIM provides the patient with a written statement of the reasons for the delay and the date by which the accounting shall be provided.

      • Only one 30-day extension is permitted.

    • The following types of disclosures are excluded from the accounting of disclosures requirement:

      • Treatment, payment, and health care operations.

      • To the patient about themselves.

      • Resulting from or incident to an otherwise permitted disclosure.

      • Pursuant to an authorization.

      • For a facility’s directory, or to persons involved in the patient’s care or for related purposes.

      • That are part of a Limited Data Set.

      • To correctional institutions or law enforcement officials under the HIPAA corrections exception.

    • Disclosures Accounting for Research Purposes.

      • If during the period of time covered by the requested accounting, CCHCS makes disclosures for specific research purposes regarding 50 or more individuals’ records, CCHCS may account for the disclosures by providing all of the following:

        • The name of the protocol or other research activity.

        • A plain language description of the research protocol or activity, including the purpose of the research and the criteria for selecting certain records.

        • A brief description of the type of health information that was disclosed.

        • The dates or periods of time during which the disclosures occurred, or may have occurred, including the date of the last disclosure during the accounting period.

        • The name, address, and telephone number of the entity that sponsored the research and the researcher to whom the information was disclosed.

        • A statement that the health information may or may not have been disclosed for a particular protocol or particular research activity.

      • If it is reasonably likely that the health information was disclosed for a research protocol or activity, CCHCS shall, if requested by the patient, assist the patient in contacting the entity that sponsored the research and the researcher.

      • Upon request by the patient, state entities are responsible for providing an accounting of disclosures related to research for the six years prior to the request.

  • Charge for the Accounting of Disclosures

    • HIM shall not charge a fee to a currently incarcerated person who requests an accounting of disclosures.

    • HIM may charge a fee to a person no longer incarcerated as follows:

      • The first accounting of disclosures made to a person during any 12-month period of time shall be provided free of charge.

      • For any subsequent request for an accounting of disclosures made by the same person within this 12-month period, HIM may charge a reasonable, cost-based fee for the accounting, provided that HIM informs the person of the charge in advance and provides the person with an opportunity to withdraw or modify the request for a subsequent accounting to avoid or reduce the fee.

• Reporting of Accountings of Disclosures

  • HIM shall provide a report of all accountings of disclosures to the Privacy Office upon request. This report shall include all information required in each accounting, and the titles of persons or offices responsible for receiving and processing requests for accounting of disclosures.

Policy

• California Correctional Health Care Services, Health Information Management shall:

• Ensure availability of accurate and complete patient health care information to authorized users.

• Ensure quality of patient health related information.

• Ensure privacy and security of patient health information.

• Ensure access to health records to support patient health care needs.

• Ensure appropriate quality controls and other monitoring mechanisms for all ambulatory, inpatient, and outpatient documentation.

• Manage the release of Protected Health Information, to include use and disclosure and other release of information processes and functions.

• Ensure appropriate coding such as International Classification of Diseases is completed for all inpatient admissions.

Purpose

• To ensure maintenance, storage, retrieval, accessibility, retention, and destruction of patient health information. “The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization” (American Health Information Management Association: Fundamentals of the Legal Health Record and Designated Record Set).  Patient records consist of paper-based records, electronic records, and other media that documents the patient’s health care.

Responsibility

• The Chief Executive Officer, or designee, Health Records Technician III, and Health Records Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• Under the direction of the Deputy Director, Medical Services, the Medical Record Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this policy through consultation services pursuant to Title 22.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall adhere to established rules, guidelines, and statutes that protect patient privacy, confidentiality, security, access to, use, and disclosure of Protected Health Information (PHI).  HIM, Health Records, and Information Technology Units shall ensure:

• The use of appropriate technical safeguards, as stated in 45 Code of Federal Regulations Part 164, Subpart C, to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI.

• Any tampering of PHI is identified and reported, as appropriate.

• Availability of health information is readily accessible to the extent possible.

• Capability of storing information pursuant to retention requirements.

• Availability of backup and restore operation.

• Management review of security periodically for necessary changes as a result of technology evolution.

• Periodic risk assessments conducted by management in accordance with State Administrative Manual, Section 5305.6, Risk Management, to ascertain the threats and vulnerabilities that impact CCHCS and HIM assets, and implement appropriate mitigations.

Purpose

• To ensure protection of patient, privacy, security, access to, use, and disclosure of PHI.

Policy Responsibility

• The Chief Executive Officer, or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• The CCHCS Information Security Officer shall validate the security component for access to electronically stored PHI.

Procedure Overview

• CCHCS HIM shall ensure all employees are informed of and follow established rules, guidelines, and statutes that protect patient privacy, security, access to, use, and disclosure of PHI. As new technologies evolve with the use of computerized patient health records, HIM staff shall implement and reinforce procedures for authorizing access to PHI.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring and evaluation of this procedure.

Procedure

• PHI Identifiers

  • Any of the following personal data identifiers, used in combination with a medical condition, becomes PHI and shall not be disclosed without proper authorization or approval:

  • Names.

  • All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes.  However, the initial three digits of a zip code may remain on the information if, according to current publicly-available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits for all such geographic unit containing 20,000 or fewer people is changed to 000.

  • All elements of dates (except year) directly relating to the patient including birth date, dates of admission and discharge from a health care facility, and date of death.  For persons age 90 and older, all elements of dates (including year) that would indicate such age must be removed, except that such ages and elements may be aggregated into a single category of “age 90 and older.”

  • Telephone numbers.

  • Fax numbers.

  • Electronic mail addresses.

  • Social security numbers.

  • Health record numbers.

  • Health plan beneficiary numbers.

  • Account numbers.

  • Certificate or license numbers.

  • Vehicle identifiers and serial numbers including license plate numbers.

  • Device identifiers and serial numbers.

  • Web Universal Resource Locators.

  • Internet Protocol address numbers.

  • Biometric identifiers including fingerprints and voiceprints.

  • Full face photographic images and any comparable images.

  • Any other unique identifying number, characteristic, or code.

• Accountability

  • All CCHCS/California Department of Corrections and Rehabilitation (CDCR) health care employees shall ensure PHI is covered or unable to be viewed at all times when information is not in use.

  • All computerized systems shall be protected with a unique user ID and a complex password.

• Backup and Storage of PHI

  • All CCHCS/CDCR health care employees shall ensure that any tampering of PHI is identified and reported to the Information Security Officer.

  • HIM, Health Records, and Information Technology Units shall ensure:

    • The use of appropriate technical safeguards, as stated in 45 Code of Federal Regulations Part 164, Subpart C, to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI.

    • Any tampering of PHI is identified and reported, as appropriate.

    • Availability of health information is readily accessible to the extent possible.

    • Capability of storing information pursuant to retention requirements.

    • Availability of backup and restore operation.

    • Management review of security periodically for necessary changes as a result of technology evolution.

    • Periodic risk assessments conducted by management in accordance with State Administrative Manual, Section 5305.6, Risk Management, to ascertain the threats and vulnerabilities that impact CCHCS and HIM assets, and implement appropriate mitigations.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) staff shall:

• Understand and adhere to applicable federal and state statutes and regulations to ensure patient privacy as well as control access to, use, and disclosure of Protected Health Information (PHI). 

• Safeguard both the health record and its contents against loss, defacement, tampering, and from disclosure or use by unauthorized individuals in accordance with Information Security Office mandates.

• Ensure Headquarters (HQ) reviews all requests from external entities.

Purpose

• To ensure patient health information is protected against loss, defacement, tampering, and unauthorized disclosure.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services:

  • HIM HQ and Institution Health Records staff are responsible for the implementation and monitoring of this policy for currently incarcerated persons.

  • Health and Imaging Record Center (HIRC) staff are responsible for the implementation and monitoring of this policy for paroled or discharged incarcerated persons.

• The Chief Executive Officer, or designee, Health Records Technician (HRT) III and HRT II of each institution, and HIRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy, and shall establish and maintain local operating procedures to carry out the requirements herein.

Responsibility

• Information Technology department staff are responsible for provisioning access to the Electronic Health Record System in accordance with established policy, procedures, and guidelines.

Procedure

• The requestor, or designee, shall complete and submit a PHI access provision request through the CCHCS Service Portal.

• CCHCS HIM shall ensure patient health information is available as needed by health care staff and others who have authorized access.

Policy

• California Correctional Health Care Services (CCHCS) shall release requested Protected Health Information (PHI) with authorization in accordance with applicable law, timely evaluation, and appropriate processing.

Purpose

• To provide guidance regarding the required criteria for handling and responding to routine requests for release of PHI for purposes other than treatment payment and health care operations, and where required or permitted by law.

Applicability

• This policy applies to the release of PHI in any form (health records, other types of written communication, and verbal information) pursuant to a valid authorization, court order, administrative order, or subpoena.

• This policy does not apply to disclosures permitted by law in which a patient authorization is not required for release of information. Refer to the Health Care Department Operations Manual (HCDOM) Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions for these special situations.

Responsibility

• Statewide

  • Under the direction of the Deputy Director, Medical Services, and Health Information Management (HIM) Chief:

  • Institution Health Records staff, within the scope of their authority, are responsible for oversight, implementation, monitoring, and evaluation of this policy for current patients.

