Health Care Department Operations Manual

Cancel

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

View All Sections >

2.2.13 Handling Protected Health and Personally Identifiable Information

  • Policy

    • California Department of Corrections and Rehabilitation (CDCR) and California Correctional Health Care Services (CCHCS) workforce members shall ensure compliance with federal and state privacy requirements and CCHCS policies for Protected Health Information (PHI) and Personally Identifiable Information (PII). The PHI and PII maintained by CCHCS is private and confidential, and CCHCS workforce members shall not use or disclose PHI or PII, except as permitted or required by law, and as outlined in this policy.

  • Purpose

    • To ensure CCHCS and its workforce members comply with federal and state privacy requirements for state entities that maintain PII and PHI.

  • Responsibility

    • The CCHCS Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the privacy rights of individuals regarding the collection, use, and disclosure of PHI and PII maintained by CCHCS.

    • CCHCS workforce members are responsible for complying with requirements for use, disclosure, and access when handling PHI and PII.

  • Procedure

    • Permitted Use and Disclosure of PHI

    • Permitted Use and Disclosure of PHI

    • Access to PHI and PII of the Deceased

      • A written authorization for the release of information (ROI) or CDCR 7385 from the appointed patient representative is required before information may be disclosed.

      • A signed ROI is not valid or permitted based on prior authorization from the patient.

      • Exceptions to the written authorization requirement are limited to certain external law enforcement, coroner, research functions, or individuals involved in or relevant to the patient’s care and organ procurement.

      • All other cases require a signed ROI from the appointed patient representative pursuant to the Federal Code of Regulations, Title 45, Section 164.502(g)(4).

      • CCHCS workforce members shall:

        • Not disclose, use, or make available personal information collected from patients for purposes other than those for which it was originally collected.

        • Limit PHI use and disclosure to the minimum necessary information required to complete the desired task.

        • Protect the PHI of decedents in the same manner, and to the same extent, as required for the PHI of living persons.

      • Requests for a decedent’s health care information received from any source by CDCR or CCHCS shall be forwarded to Health Information Management (HIM) for further handling pursuant to the HCDOM, Chapter 2, Patients’ Entitlements and Responsibilities, Article 3, Health Information Management.

    • External Law Enforcement Requests or Inquiries

      • Pursuant to Statewide Health Information Policy Manual (SHIPM), Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members shall disclose PHI to external law enforcement officials in response to the following:

        • A court order, court-ordered warrant, subpoena, or summons issued by a judicial officer.

        • A grand jury subpoena.

        • An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process permitted under the law provided that the:

          • Information sought is relevant and material to a legitimate external law enforcement inquiry.

          • Request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

          • De-identified information could not reasonably be used.

          • Request or a separate document indicates that the requirements listed within section (d)(4)(A)3.a. through c., have been satisfied.

      • Pursuant to SHIPM, Chapter 2, Section 2.2.6, Law Enforcement, CCHCS workforce members are permitted to disclose PHI to external law enforcement officials in response to the following:

        • A written or verbal request when information is needed to identify or locate a suspect, fugitive, material witness, or missing person limited to the following information:

          • Name and address

          • Date and place of birth

          • ABO blood type and Rh factor

          • Social Security Number

          • Type of injury

          • Date and time of treatment

          • Date and time of death (if applicable)

          • A description of distinguishing physical characteristics, including height, weight, gender, race, hair, and eye color, presence or absence of facial hair, scars, and tattoos.

        • A written or verbal request for information about a patient who is or suspected to be the victim of a crime if:

          • The patient agrees to the disclosure.

          • The patient’s agreement cannot be obtained because of incapacity or other emergency circumstances, provided that all of the following are met:

            • The external law enforcement official represents that:

              • The information is needed to determine whether a violation of law by a person other than the victim has occurred, and that the information is not intended to be used against the victim;

              • Immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient is able to agree to the disclosure.

            • The disclosure is in the best interests of the patient as determined by CCHCS.

          • It is suspected that the patient may be a victim of child abuse or neglect, elder abuse or neglect, or domestic violence pursuant to SHIPM, Section 2.2.16, Victims of Abuse, Neglect, or Domestic Violence.

        • An inquiry about a patient who has died if there is suspicion that the death may have resulted from criminal conduct pursuant to SHIPM, Chapter 2, Section 2.2.1, Decedents, III.B (1) and (2).

        • An inquiry if there is a reasonable and honest belief that it constitutes evidence of criminal conduct.

        • An inquiry when providing emergency medical care that is not on its premises.  CCHCS workforce members are permitted to the disclose PHI to external law enforcement if the disclosure appears necessary to alert the authorities to the:

          • Commission and nature of a crime.

          • Location of the crime or the victim(s) of the crime.

          • Identity, description, and location of the perpetrator of the crime.

    • Victims of Abuse, Neglect, or Domestic Violence

      • If CCHCS believes that the medical emergency results from abuse, neglect, or domestic violence of the patient in need of emergency health care pursuant to SHIPM, Chapter 2, Section 2.2.16, Victims of Abuse, Neglect or Domestic Violence, CCHCS workforce members may disclose a patient’s PHI without the patient’s authorization to a government authority authorized by law to receive reports if they reasonably believe the patient is the victim of abuse, neglect, or domestic violence.  CCHCS workforce members shall disclose the minimum PHI necessary to file a report and shall ensure the patient is notified of the disclosure unless notification would place the patient at risk of serious harm. The nature and date of disclosure and notification shall be documented on the CDCR 7219, Medical Report of Injury or Unusual Occurrence.

