Health Care Department Operations Manual

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

View All Sections >

2.2.1 General Use and Disclosure of Protected Health Information

Policy
- Protected Health Information (PHI) maintained by California Correctional Health Care Services (CCHCS) is private and confidential. CCHCS workforce members may not use or disclose PHI, except as permitted or required by this chapter or as otherwise permitted or required by law.
Purpose
- To provide guidance regarding general use and disclosure of PHI.
Responsibility
- The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for the general use and disclosure of PHI.
- CCHCS workforce members shall report incidents of inappropriate disclosure of PHI to the CCHCS Office of Information Security Office (ISO) via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.
Use and Disclosure of PHI
- Use and Disclosure of PHI at Patient or Personal Representative Request
  - CCHCS workforce members may use or disclose PHI to the patient or the patient’s personal representative when requested pursuant to the HCDOM Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.
- Use and Disclosure of PHI for Treatment, Payment or Health Care Operations (TPO) Purposes
  - CCHCS workforce members may use or disclose PHI without patient authorization as follows:
    - For TPO activities related to CCHCS patients.
    - To communicate with or notify a patient’s family member or others involved in the patient’s care if the disclosure is in the best interest of the patient and it can be reasonably inferred the patient does not object.
    - To an entity conducting research, provided that the research has been approved by the California Health and Human Services Agency Committee for the Protection of Human Subjects or a legally authorized institutional review board or a privacy board as set forth in Health Insurance Portability and Accountability Act, Section 164.512(i).
    - To another covered entity (health care organization) or health care provider for its payment activities.
    - To another covered entity for its health care operations activities if CCHCS workforce members and the other covered entity have or had a relationship with the patient who is the subject of the PHI being requested, and the disclosure includes, but is not limited to, conducting the following:
      - Quality assessments and improvement activities, including developing clinical guidelines.
      - Competency assessments during practitioner and provider performance evaluations.
      - Approved health care fraud and abuse detection or compliance by CCHCS or another federal or state agency.
  - CCHCS workforce members shall process routine requests for all or a subset of patients’ PHI pursuant to the HCDOM, Sections 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information, and 2.3.4, Release of Protected Health Information.
  - Requests to access mental health records may be denied when:
    - A licensed health care professional determined that access could endanger the life or physical safety of the patient or another person.
    - The request is made by the patient’s representative, and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the patient or another person.
    - The report would be made to the patient’s representative, and the state entity determines the patient’s representative may be responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the patient.
    - For more information regarding the privacy and confidentiality of mental health records, contact m_MHPolicyUnit@cdcr.ca.gov.
- Use and Disclosure of PHI for Non-TPO Purposes
  - CCHCS workforce members shall not use or disclose PHI for non-TPO purposes unless the disclosure is pursuant to a valid written authorization from the patient or the personal representative of the patient, or meets an exception in one of the following HCDOM, Sections:
  - 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization
  - 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions
  - 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets
  - 2.2.9, Business Associate Use and Disclosure of Protected Health Information
  - 2.2.13, Handling Protected Health and Personally Identifiable Information
- Requirements for Use and Disclosures of Specially Protected Health Information
  - Specially Protected Health Information as defined in California’s Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information, is subject to further limitations pursuant to the HCDOM, Sections 2.3.4, Release of Protected Health Information, and 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization.
- Third Party or Media Inquiries
  - CCHCS workforce members shall not use or disclose PHI pursuant to the HCDOM, Section 2.2.13 Handling Protected Health and Personally Identifiable Information.
- Health Records Disclosure
  - Disclosure of all or part of a patient’s health record shall be performed pursuant to the HCDOM, Chapter 2, Article 3, Health Information Management.
References
- California Code of Regulations, Title 22 Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions
- Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions
- Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.501 – Definitions, Section 164.502 – Uses and disclosures of protected health information: General rules, and Section 164.506 – Uses and Disclosures to carry out treatment, payment, or health care operations
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.3, Sanctions and Penalties for Privacy and Information Security Violations
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.11, Privacy Incidents and Breach Reporting
- Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.13, Handling Protected Health and Personally Identifiable Information
- Health Care Department Operations Manual, Chapter 2, Article 3, Health Information Management
- Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements
- Statewide Health Information Policy Manual, Section 2.2.0, Uses and Disclosures
- Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information
- Statewide Health Information Policy Manual, Section 2.7.0, Minimum Necessary
Revision History
- Effective: 02/2012
  Revised: 09/17/2025