  • Health and Imaging Record Center (HIRC) staff, within the scope of their authority, are responsible for oversight, implementation, monitoring, and evaluation of this policy for paroled or discharged persons.

  • Health Records staff at institutions (for currently incarcerated persons), and HIRC staff (for paroled and discharged persons) are responsible for processing all other requests for health information.

• Regional

  • Health Care Executives are responsible for the administration of this policy at the subset of institutions within their assigned region.

• Institutional

  • The Chief Executive Officer (CEO), or designee, of each institution has the overall responsibility for implementation and ongoing oversight of this policy.

• CCHCS workforce members shall ensure compliance with this policy and federal and state privacy laws containing protections and additional restrictions for the access, use or disclosure of PHI.

Procedure

• Routine Authorization

  • Workforce members shall respond to a valid written authorization for release of PHI. CCHCS shall accept either the CDCR 7385, Authorization for Release of Protected Health Information, or an alternative form that conforms to the requirements of Section (e)(4) below.

  • For access purposes, patient representatives shall be treated in the same manner as the patient who is the subject of the health information unless there is an exception set forth in (e)(6)(B)(3) below.

• Court Orders, Administrative Order or Subpoena

  • Workforce members shall comply with all properly executed court orders, administrative orders, or subpoena in accordance with section (e)(6) and (e)(7) as follows:

    • If a court order, administrative order, or subpoena arrives at an institution through the Litigation Coordinators, it shall be transmitted to HIM for record collection.

      • Unless otherwise advised by legal counsel, CCHCS shall comply with a subpoena that is not accompanied by a court order compelling disclosure of PHI if:

        • CCHCS receives satisfactory assurances from the party seeking the PHI that the patient has received notice of the subpoena, or a good faith effort has been made to provide the patient with notice of the subpoena, in the form of a written statement and accompanying documentation demonstrating that:

          • The party requesting such information has made a good faith attempt to provide written notice to the patient (or if the patient’s location is unknown, to mail a notice to the patient’s last known address);

          • The notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the patient to raise an objection to the court or the administrative tribunal; and

          • The time for the patient to raise objections to the court or administrative tribunal has elapsed, and there were either no objections filed, or all objections filed by the patient have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution; or

        • A qualified protective order has been agreed to by the parties and issued by the jurisdictional court.

    • HIM shall consult with legal counsel regarding any court order, administrative order, or subpoena, based on enforcement of another state’s law, that is related to protected health care services that are lawful in this state, including reproductive services and gender affirming care.

    • If a court order, administrative order, or subpoena arrives at HIM, and validity of the documents is in question, HIM staff shall collaborate with legal counsel and the Health Care Litigation Support Section, as necessary, to ensure proper review, and determination of validity.

• Special Authorization

  • Specially Protected Health Information

    • Patients must specifically authorize the release of the following specially protected health information:

      • HIV Test Results. A written authorization is required for each separate disclosure.

      • DDS Service Records, which includes regional center developmental disability information and records for services provided to persons with developmental disabilities in a developmental disability center covered under Division 4.1, Division 4.5, Division 6, or Division 7, of the Welfare and Institutions Code (“DDS Services”). Records related to developmental disability services provided inside CDCR do not constitute “regional center developmental disability information.”

      • Part 2 Program Service Records, which include substance use treatment information and records relating to the identity, diagnosis, prognosis, or treatment of any patient by a federally assisted alcohol or drug treatment program regulated by the Federal Code of Regulations, Title 42, Part 2, including a Narcotic Treatment Program (“Part 2 Program Services”). Records related to alcohol and drug treatment provided by CCHCS do not constitute “substance use treatment information,” because CCHCS is not a Part 2 program.

    • The release of any specially protected health information is subject to CCHCS policy and applicable law.

  • Genetic Information for Underwriting Purposes

    • CCHCS shall not use or disclose genetic information for underwriting purposes. HIM shall consult legal counsel to discuss any authorization requests specifically related to genetic information.

  • Psychotherapy Notes

    • CCHCS providers do not create psychotherapy notes.  Further, CCHCS does not make it a practice to request, nor is it an expectation to accept psychotherapy notes when CCHCS requests mental health records from outside providers for the continuity of care of patients. HIM shall consult legal counsel to discuss any authorization requests specifically related to psychotherapy notes.

  • Mental Health Records

    • Mental health records are PHI and have the same protection afforded to other PHI. The only mental health records that have heightened protection are psychotherapy notes.

• Components of a Valid Authorization

  • Format of Authorization

    • The authorization shall:

      • Have typeface of a least 14-point font or be a handwritten document.

      • Be clearly separate from any other language present on the page.

  • Identification of Patient

    • The authorization shall include the patient’s name, CDCR number, and date of birth.

  • Identity of Disclosing Party

    • The authorization shall include the name or other specific identification of the person(s) or organization(s) authorized to disclose the PHI.

  • Identity of Recipient

    • The authorization shall include the name or other identification of the person(s), class of persons, or organization(s) authorized to receive the PHI.

  • Specific Description of Information Authorized for Release

    • The authorization shall include a specific and meaningful description to instruct HIM regarding the PHI to be disclosed.

  • Purpose of Use or Disclosure

    • The authorization shall include a description of each purpose of the requested use or disclosure, including any limitations on the use or disclosure of the PHI by the persons or entities authorized to receive the PHI.

  • Expiration

    • The authorization shall include an expiration date or event, which must be limited to one year unless the person signing it requests a longer timeframe.

  • Statement of Right to Revoke

    • The authorization shall include a statement that the patient has a right to revoke the authorization.  The statement shall also explain how revocation is accomplished, including that it shall be in writing, and tell the patient about exceptions applicable to the revocation. 

  • Signature and Date

    • For the patient, the authorization shall be signed and dated by the patient and the signature shall serve no other purpose than to execute the authorization.

    • For the agent, the authorization shall be signed and dated by the agent and shall include a description of the agent’s authority to act on behalf of the patient. A copy documenting the agent’s authority shall be attached (e.g., power of attorney, letters issued in estate proceeding, or declaration of next of kin.)

  • Authorization as a Condition

    • The authorization shall state that CCHCS cannot condition treatment of the patient on obtaining a signed authorization.

  • Redisclosure

    • The authorization shall state that if the person or organization that receives the PHI is not subject to the Health Insurance Portability and Accountability Act of 1996, then the PHI may be subject to disclosure and may no longer be protected by federal and state privacy regulations.

  • Copy

    • The authorization shall state that the person signing it has the right to receive a copy of the authorization.

• Defective Authorizations

  • An authorization is not valid, and shall not be relied upon to disclose PHI if:

    • The expiration date or event has passed.

    • Any required information is missing.

    • It has been revoked.

    • CCHCS becomes aware that information in the authorization is false.

    • The authorization violates restrictions on authorizations, such as combining the release of PHI with a patient’s consent for care.

  • If an authorization is not valid, HIM shall notify the patient of why the authorization is not valid.

  • If changes are necessary to an authorization, the requester may submit a new authorization form.

• Releasing PHI

  • Verification of Identity and Legal Authority

    • Identity

      • CCHCS shall verify the identity of any person or entity requesting disclosure if the identity is not already known.

    • Authority

      • CCHCS shall verify the authority of any person or entity requesting disclosure that is not the patient and if the authority is not already known.  Acceptable forms of documentation that give authority include:

      • Power of Attorney (shall include a provision that allows medical decision-making or release of health records).

      • Next of Kin declaration (for deceased patients only).

      • Other form of official documentation (e.g., identification of party as executor of the will, administrator of the estate or conservator).

    • The verification requirements are satisfied if CCHCS relies on the exercise of professional judgement in making a use or disclosure or acts on a good faith belief in making a disclosure.

  • Processing Request and Preparation of Records

    • Log Receipt of Request

      • Upon receipt of a valid authorization or a properly executed court order, administrative order, or subpoena, CCHCS shall log the request into the Access HIM application in the Electronic Health Record System.

    • Identify Information for Release

      • CCHCS shall retrieve the requested documents from the record, corresponding with the requestor if necessary. If the requested documents are in paper format, they shall be scanned into the health record.

      • CCHCS shall prepare only the minimum necessary amount of PHI to be released pursuant to the authorization, order, or subpoena; however, if the patient has requested the release of information, the minimum necessary standard does not apply.

      • HIM shall redact information that has not been authorized for release.

      • HIM shall include a disclosure statement when applicable.

        • The following disclosure statement must accompany a disclosure of HIV test results:

        • “This information has been disclosed to you from records whose confidentiality is protected by state law. State law prohibits you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by law. A general authorization for release of medical or other information is not sufficient for this purpose.”

        • The following disclosure statement must accompany a disclosure of substance use treatment information (services provided outside CDCR):

        • “(1) This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see §2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65; or (2) 42 CFR part 2 prohibits unauthorized disclosure of these records.”

    • Exceptions to Granting Access

      • For access purposes, patient representatives shall be treated in the same manner as the patient who is the subject of the health information unless there is a reasonable belief that:

        • The patient has been or may be subject to domestic violence, abuse, or neglect by the individual.

