Health Care Department Operations Manual

Cancel

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

View All Sections >

2.2.10 General Use and Disclosure of Personally Identifiable Information

  • Policy

    • Personally Identifiable Information (PII) maintained by California Correctional Health Care Services (CCHCS) is private and confidential.  CCHCS workforce members shall use PII to conduct business in compliance with federal and state law.

    • CCHCS workforce members shall not use or disclose PII except as permitted or required by this chapter or as otherwise permitted or required by law.

  • Purpose

    • To provide guidance to CCHCS workforce members regarding the use and disclosure of PII.

  • Responsibility

    • The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy rights laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

    • CCHCS workforce members shall report incidents of inappropriate disclosure of PII to the CCHCS Office of Information Security via the Report Unauthorized Disclosure – CCHCS – ServiceNow Portal for fact-finding, analysis, intake, and response, except for those currently delegated to the CCHCS Privacy Office pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.11, Privacy Incidents and Breach Reporting.

  • General Use and Disclosure of PII

  • CCHCS workforce members shall only use or disclose PII in a manner that would not link the information disclosed to the individual to whom it pertains unless the information is disclosed as follows:

    • To the individual or the individual’s representative to whom the information pertains.

    • With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 business days before the disclosure, or in the time limit agreed to by the individual in the written consent if longer than 30 business days.

    • To the duly appointed guardian, conservator, or person legally authorized to represent the individual.

    • To a governmental entity when required by federal or state law.

    • As permitted or required by law.

    • To a person who has provided the agency with advance, adequate written assurance that the information shall be used solely for statistical research or reporting purposes, and only if the information to be disclosed is in a form that shall not identify any individual.

    • Pursuant to a valid subpoena, court order, or other compulsory legal process if, before the disclosure, CCHCS workforce members reasonably attempt to notify the individual to whom the record pertains and if the notification is not prohibited by law.

  • Information Collection and Minimum Necessary Use of PII

  • Information owners and CCHCS workforce members shall:

    • Collect the least amount of PII required to fulfill the purposes for which it is collected.

    • Limit PII use and disclosure to the minimum necessary amount of information required to complete the desired task.

    • Obtain personal information only through lawful and transparent means and to the greatest extent practicable directly from the individual who is the subject of the information.

      • The purposes for which PII is collected shall be specified at or prior to the time of collection.  Information owners and CCHCS workforce members shall not disclose, use, or make available personal information collected from individuals for purposes other than those for which it is originally collected.

      • Information owners and CCHCS workforce members shall maintain privacy policies which include the general means by which PII is protected against loss, unauthorized access, use, modification, or disclosure, unless that disclosure of general means compromises legitimate state department or state agency objectives or law enforcement purposes.

  • Third Party or Media Inquiries

  • References

    • California Government Code, Title 2, Division 3, Part 1, Chapter 1, Article 1, Section 11019.9

    • California Civil Code, Division 3, Part 4, Section 1798 et seq.

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.3, Sanctions and Penalties for Privacy and Information Security Violations

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.11, Privacy Incidents and Breach Reporting

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.13, Handling Protected Health and Personally Identifiable Information

    • Health Care Department Operations Manual, Chapter 2, Article 3, Section 2.3.15, Patient Health Care Inquiries

    • Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements

    • State Administrative Manual 5320.2, Security and Privacy Training

  • Revision History

    • Effective: 02/2012
      Revised: 09/17/2025