        • Treating such individual as the patient’s representative could endanger the individual.

        • CCHCS, in the exercise of their expert knowledge and opinion, decides it is not in the best interest of the patient to treat the individual as the patient’s representative.

      • CCHCS shall not release health information compiled in anticipation of use in a civil, criminal, or administrative action or proceeding.

      • CCHCS may deny releasing PHI obtained from someone other than a health care provider under a promise of confidentiality if the release would be reasonably likely to reveal the source of the information.

      • Review of Mental Health Records Prior to Release

        • If a request is for release of mental health records to an individual (e.g., patient, patient representative, family member), then HIM shall submit the records to the Chief of Mental Health, or their designee for review to determine whether there is a substantial risk of significant adverse or detrimental consequences to the patient or another person if the patient or patient representative reviews the records.

        • If the Chief of Mental Health, or designee, determines the records may be released, then they shall notify HIM and HIM shall release the records within 15 business days of the date of the patient’s initial request.

        • If the Chief of Mental Health, or designee, determines the records should not be released in their current form, then the following shall occur:

          • The Chief of Mental Health, or designee, shall provide HIM with the following:

            • Documentation which indicates what records shall not be released with a description of the “specific adverse or detrimental consequences to the patient” the provider anticipates would occur if review were permitted.

            • A statement to be shared with the patient that, in plain language, provides an explanation for refusing the release and information regarding the patient’s option to permit inspection by an alternative licensed mental health provider or licensed social worker, and information regarding how to file a complaint or health care grievance.

          • Upon receipt of that information, HIM shall:

            • Scan the provider’s documentation and statement into the health record.

            • Provide the patient with notification of the refusal to permit inspection of certain records, reason for the refusal (the statement prepared by the provider), information regarding the patient’s option to permit inspection by an alternative licensed mental health provider or licensed social worker, and information regarding how to file a complaint or health care grievance.

            • If the patient requests an alternative provider review their records, HIM shall log the request and provide copies of the records to the licensed mental health professional designated by the patient.

      • CCHCS may deny, in whole or in part, a patient’s request to obtain PHI, if obtaining PHI would jeopardize the health, safety, security, custody, or rehabilitation for the patient or other patients, or the safety of any officer, employee, or other person at CCHCS or responsible for the transporting of the patient.

      • CCHCS shall comply with the federal information blocking regulations as outlined in 45 CFR Part 171 and will not engage in practices that unreasonably interfere with the access, exchange, or use of electronic health information.

      • If CCHCS denies access, a written statement shall be provided by the determinant describing the basis for the denial and an explanation of the patient’s options for review of the denial, which may include completing a CDCR 602-HC Health Care Grievance.  Further, HIM shall make a written record to be included with the health records requested, noting the date of the request and the reason for refusing to permit release of the records.

  • Arrange Delivery

    • Verbal

      • CCHCS shall verbally release information to a recipient who has a valid authorization and shall document such release in the health record.

    • Written

      • HIM shall release the records along with a declaration of records and shall document such release in the health record.

  • If the records were released pursuant to a court order, administrative order, or subpoena, HIM shall scan the signed document into the health record.

• Accounting of Disclosures

  • CCHCS shall keep an accurate accounting of each disclosure as set forth in the HCDOM Section 2.2.18, Accounting of Disclosures.  The accounting shall include the name of the patient, a description of the PHI disclosed, a brief description of the reason for the disclosure (e.g., subpoena, completed CDCR 7385), the date of the disclosure, and the name, title, and address of the individual or organization to whom the disclosure was made.

• Processing Timeframes

  • If a request is valid and the information can be located, CCHCS staff shall provide the records within 15 business days.

  • If a request is valid but CCHCS does not maintain the record, CCHCS workforce members shall notify the patient within 15 business days and advise the patient of where to direct their request for access if CCHCS knows where the PHI is maintained.

  • If a request is valid but CCHCS cannot produce the records within 15 business days, CCHCS staff shall provide written notification advising the patient of a delay and the estimated date by which the records will be provided.  CCHCS has an additional 15 business days to produce the records.

  • If an authorization is not valid CCHCS staff shall notify the patient within 15 business days and provide them with the opportunity to complete a new authorization.

• Fee Schedule

  • CCHCS shall not charge a currently incarcerated person for the release of health records.

  • CCHCS may charge a fee (to parties that are not currently incarcerated persons, pursuant to section (e)(9)(A) above) to offset the costs associated with responding to requests for health records. The fee shall be consistent with applicable federal and state law and shall be based on an assessment of factors such as the current cost of equipment and supplies, labor costs, postage, and administrative overhead.

• Authorization Modification or Revocation

  • To modify or revoke an authorization, the patient shall send a written revocation to CCHCS. If CCHCS receives a written revocation, all disclosure of PHI shall stop, except as follows:

    • Any actions taken in reliance on the authorization before the receipt of the modification or revocation are not affected by the modification or revocation.

    • If a partial revocation is received, the disclosure of PHI not affected by the partial revocation shall continue.

  • Exceptions to a Written Revocation Rule.

    • CCHCS may request but cannot require a revocation for substance use treatment information (services provided outside CDCR) to be in writing.  The patient may revoke the authorization verbally or in writing.

• Documentation of all Authorizations, Modifications and Revocations
  CCHCS shall maintain any authorization, modification, or revocation applied to authorizations for a minimum of six years from the date of request.

Policy

• California Correctional Health Care Services (CCHCS) health care and administrative programs that exchange data shall ensure Protected Health Information (PHI) transmitted through the Health Information Exchange (HIE) is in compliance with applicable federal and state privacy and information security laws and regulations and CCHCS Information Technology (IT) policies. Data/information shall be conveyed via an encrypted enterprise standard transfer mechanism.

Purpose

• To ensure patient confidentiality and privacy protection during the exchange of health-related documentation via the designated portal, and to ensure disclosure of PHI is documented pursuant to Code of Federal Regulations, Section 164.528, Right to Accounting Disclosures of PHI.

Responsibility

• Under the direction of the Chief Privacy Officer, or designee, the Privacy Office (PO) is responsible for the monitoring and evaluation of this policy.

• Health care and administrative programs and institutional Hiring Authorities, or designees, are responsible for the implementation of this policy.

Procedure Overview

• HIE is used by providers to securely transmit patient health information directly to external health care professionals. This information is transmitted via the internet in an encrypted and secure method amongst health care professionals with a trusted relationship. This form of information exchange enables coordinated care, benefitting both providers and patients.

• When HIE is initially requested on behalf of CCHCS, another state agency or entity, or a contracted organization, the health care and administrative programs shall notify the PO, IT, Health Information Management (HIM), and other relevant headquarters administrative programs such as Direct Care Contracts Services (DCCS), Acquisitions Management Services (AMS), and Health Care Invoicing Section (HIS).

• After an agreed-upon HIE is implemented, health care or administrative programs shall notify the PO, DCCS, IT, HIS, and HIM, and the contract managers for contracts executed by AMS, when HIE begins, to ensure tracking or logging of all HIE events.

• CCHCS utilizes the following measures and processes to disclose PHI for HIE purposes.

  • When contracted with an organization to exchange PHI via HIE, CCHCS shall enter into a contract with the organization with which it intends to exchange information. The agreement shall address the minimum requirements of a valid Business Associate Agreement (BAA) or comparable Data Sharing Agreement (DSA) to fulfill all of the requirements and obligations of a Business Associate regarding the privacy, security, and administrative activities relating to health information pursuant to the Health Care Department Operations Manual (HCDOM) Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information.

  • The agreement shall ensure that the organization safeguards electronic health information created, received, maintained, or transmitted to or by the organization on behalf of CCHCS, and that the documents address the same safeguards and protections for electronic health information as for any other health information shared.

  • A valid contract or other agreement shall be agreed upon and implemented between CCHCS and organizations prior to using, disclosing, moving, or storing PHI for HIE purposes.

  • When CCHCS and the organization are both government entities, CCHCS may fulfill the agreement requirement with a Memorandum of Understanding that contains terms that accomplish the objectives of a BAA.

Procedure

• Health care and administrative programs within CCHCS, including, but not limited to, contracting units, involved in data transfer of PHI for treatment, payment, research, or continuity of care for oversight, compliance, or litigation purposes, shall report all HIE activities to the Chief Privacy Officer. The PO shall provide a current list of HIE contracted entities to oversight agencies upon request.

• BAA or DSA shall be executed prior to the exchange of health information.

• Health care administrative programs shall coordinate communication between the contracted organization and IT to begin the process of HIE.

• IT staff shall coordinate with health care, administrative programs, or other entities that request HIE when new HIE is initiated under existing or newly negotiated contracts, or DSAs. IT staff shall generate a report of all contracted entities CCHCS engages in HIE and provide the report to the PO on a quarterly basis, at minimum, and as needed.

• Health care and administrative programs shall report changes to the contract list to the PO quarterly.

• Health care and administrative programs shall notify the PO when CCHCS engages in HIE with different types of entities pursuant to the Statewide Health Information Policy Manual Section 2.2.17.

• Health care and administrative programs engaging in HIE shall verify with IT that a BAA or DSA is on file for each entity CCHCS engages in HIE.

• The PO shall maintain a current list of all contracted entities CCHCS engages in HIE and generate a current list based on contracting unit updates upon request.

• Requirements for HIE

  • Under direction of executive leadership, directors, or their designees, staff in each health care and administrative program shall contact the contracted organization to execute all necessary controls prior to initiating HIE.

• Downtime

  • The paper process to exchange the documentation shall be followed pursuant to the HCDOM, Section 2.3.13, Health Record Application/System Downtime Contingency Plan.

• Facsimile Correspondence

  • Cover Sheet

    • Attach the cover sheet to all facsimile correspondence as the first page.

    • Include the following two statements on the cover sheet:

      • “Transmittal is Confidential.”

      • “If the information transmitted is received by someone other than the intended individual, the sender shall be immediately notified.”

  • Transmittal and Post Transmittal Verification

    • When documents are sent by facsimile, the responsible CCHCS staff shall:

      • Phone the recipient to verify the recipient’s name and facsimile number along with patient name and CDCR number and inform him/her of the imminent transmission.

      • Ask that the recipient stay near the facsimile machine to intercept the documents.

      • Obtain verification of receipt of health care information by reviewing the confirmation print-out from the facsimile machine.

      • Contact the recipient to verify that all documents were received and document the verification task. If the recipient confirms that the record is incomplete, then the documents should be resent to the recipient. Once the documents are successfully confirmed to be received by the recipient, the facsimile log will reflect all attempts to provide the documents via facsimile.

  • Facsimile Log

    • Record all facsimile transmissions into the Facsimile Log and include:

      • The name, address, and telephone number of the sending and/or receiving entities.

      • The name of the patient and CDCR number.

      • The number of pages sent and/or received.

      • The date of transmittal.

      • The date Recipient verified receipt of the documents.

  • Misdirected facsimile tracking

    • In a document has been determined to be sent to the incorrect party the following steps must be taken:

      • Verify the information with the internal log (i.e., facsimile number, recipient name).

      • Contact the recipient via telephone or facsimile to explain the misdirection.

      • Request the destruction or return of all documents sent via facsimile in error.

      • Record the response on the facsimile cover letter and in the Facsimile Log.

      • Follow the CCHCS Health Care Department Operations Manual, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure all health related patient documents are located in the health record. The health record shall be organized systematically to facilitate data retrieval and compilation, and information shall be arranged in an easily accessible format and order.

Purpose

• To ensure all patient health related information is contained in the health record.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all health care documentation is accurately included in the health record following patient encounters/treatment. The health record shall be organized systematically in order to facilitate data retrieval and compilation. HIM staff shall reference the Organization List when including documents in the appropriate sections of the health record. The Organization List shall be used as a reference tool for training and ongoing maintenance of patient health record documentation.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, the Medical Records Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this procedure through consultation.

• The CEO, or designee, HRT III, and HRT II are responsible for ensuring that applicable patient health related information is contained in the health record.

• HIM supervisors are responsible for ensuring all staff are trained on current policies and procedures related to the organization and placement of documents in the health record.

Procedure

• Chart Organization

  • HIM staff organize documents according to document type and then by encounter/treatment date.

  • Patient identification:

    • Verify the Protected Health Information is referencing the correct patient California Department of Corrections and Rehabilitation (CDCR) number.

    • Verify the CDCR number is on all of the documents.

    • Validate the CDCR number is the same in the health record.

  • Proper placement of documentation in the health record viewer:

    • Refer to the Organization List (on the CCHCS Intranet) for correct placement of all approved health care forms/documents in the health record.

• Unidentifiable Information

  • HIM staff verify patient identifiers such as name, date of birth, and CDCR number in the CDCR California Incarcerated Records and Information Search and/or Strategic Offender Management System.  If unable to verify the patient identifiers, notify the HIM Supervisor immediately.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure all paper documents received are scanned in a timely manner and readily accessible in the health record for viewing to support continuity of care.

Purpose

• To ensure availability of patient health information.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all staff are informed of and follow established rules and guidelines for scanning patient health information.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this procedure.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• HIM staff shall scan Day Forward Documents received within 24 hours of receipt.

• HIM staff shall scan urgent/emergent documents immediately upon receipt.

• Specialty Reports shall be scanned into the chart within five calendar days from the date of the patient encounter.

• Hospital records (outside facility) shall be scanned into the chart within three calendar days from the date the patient is discharged.

• HIM staff shall combine multiple documents into a single PDF.

• HIM shall index and perform quality checks prior to uploading the document(s) into the health record.

• HRC staff is responsible for scanning archive documents that are housed at the HRC.

Policy

• California Correctional Health Care Services (CCHCS) shall ensure all health record documentation meets federal and state legal, regulatory, and accreditation requirements.  Health Information Management (HIM) and Health Records shall implement systems and processes for quality control and analysis; documents must be complete in order to provide the information necessary for timely continuity of care and patient safety.

Purpose

• To ensure HIM staff adheres to federal and state legal, regulatory, and accreditation requirements.  These requirements shall encompass systems that will allow for analytical and statistical retrieval of data.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Records Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Records Technician III (HRT III), and Health Records Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• To ensure HIM staff adhere to state and federal legal, regulatory, and accreditation requirements.  These requirements must encompass systems that will allow for analytical and statistical retrieval of data.

Procedure Responsibility

• The CEO, or designee, HRT III, and HRT II Supervisor are responsible for ensuring the health record is analyzed for accuracy and completion and is readily accessible for patient care.  They are also responsible for ensuring health care documents are in the health record timely.

• Under the direction of the Deputy Director, Medical Services, the Medical Record Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this procedure through consultation.

Procedure

• HIM staff shall analyze documents in the health record to ensure compliance with the following general documentation guidelines:

  • An individual health record shall be established for every patient who receives care.

  • Content and format of the health record shall be uniform and use only approved California Department of Corrections and Rehabilitation (CDCR) forms.

  • For patient safety reasons, abbreviations, acronyms, and symbols shall be used only when their meanings are understood and they are on the CCHCS approved list of abbreviations and symbols.

  • All entries shall be legible.

  • The patient’s name and CDCR number shall appear on every individual paper document that contains Protected Health Information (PHI).  The patient demographic information shall appear on every screen in the health record.

  • Documentation shall be clear, concise, objective, reflect factual information, and be written using specific language.  Avoid using vague or generalized language. Remarks critical to the care or services provided by others shall not be included in the health record.

  • Clinicians shall indicate that they have reviewed diagnostic reports by initialing and dating each report.  A plan of care that addresses any abnormal test results shall be documented in the health record.

  • All verbal consents for health care procedures shall be documented, and the originals of signed consent forms shall be placed/scanned in the health record.

  • All health record entries must be authenticated and include the date (month, day, and year), time, and signature or initials and credentials of the author.

  • All patient encounters shall be documented in the health record including all patient education and validation that effective communication was provided and appropriately documented.

  • In addition to the handwritten signature, the clinician may use a personal rubber stamp which contains the clinician’s name and title for increased legibility.

• Any author documenting in the health record shall be responsible for the completeness and accuracy of their entries.

• All clinical documentation errors shall be corrected by the clinician in compliance with federal and state statutes and regulations.

• All amended documents shall be scanned into the health record.

  • Request for amendments are received by the HIM Department.

  • HIM staff shall:

    • Log each request into the Patient Access Log.

    • Review the request for the type of changes requested.

    • Conduct a preliminary review of the health record.  Compare the original entry with the requested changes.

  • If informational content changes are requested:

    • Forward the request to the Chief Medical Executive (CME) or Chief of Mental Health as appropriate for review and action.

    • The CME or Chief of Mental Health and the treating clinician shall confer and review the amendment request.

    • If request for amendment is approved, clinicians shall follow Section (f)(4)(D) below.

    • If request for amendment is not approved, clinicians shall follow Section (f)(4)(E) below.

    • HIM staff shall scan all patient requests for amendment into the Medico-Legal section of the health record upon receipt from the clinician.

  • To process amendment requests:

    • The original entry shall not be obliterated or deleted.

    • Enter the amended information into the health record.

    • Make a notation at the point of the original entry, in the margin or by attaching a note to the entry, that an amendment notice has been made and reference the amended information.

    • Record the reason for the amendment or refer to the patient’s written request.

    • Document the statement of facts.

    • Date and time the amendment using the 24-hour clock.

    • Sign the amendment with full name and title.

    • Identify the location of any secondary records that substantiate the amendment.

  • Respond in writing to the patient if the request is denied:

    • Indicate action taken, e.g., “amendment notice filed this date.”

    • Attach a copy of the response to the written request and forward to HIM to incorporate into the patient’s health record.

  • Include any amendments or requests for amendments in all subsequent releases of health information requests.

• An addendum is another type of late entry that is used to provide additional information in conjunction with a previous entry.  With this type of correction, a previous note has been made and the addendum provides additional information to address a specific situation or incident.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure patient health information is stored and maintained in a secured environment.

Purpose

• To ensure all health record documents are stored in a safe and secure environment from which patient health information can be easily retrievable, available, accessible, and viewable to clinicians.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all health record documents are stored in a safe and secure environment. Patient health information shall be easily retrievable, accessible, and viewable electronically by clinicians.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this procedure.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• Health Record Document Storage and Retrieval

  • Document Storage

    • HIM staff shall package and ship documents to a designated archive location.

    • All Day Forward scanned documents shall be sent to the HRC for storage.

  • Document Retrieval

    • All scanned documents archived at the HRC shall be stored in an easily retrievable manner.

• Paper Health Record Storage and Retrieval

  • All paper based health records shall be maintained and stored at the HRC.

  • Documents indexed in the paper health records shall be easily retrievable upon request.

• Inpatient Paper Health Records

  • The paper health records for inpatient admissions shall be stored in the local HIM Department at the institution where the admissions occurred.

  • The local HIM Department shall be responsible for the maintenance and retrieval of the complete original inpatient chart.

Policy

• California Correctional Health Care Services Health Information Management (HIM) shall ensure the Error Process is utilized to help mitigate and correct scanned documents that may have been misfiled or have other documentation errors in the health record.

Purpose

• To ensure the health record is accurate.

Applicability

• This policy applies to HIM and Exception Processing Team (EPT) staff who are responsible for correcting scanned patient health documentation.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Records Center staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer, or designee, Health Records Technician III, and Health Records Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure staff is knowledgeable of the EPT process. The Exception Types include:

• Document belongs to a different California Department of Corrections and Rehabilitation number.

• Document is filed in the wrong Tab.

• Document is filed in the wrong Sub Tab.

• Wrong Document Type.

• Wrong Encounter Date.

• Other.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, and the Chief of HIM, the EPT is responsible for making all necessary corrections to the health record.

Procedure

• The EPT process is utilized when the health record user discovers an error in scanning (i.e., the document is scanned to the wrong Tab or Sub Tab or the document is placed in the wrong health record) at which time the user shall file/send an exception report to the EPT.

• All reported exceptions shall be reviewed and processed by the EPT.

Policy

• California Correctional Health Care Services Health Information Management (HIM) shall ensure retention for health records, both paper-based and electronic format, are in accordance with federal, state, and local regulations.  Paper-based and electronic health records are retained for ten years after discharge from the California Department of Corrections and Rehabilitation.

Purpose

• To ensure HIM staff adhere to the recommended retention period for paper-based and electronic health records.

Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer, or designee, Health Record Technician III, and Health Record Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• HRC and Institution Health Records staff are responsible for destroying or arranging for the destruction of paper-based health records.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall:

• Ensure federal and state privacy protections continue to apply to a patient’s health information even after death. These protections also require institutions to release health records to those people either appointed by the patient or who are deemed a personal representative by state law. 

• Allow authorized users to place a health record on Administrative Hold which prohibits the scanning of additional documents without authorization.

• Remove Administrative Holds under certain circumstances such as adding documents to the health record.

Purpose

• To ensure the health record is protected after death.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall determine the appropriate release of a deceased patient’s Protected Health Information (PHI) documents.  Federal and state privacy protections continue to apply to a patient’s PHI even after the patient’s death.  These protections also require facilities to release health records to those people either appointed by the patient or who are deemed a personal representative by state law.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• Placing an Administrative Hold

  • In the event that a health record needs to be placed on Administrative Hold, the application shall be utilized to allow a Supervisor or authorized user to do so.

• Removing an Administrative Hold

  • An Administrative Hold can be removed under certain circumstances such as adding documents to the health record.

  • A supervisor or an authorized user may remove an Administrative Hold.

• Scanning Additional Documents During an Administrative Hold

  • When additional documents need to be scanned and the health record is on Administrative Hold:

  • An HRT II supervisor or a Health Record Technician I (HRT I) who has been designated as the supervisor backup shall remove the Administrative Hold temporarily.

  • HIM staff shall scan the documents.

  • Once the documents are scanned, the chart shall be put back on Administrative Hold.

• Replacing an Administrative Hold

  • When replacing an Administrative Hold, the health record must remain locked indefinitely.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure that the documentation of patient care continues in the event of application or system downtime.

Purpose

• To ensure continuity of care and documentation continuity for all patients in the event the Electronic Health Record System (EHRS) is not available.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall maintain a Health Record Application/System Downtime Contingency Plan (Plan) to ensure continuity of care and documentation for all patients in the event the EHRS is not available during scheduled and non-scheduled downtimes.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring and evaluation of this procedure.

• The CEO, or designee, has overall responsibility for local implementation of the Plan and shall ensure that a Local Operating Procedure is established to provide site-specific direction.

• The Health Program Manager III (HPM III) at the HRC has overall responsibility for local implementation of the Plan and shall ensure that a Local Operating Procedure is established to provide site-specific direction.

Procedure

• Plan maintenance and implementation

  • The headquarters HIM Program shall maintain the Plan which shall be reviewed and updated at least annually to reflect current practices and enhancements to EHRS.

  • Institution health care and HRC staff shall activate downtime procedures as directed in the Plan.

• The Plan can be accessed electronically via Lifeline at the following link: EHRS Interdisciplinary Downtime Procedures.pdf (sharepoint.com).  The institution HRT II, Supervisor, shall ensure that a printed copy is available to all staff within the institution and inform staff where the printed copies are stored. The Plan shall include, but is not limited to:

  • Types of downtime.

  • Roles and responsibilities.

  • Incident Commander.

  • Communication process during downtime.

  • Downtime viewer, forms, and supporting materials.

  • Recovery phase including scanning procedures.

  • Downtime companion documents specific to:

    • Dental.

    • Dietary Services.

    • Health Information Management.

    • Laboratory.

    • Medical Providers.

    • Mental Health.

    • Nursing.

    • Pharmacy.

    • Radiology.

    • Registration Services.

    • Medical Scheduling.

• Training

  • All institution health care and HRC staff shall be trained in downtime procedures and updates.  A system for orientation shall be maintained by the HPM III at the HRC and the HRT II at the institutions.

Policy

• The California Department of Corrections and Rehabilitation (CDCR) and California Correctional Health Care Services (CCHCS) shall maintain a statewide Patient Health Care Inquiries (PHCI) process to communicate with patients under CDCR jurisdiction and individuals authorized to receive information regarding a patient’s health care.

• For PHCI regarding urgent changes in a patient’s health care condition or status, the department shall maintain a PHCI phone line at each institution for authorized individuals to call.

• For non-urgent PHCI, authorized individuals shall submit their patient-specific health care concerns, via email or by mail to the Health Care Correspondence and Appeals Branch (HCCAB) at CCHCS headquarters (HQ).

Purpose

• To maintain processes for authorized individuals and patients under CDCR jurisdiction to inquire and receive timely responses to PHCI.

Responsibility

• The Deputy Director (DD), Policy and Risk Management Services (PRMS), and the Chief, HCCAB, are responsible for the oversight and evaluation of the statewide PHCI policy and procedure.

• The Chief Executive Officer (CEO), or designee, shall ensure compliance with this policy and the PHCI Operating Standards.

• At the direction of the CEO, the clinical chief of designated health care discipline (Chief Medical Executive, Chief of Mental Health, or Supervising Dentist), or clinician designee, is responsible for releasing verbal health care information via the PHCI line at their institution.

• The Chief, HCCAB, is responsible for tracking and reporting PHCI to the Regional Health Care Executives monthly.

Release Of Information and Health Records Requests

• The PHCI process is not the correct venue to submit an Authorization for Release of Protected Health Information form or to request patient health care records pursuant to the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 3, Section 2.3.4, Release of Information policy.

Procedure

• PHCI Timeframes

  • Institutions shall:

    • Retrieve messages from their PHCI line at least once on each business day.

    • Commence processing PHCI on the date received.

    • Make every effort to verbally respond within the following timeframes:

      • Urgent change in the patient’s health care condition or status within five business days.

      • Patient death, serious injury or serious illness, including incidents of serious injury due to self-harm, suicide attempts or accidents within one business day.

      • Non-urgent PHCI regarding patient-specific health care or treatment concerns shall not receive a response. Pursuant to the PHCI Operating Standards and (e)(2)(A) below, outgoing messages shall instruct these callers to contact HCCAB.

  • HCCAB shall:

    • Commence processing written PHCI on the date received.

    • Make every effort to provide a written response for PHCI within 45 business days.

• Institution PHCI Outgoing Message

  • The institution CEO or designee shall follow established PHCI Operating Standards for the recorded outgoing message on the PHCI line.

• Review and Response to PHCI Line

  • The institution CEO or designee shall follow established PHCI Operating Standards to ensure the PHCI is:

    • Retrieved and received date are documented.

    • Reviewed for urgent concerns.

    • Responded to if a valid release of information (ROI) is on file for the caller.  Health care information shall only be released to authorized individuals.

      • If there is no valid ROI on file for the requester, the CEO, or designee, shall notify the caller of Release of Information processes pursuant to Local Operating Procedures and the HCDOM, Section 2.3.4 Release of Information.

      • PHCI containing threatening, obscene, demeaning, or abusive language, shall not receive a response.

      • No response will be provided to PHCI for patients who have paroled or discharged from CDCR.

    • Documented in the health record including the verbal discussion regarding the PHCI.

      • Health care staff shall not disclose any information regarding visiting or patient location.

      • Three attempts shall be made to reach the caller and all attempts shall be documented.  If after three attempts no contact is made, the PHCI is considered closed.

  • HCCAB shall ensure written PHCI is:

    • Triaged within one business day of receipt at a level no less than a Registered Nurse, utilizing clinical expertise within their licensure to determine if the PHCI contains an urgent or health care issue requiring clinical intervention.

      • Urgent medical, mental health, and dental clinical needs shall be immediately referred to a clinician for evaluation consistent with HCDOM Section 3.1.5, Scheduling and Access to Care.

      • Urgent issues that cannot be immediately resolved or require follow-up shall be referred to executive health care staff for review or action.

    • Confirmed to have a valid ROI on file for the requester. Health care information shall only be released to authorized individuals.

    • Responded to when the PHCI includes the requestor’s name, address, patient’s full name, CDCR identification number, date of birth, and a brief description of the patient-specific health care or treatment concern.

      • Written PHCI from patients under CDCR jurisdiction submitted to HCCAB shall be limited to issues that cannot be addressed through the Health Care Grievance Process.

      • No response will be provided to PHCI for patient who have paroled or discharged from CDCR.

      • PHCI containing threatening, obscene, demeaning, or abusive language, shall not receive a response.

Policy

• The California Correctional Health Care Services (CCHCS) shall provide guidance to patients regarding requests for changes, corrections, or amendments to documentation contained within their health records.

Responsibility

• Statewide

  • The Deputy Director, Dental Services; Deputy Director, Medical Services; Deputy Director, Nursing Services; and Deputy Director, Statewide Mental Health Program are responsible for the oversight, implementation, and evaluation of this policy.

  • The Chief, Health Information Management (HIM), is responsible for the monitoring and evaluation of this policy and shall establish and maintain procedures to carry out the requirements herein.

• Regional

  • Regional Health Care leadership is responsible for oversight and implementation of this policy at the subset of institutions within an assigned region.

• Institutional

  • Health care leadership is responsible for the implementation, monitoring, and evaluation of this policy and shall establish and maintain local operating procedures to carry out the requirements herein.

Procedure

• Request for Change, Correction, or Amendment

  • A patient or patient’s representative may request any portion of the patient’s health record to be changed, corrected, or amended. 

  • The request for amendment must be in writing, utilizing the CDCR 7236, Request to Amend Health Records.

  • The request for amendment must be submitted to HIM at the patient’s institution. In the case of supervised persons, the request must be sent to Health Records Imaging Center.

    • Upon receipt of the request for amendment HIM staff shall review the request for the type of changes requested.

      • If the request is incomplete or does not clearly identify the record that the patient or patient’s representative requests to be amended, the request shall be returned to be clarified.

      • If a request is returned to the submitter for clarification, HIM staff shall include a description of what information is needed to clarify the request.

    • The content of a complete request shall include:

      • What information is being requested to amend (i.e., encounter date, provider, etc.).

      • The reason for the request to amend. 

      • Only one record amendment request per form.

      • No more than 250 words amending or to be added to the identified record.

    • HIM shall forward the CDCR 7236 to the appropriate institution discipline leadership (e.g., Chief Medical Executive, Chief Nurse Executive, Chief of Mental Health, Chief Psychiatrist, or Supervising Dentist), or designees, where the patient’s record was created, for assignment to the author of the document. If the CDCR 7236 is received from a patient representative, the envelope containing the patient representative’s address shall also be provided to the appropriate discipline.

      • If the author of the document is an unlicensed professional, working under the supervision of a licensed clinician, the licensed clinician shall review and respond to the amendment request.

      • In the event that the author of the document is unavailable, and will not be available within a reasonable timeframe to respond to this request, the appropriate institution discipline leadership, or designee shall review and respond to the amendment request.

      • In instances where the author of the document has relocated to another institution or within CCHCS Headquarters, the request shall be forwarded to the author by HIM to the appropriate location.

  • HIM staff shall maintain a master log to record all patient requests for amended records.

• Decisions

  • The author of the document, or designated reviewer as described in Section (c)(1)(C)3, shall respond to the request for amendment within 30 days using the CDCR 7236 with either of the following:

    • The amendment request is approved and the patient’s health record has been amended.

      • A copy of the patient’s amended health records shall be included with the response.

    • The amendment request is denied in whole or in part.

      • The response shall be written in plain language and at a minimum must address the following:

        • The reasons for the denial.

        • A description of how the patient may submit a written statement of disagreement as described on the CDCR 7236.

        • A description of how the patient may file a complaint with the Department or to the Secretary of the U.S. Department of Health and Human Services (HHS). The description must include the name or title and telephone number of the contact person for the complaint as described on the CDCR 7236.

      • In instances where the amendment is denied in part, the author of the document, or designated reviewer, shall also:

        • Indicate which portion of the request was amended and which portion of the request was denied.

        • Provide a copy of the patient’s partially amended health records.

    • The Department shall have an additional 30 days to review and respond, for a maximum of 60 days, to amendment requests.

  • If the request is approved, the author of the document shall:

    • Not redact or delete the original entry.

    • Enter the amended information into the health record.

    • Make a notation at the point of original entry that an amendment notice has been made and reference the amended information.

    • Note in the health record the reason for the amendment or refer to the patient’s CDCR 7236.

    • Document the statement of facts.

    • Date and time the amendment using the 24-hour clock.

    • Sign the amendment with full name and title.

    • Identify the location of any secondary records that substantiate the amendment.

  • A request for amendment may be denied if it is determined that the health information or health record that is the subject of the request:

    • Was not created by CCHCS, unless the patient explains that the originator of the health information is no longer available and the unavailability can be verified;

    • Would not be available for inspection; or

    • Is accurate and complete.

  • Once the response is received by HIM from the author of the document or designated reviewer, HIM staff shall scan the CDCR 7236 and response into the health record.

    • The CDCR 7236 shall be returned to the patient or patient’s representative with the response and amended health records, if applicable.

  • When a correction is made, reasonable efforts shall be made to provide the amended information to business associates and others who are known to have the patient health information that was amended.

    • HIM staff shall notify the persons entitled to receive the amended information, as identified by the patient or patient’s representative on the original amendment request. If the patient or patient’s legal representative is unsure who is entitled to receive the amended information, staff shall work with the patient or patient’s representative to ensure that all parties are appropriately identified in accordance with the HCDOM, Section 2.3.4, Release of Information.

    • HIM staff shall identify other persons, including business associates, that are known to have the patient’s health information and that may have or may rely on it.

  • If the patient requests a disclosure after the amended record is approved, the patient shall execute a new CDCR 7385.

• Statement of Disagreement

  • The patient or patient’s representative may file a statement of disagreement, if they do not agree with the denial or partial approval of their request.

    • The statement of disagreement shall be submitted to the institution’s HIM.

  • If the patient or patient’s representative does not submit a statement of disagreement, they may request that the CDCR 7236 and the denial is provided with any future disclosures.

  • The patient or patient’s representative may file a complaint with the Secretary of the U.S. Department of HHS.

• Rebuttals to the Statement of Disagreement

  • CCHCS shall prepare a written rebuttal to the patient or patient’s representative to the statement of disagreement and is responsible for providing a copy to them.

  • The person that responds to the statement of disagreement shall not be the author of the original document and must be at a classification not less than that of the institutional clinical leadership of the designated discipline.

• Inclusion in Health Record

  • All documentation related to the CDCR 7236 shall be appended (or otherwise linked) to the health information that is the subject of the disputed amendment and shall be retained for ten years in accordance with the HCDOM, Section 2.3.11, Retention and Destruction.

    • This includes all correspondence and statements of disagreement related to the patient’s or patient representative’s requests for amendment and relating to denial or acceptance of requests to amend.

    • If the health record has been amended, the amendment shall be appended to the original documentation, as described in Section (c)(2)(B).

  • All documents shall be accessible and available to appropriate staff within the health record.

  • All documentation related to the request for addendum including amended records, statement of disagreement, and the written rebuttal shall be retained and distributed with the health record for as long as the records are maintained.

Policy

• California Correctional Health Care Services (CCHCS) shall disclose information to Public Health Authorities, without a patient’s authorization, when required by law.  CCHCS may disclose Protected Health Information PHI for public health activities, without the patient’s authorization, when the reason for the disclosure is related to the purpose for which the PHI was collected and under the circumstances outlined below.

Purpose

• To define the parameters for releasing PHI for public health activities.

Responsibility

• Statewide

  • Under the direction of the Deputy Director, Medical Services, and Health Information Management Chief:

    • Institution Health Records staff within the scope of their authority are responsible for oversight, implementation, monitoring, and evaluation of this policy for patients.

    • Health and Imaging Record Center staff within the scope of their authority are responsible for oversight, implementation, monitoring, and evaluation of this policy for paroled or discharged persons.

• Regional

  • Health Care Executives are responsible for the administration of this policy at the subset of institutions within their assigned region.

• Institutional

  • The Chief Executive Officer, or designee, of each institution has the overall responsibility for implementation and ongoing oversight of this policy.

Procedure

• CCHCS may disclose PHI to Public Health Authorities who are legally authorized to receive such reports to prevent or control disease, injury, or disability pursuant to the Health Care Department Operations Manual Section 3.8.1, Public Health Disease Reporting, or state law.  This includes but is not limited to the following:

  • The reporting of a disease or injury.

  • Conducting public health surveillance, investigations, or interventions.

• PHI may be disclosed as needed to notify a person that they have been exposed to a communicable disease or are at risk of contracting or spreading a disease or condition, if CCHCS is legally authorized to do so to prevent or control the spread of the disease.

• Verification of identity

  • CCHCS shall verify Public Health Authorities’ status and identity prior to releasing PHI.

• Minimum Necessary

  • CCHCS is responsible for reasonably limiting the PHI disclosed for public health purposes to the Minimum Necessary to accomplish the intended purpose.

• Accounting of Disclosures

  • CCHCS shall document, track, and maintain information concerning disclosures of PHI. This tracking shall document what, when, why, and to whom disclosures are made.

Policy

• California Correctional Health Care Services (CCHCS) shall promote the utilization of advance directives to determine patients’ health care preferences, including, but not limited to, treatment decisions regarding medications, surgeries, and life support treatments; however, patients are not required to complete an advance directive.

• The California Department of Corrections and Rehabilitation (CDCR) 7421, Advance Directive for Health Care, shall be utilized by staff whenever possible and especially when the patient is diagnosed with a serious medical condition or is admitted to a Correctional Treatment Center, Outpatient Housing Unit, Skilled Nursing Facility, hospice, or outside medical facility.

Purpose

• To define the process for incarcerated persons to complete an advance directive including identification of a power of attorney for health care and provision of instructions for future health care.

Responsibility

• Statewide

  • CCHCS and CDCR departmental leadership, at all levels of the organization, shall ensure administrative, custodial, and clinical systems are in place and appropriate resources are available so that care teams can successfully implement the advance directive policy.

• Regional

  • Regional Health Care Executives are responsible for adherence to this procedure at the subset of institutions within an assigned region.

• Institutional

  • The Chief Executive Officer, or designee, is responsible for the implementation, monitoring, and evaluation of this policy and procedure.

Procedure Overview

• CCHCS shall encourage all patients with health care decision-making capacity to complete an advance directive.  Completion of a CDCR 7421 is the preferred method for patients to communicate their wishes; however, other documentation, if able to be validated, provided by patients or their agent, also known as legally recognized decision-maker, shall be honored.

• A health care provider or institution may decline to comply with the preferences of the patient or the patient’s agent or legally recognized decision-maker for reasons of conscience or if the requested health care would be medically ineffective or contrary to generally accepted health care standards. In such cases, barring the need for emergent care, the primary care provider (PCP) shall discuss the case with institution and regional medical leadership and when appropriate present the case to the CCHCS Care Team Enhanced Conference for review and consultation.

Procedure

• Communication of Advance Directive Information to Patients

  • The CDCR 7421 shall be available to patients through the following:

    • The “Patient Orientation to Health Care Services Handbook” which includes information about advance directives.

    • The CDCR 7421 with the Patient Fact Sheet and Instructions which is included in the informational packet given to patients in Reception Centers.

  • Health care staff have professional obligations to discuss end-of-life decision-making and the goals of care with patients at clinically appropriate times. During these encounters, health care staff shall educate patients about their right to name an agent or legally recognized decision-maker and to specify their end-of-life preferences.

  • It is optional for a patient to complete a CDCR 7421.

  • Primary Care Team members shall document any discussion of advance directives with a patient in the Electronic Health Record System (EHRS). If a patient completes an advance directive, the PCP shall document the patient encounter and discuss the decisions that the patient is making regarding their future physical and mental health care. Health care providers shall determine and document effective communication when there is an exchange of health care information in accordance with the Health Care Department Operations Manual, Section 2.1.2, Effective Communication Documentation.

  • Advance directives and the goals of care (including progress notes, and Do Not Resuscitate orders, if applicable) shall be reviewed as a patient’s clinical situation changes.

• Initiation of Written Advance Directives

  • Patients shall be given an opportunity to complete or revise the CDCR 7421 at reception, annually, upon request, and upon admission to a CDCR health care setting including Correctional Treatment Center, Outpatient Housing Unit, Skilled Nursing Facility, or hospice or within 24 hours of being admitted to the hospital for a serious or critical medical condition.

  • Patients shall be given an opportunity to complete a CDCR 7421 when seen in a primary care clinic setting.

• Guidance for Completing CDCR 7421, Advance Directive for Health Care

  • Please note that parts one through three are optional and all are not required for a valid advance directive.

  • Part 1: Power of Attorney for Health Care

    • The patient may choose to appoint someone to make medical decisions for them if they become unable to make those decisions.

    • The agent or legally recognized decision-maker is not authorized to consent on behalf of the patient to any of the following:

      • Abortion.

      • Sterilization.

      • Psychosurgery.

      • Electroconvulsive treatment.

      • Commitment to or placement in a mental health treatment facility.

    • An agent’s refusal of recommended treatment may still be overridden by a court order, such as Penal Code 2602.

    • The agent or legally recognized decision-maker is directed to make all health care decisions for the patient in accordance with any instructions they have indicated in the advance directive or in any way made known to the agent or legally recognized decision-maker.  If the patient’s wishes are not known, the agent or legally recognized decision-maker is directed to make health care decisions in accordance with what the agent or legally recognized decision-maker determines to be in the best interest of the patient.  In determining the best interest of the patient, the agent or legally recognized decision-maker shall consider the personal values of the patient. If a decision-maker does not appear to be acting in the patient’s best interest, refer to Probate Code 4734-4736.

    • The agent’s authority is effective only when it has been determined and documented by the CME, or designee, that the patient lacks health care decision-making capacity and ends if determination is made that the patient has regained health care decision-making capacity, unless otherwise indicated in a power of attorney for health care.

  • Part 2: Instructions for Health Care

    • This section provides an opportunity for the patient to give instructions for future health care.  The patient may provide specific health care instructions using additional sheets if necessary.

    • An advance directive shall only be applicable if a patient is unable to communicate their preferences at the time of treatment, unless otherwise indicated by the patient.

  • Part 3: Donation of Organs at Death

    • A patient may choose to donate organs or other tissues. If a patient chooses to donate, they may specify that it can be any organ, tissue, or part or may specify only certain organs, tissues, or parts.

    • If a patient chooses to donate, they can decide if the donated organs, tissues, or parts may be used for transplant, therapy, research, or education.

  • Part 4: Patient Signature and Witnesses

    • The patient’s signature is required, along with the date the CDCR 7421 was completed.  If the patient is physically unable to sign the CDCR 7421, another adult may sign for them at the patient’s direction.

    • The advance directive can be witnessed in one of two ways:

      • Two witnesses may sign the document; or

      • A Notary Public may notarize the document.  As there is limited availability of notary services within the institutions, CCHCS approves the use of two witnesses to facilitate patients completing advance directives.

    • Witnesses within a CDCR institution:

      • A CCHCS health care employee may serve as a witness to the patient’s signature if they are not currently directly involved in the patient’s health care (e.g., a Licensed Vocational Nurse working as a medication nurse in another unit, building or yard or a physical therapist who visits the unit but is not treating the patient who is completing the form).

      • A CDCR or CCHCS administrative employee including, but not limited to, an Office Assistant, Office Technician, Health Program Specialist, or Health Records Technician.

      • A CDCR Custody Officer.

    • Individuals who may not serve as witnesses:

      • The patient’s current PCP or other health care staff directly involved in the patient’s care.

      • Anyone who is serving as an agent or legally recognized decision-maker.

    • When a patient is in a CDCR or outside Skilled Nursing Facility, an additional witness (patient advocate or ombudsman) in addition to the two witnesses or notary, must sign the CDCR 7421 to ensure the patient is not signing under duress.

• Evidence of an Advance Directive

  • If a patient completed an advance directive prior to entry into an institution, the valid “outside” advance directive shall be forwarded to Health Information Management (HIM) to be scanned to the document type Advance Directive.

  • When a CDCR 7421 has been completed, the original shall be forwarded to HIM to be scanned to the document type Advance Directive.  The scanned document shall be placed in the Miscellaneous Patient Care folder in the Notes tab.  The primary care team shall provide the patient one copy of the CDCR 7421 for the patient and one copy for each agent or legally recognized decision-maker (no more than four copies).

  • Providers shall note in the Problem List that a CDCR 7421 has been completed.

  • It is the patient’s responsibility to forward copies of the advance directive to notify the agent(s) or legally recognized decision-maker(s) that they may be called upon to make future health care decisions for the patient.  Health care staff shall notify the agent or legally recognized decision-maker if the agent or legally recognized decision-maker is needed to make health care decisions for the patient.

  • A copy of the CDCR 7421 shall accompany the patient when transported to an outside hospital for emergency care or admission or transfer to other health care facilities.

• Revocation or Amendment of an Advance Directive

  • Patients may amend or revoke any aspect of the CDCR 7421 at any time either orally or in writing. If the patient:

  • Wishes to amend their CDCR 7421, they shall complete a new CDCR 7421 as soon as practicable.

  • Gives verbal instructions to amend their CDCR 7421, the health care staff who received the instructions shall document them in a progress note, and a new CDCR 7421 shall be completed as soon as practicable.

• Determining Health Care Decision-Making Capacity

  • Patients are presumed to have health care decision-making capacity unless a determination has been made to the contrary.

  • Health care decision-making capacity:

    • Determinations are the responsibility of the PCP.  For patients with concerns regarding mental health, the PCP may contact a mental health clinician to complete the advance directive.

    • May vary, and the patient may have capacity for some decisions and not for others.

    • Should be evaluated in relation to the matter at hand, the patient’s ability to understand the personal impact of their choices, and the ability to reason about those choices relative to their personal values.

  • If a patient is determined to not have health care decision-making capacity for a given decision, the PCP shall document this in a progress note.

• Initiation of Non-Written Advance Directives or Orally-Designated Surrogates

  • A patient with capacity may provide oral instructions to create an advance directive.  A health care provider shall document the patient’s preferences in the EHRS and facilitate the completion of a written CDCR 7421 as soon as possible.

  • A patient with capacity may orally designate a surrogate to make health care decisions only by personally informing the supervising health care staff, or designee, of the health care facility, who shall document such designation in the EHRS. Unless the patient specifies a shorter time period, this appointment is only effective during the course of treatment, illness, stay in the health care facility, or for 60 calendar days, whichever period is shorter.

• Decision Making Priority if Patient Lacks Decision-Making Capacity

  • If a patient is determined to not have health care decision-making capacity, the following health care decision-makers can make decisions on the patient’s behalf regarding the issue(s) for which the patient lacks decision-making capacity, in the following descending order of priority.

  • The surrogate that was previously designated by the patient via process outlined in Section (e)(7)(B) above.

  • An agent previously named in an advance directive or health care power of attorney.

  • The guardian or conservator of the patient who has the authority to make physical and mental health care decisions for the patient.

• Patients Lacking Decision-Making Capacity Without a Legally Recognized Decision-Maker

  • If an exigent health care event occurs to a patient who lacks health care decision-making capacity and that patient does not have a legally recognized decision-maker, a health care provider, or designee of the institution, may choose a surrogate to make health care decisions for the patient, pursuant to Probate Code 4712.

  • Designation of a surrogate in this manner does not replace the need for a court-appointed decision-maker should the patient continue to require support with medical decision-making, in which case the primary care team shall initiate the Penal Code 2604 process no later than 60 days after the exigency.

Policy

• California Correctional Health Care Services (CCHCS) shall honor and make available to all patients the California Department of Corrections and Rehabilitation (CDCR) 7465, Physician Orders for Life Sustaining Treatment (POLST).

Purpose

• This policy accompanies the CDCR 7465 and complements the CDCR 7421, Advance Directive for Health Care.

Responsibility

• The Chief Executive Officer, or designee, of each institution is responsible for the implementation, monitoring, and evaluation of this policy and procedure.

Procedure Overview

• Physician Orders for Life Sustaining Treatment (POLST) is a legally recognized mechanism by which patients can provide specific instructions for their end-of-life care, including requests regarding resuscitation. It is appropriate to consider obtaining and/or completion of a POLST for patients that are elderly, frail, have serious medical or surgical conditions, or who have less than six months life expectancy. Key provisions of the CDCR 7465 POLST are as follows:

  • The CDCR 7465 POLST is required to be signed by a Primary Care Provider (PCP) and the individual or the individual’s surrogate. Health care staff may discuss the form with the patient and help prepare the form, but the POLST must be signed by a PCP.

  • Health care providers are required to honor the provisions of the POLST.

  • Health care providers have statutory immunity from criminal prosecution, civil liability, discipline for unprofessional conduct, administrative sanction, or any other sanction to a health care provider who relies in good faith on the request and honors a POLST form that appears valid.

• California Correctional Health Care Services (CCHCS) shall ensure effective communication is achieved and documented when there is an exchange of health care information in accordance with the Health Care Department Operations Manual, Section 2.1.2, Effective Communication Documentation.

Procedure

• Completing the CDCR 7465

  • CCHCS encourages staff to promote a patient’s use of the CDCR 7465 whenever appropriate.

  • Health care staff has professional obligations to discuss end of life decision-making and goals of care, as well as patients’ right to name a legally recognized decision-maker and to specify their end of life preferences. This discussion should occur at clinically appropriate times with patients who are elderly, frail, have serious medical or surgical conditions, or who have less than six months life expectancy. The PCP is responsible for using language and communication methods that are appropriate and effective for the specific patient. It is often a good practice for PCPs to engage their patients in end of life preference discussions as soon as patients meet the criteria.

  • PCPs shall document all discussions with a patient regarding the CDCR 7465 in the health record.

  • The PCP shall be responsible for determining whether a patient has the capacity to make medical decisions. The PCP shall request a psychiatric consultation or obtain the assistance of the Chief Medical Executive (CME), or designee, when there is a question concerning a patient’s capacity to make medical decisions. Determination of diminished capacity shall be documented in the health record. If a patient lacks medical decision-making capacity, their legally recognized decision-maker shall make the decision on behalf of the patient.

  • The PCP shall seek the concurrence and consent of the legally recognized decision-maker before completing a CDCR 7465. In the event the patient is unable to communicate informed health care decisions or lacks the capacity to make health care decisions and has not designated a legally recognized decision-maker either orally or via a written Advance Directive for Health Care, the PCP, CME, or designee, and Regional Health Care Executive shall work with the CCHCS Office of Legal Affairs to identify appropriate steps to obtain legal authority for appointment of a legally recognized decision-maker.

• Distribution and Filing

  • Blank CDCR 7465 forms shall be available in all health care settings.

  • The current original unrevoked POLST is scanned to POLST document in the electronic health records. The CDCR 7465 is double-sided and both sides shall be scanned.

  • Any revoked POLST original or copy shall be lined out and marked “revoked-void” and scanned to POLST document type and noted in the Banner Bar of the health record.

  • A copy of the CDCR 7465 shall accompany the patient when transported to the hospital and when transferred to other health care facilities.

• Conflict Resolution and Special Situations

  • In the event a patient requests medical treatment contrary to generally accepted medical standards, or if the requested medical care would be medically ineffective, or for reasons of conscience, the health care provider or institution (for institutions there must be a pre-existing institutional policy) may decline to comply with the preferences of the patient or the patient’s legally recognized decision-maker. In such cases, the PCP shall discuss the case with institution and regional medical leadership and when appropriate, present the case to the CCHCS Ethics Committee for review and consultation.

  • If the patient requests “Do Not Attempt Resuscitation/Do Not Resuscitate (DNR)” status on Section A of the CDCR 7465 it is understood that every effort shall be made to relieve the patient’s suffering and maintain comfort. Specifically, a “Do Not Attempt Resuscitation/DNR” order does not imply that other therapeutic measures necessary to promote comfort will be withheld (e.g., palliative treatment for pain, dyspnea, major hemorrhage, or other medical conditions).

  • Terms such as “slow code” and “chemical code” are inappropriate and shall not be used. In the absence of a CDCR 7465 specifying “Do Not Attempt Resuscitation/DNR,” full Cardio Pulmonary Resuscitation shall be initiated for any patient experiencing cardiac and/or respiratory arrest unless otherwise indicated.

  • If there is suspicion that a patient’s cardiorespiratory arrest is not a part of a natural or expected death, then resuscitation shall be attempted despite the presence of a CDCR 7465 stating no attempt at resuscitation. This would include a patient suspected of attempted suicide or possibly suffering harm by another.

  • The PCP shall be responsible for discussing with the patient and/or legally recognized decision-maker as appropriate and documenting in the health record whether the POLST/DNR orders are to be maintained or suspended during anesthesia and surgery. This decision shall be communicated to the surgeon prior to the date of the procedure by the PCP. If the surgeon refuses to honor the patient’s wishes, a referral to another surgeon willing to do so should be generated by the PCP and the CME, or designee, should be notified. The surgical team and the patient shall determine in advance of the procedure specifically when the POLST/DNR orders are to be suspended and reinstated.

• Honoring POLST Orders Completed Outside of the Institution

  • If a patient with a completed POLST transfers to or from another CDCR institution or outside health care facility, the receiving institution/facility shall accept the sending institution’s POLST orders.

• Documenting the Code Status of a Critically Ill Patient Who Has No POLST or Advance Directive

  • Completion of a CDCR 7465 is not always possible. If DNR status is clinically indicated and in keeping with the patient’s wishes, providers may write DNR orders in the absence of a CDCR 7465.

    • For DNR orders without an accompanying CDCR 7465, a supervising physician not directly involved in the care of the patient shall document his/her concordance in the health record.

    • A DNR order written without a POLST means only that the patient is not to receive resuscitative measures in the event of a full arrest. Any other limits on medical interventions, such as “do not intubate” or “no blood products,” must be specifically ordered.