    • Appropriate Safeguards

      • All email and portable electronic storage media including, but not limited to, CDs and thumb drives containing PHI and PII, shall be encrypted when sent to entities outside the CCHCS network utilizing the appropriate administrative, technical, and physical controls pursuant to the Statewide Information Management Manual, Chapter 5300.

    • Documentation and Tracking of Disclosures

      • CCHCS workforce members shall document, track, and maintain the documentation regarding disclosures of PHI when the disclosure is not for TPO reasons. This tracking shall include what, when, why, and to whom disclosures are made pursuant to SHIPM, Chapter 5, Section 5.1.0, Accounting of Disclosures.

    • CCHCS Workforce Members Access to PHI and PII

      • CCHCS workforce members may only access or use the minimum information necessary to conduct business in compliance with federal and state law.

    • Third Party or Media Inquiries

      • CCHCS workforce members shall:

        • Forward all media inquiries regarding the release of patient PHI or PII to the CCHCS, Office of Communications at via email at Lifeline@cdcr.ca.gov.

        • Refer patient health care inquiries containing PHI or PII from third parties to the Health Care Correspondence and Appeals Branch (HCCAB) by emailing CCHCSPHCI@cdcr.ca.gov.  HCCAB shall respond to patient health care inquiries pursuant to the HCDOM, Section 2.3.15, Patient Health Care Inquiries.

        • Not use or disclose PHI or PII to third parties (e.g., attorney, legislative, or advocacy group) or to media.

      • Inquiries for PHI and PII are not subject to the California Public Records Act pursuant to the HCDOM, Section 5.1.2, California Public Records Act Requests.

    • Management and Redaction of Health Information

      • Designated HIM workforce members shall perform the routine disclosure of all or part of a patient’s health record, as permitted by law or subsequent to a HIPAA-compliant authorization or CDCR 7385, for each request pursuant to the HCDOM, Section 2.3.4, Release of Protected Health Information.

      • Various disclosures, including but not limited to, mandated reporting or gathering statistical or population-based information, may not require identifying characteristics, such as name, date of birth, address, and more. For this reason, designated CCHCS workforce members shall redact all identifying information when the information is not necessary to fulfill the request. California Health and Human Services, Data Playbook, provides Data De-Identification Guidelines, Federal Code of Regulations, Title 45, Section 164.514.

    • Information Security and Incident Breaches

    • General Staff and Patient Information

      • Information Accuracy and Integrity

        • Information owners and CCHCS workforce members shall:

        • Maintain all records with accuracy, relevance, timeliness, and completeness.

        • Make appropriate corrections submitted by record subjects as required by law.

      • Accounting of Disclosures

        • Information owners and CCHCS workforce members shall:

        • Keep an accurate accounting of the date, nature, and purpose of each disclosure of a record as required by law.  The accounting shall include the date of the disclosure and the name, title, and business address of the individual or to whom the disclosure was made pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information.

        • Retain accountings of non-medical PII for at least three years after the disclosure for which the accounting is made or until the record is destroyed per the record retention policy, whichever is shorter.

        • Retain accountings of PHI for at least six years after the disclosure for which the accounting is made.

      • Privacy Impact Assessments

        • The Privacy Office shall assist program management with conducting Privacy Impact Assessments.

      • General Privacy Statement

        • The Privacy Office shall review and revise the general CCHCS internet privacy statement as needed.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.501, Section 164.502, Section 164.504, Section 164.506, Section 164.512, Section 164.514, and Section 164.528

    • Health Information Technology for Economic and Clinical Health Act

    • California Civil Code, Division 1, Part 2.6, Chapter 2, Section 56.10

    • California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 7, Sections 1798.24(d) – (f)  and 1798.25

    • California Government Code, Title 2, Division 3, Part 1, Chapter 1, Article 1, Section 11019.9

    • California Health and Safety Code, 130303

    • California Penal Code, Part 2, Title 12, Chapter 3.5, Sections 1543 – 1545

    • California Code of Regulations, Title 15, 3999.215

    • California Code of Regulations, Title 22, Division 5, Chapter 9, Article 4, Sections 77139 and 73543

    • Department Operations Manual, Chapter 4, Information Technology, Article 1 through 66

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.3, Enforcements, Sanctions, and Penalties for Violations of Individual Privacy and Information Security Violations

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.10, General Use and Disclosure of Personally Identifiable Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.15, Specialized Government Functions

    • Health Care Department Operations Manual, Chapter 2, Article 3, Section 2.3.4, Health Information Management, Release of Information

    • Health Care Department Operations Manual, Chapter 2, Article 3, Section 2.3.15, Headquarters Patient Health Care Inquiry Response

    • Health Care Department Operations Manual, Chapter 5, Article 3, Information Technology

    • Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements

    • State Administrative Manual, Chapter 5300, Information Technology-Office of Information Security

    • Statewide Health Information Policy Manual, Chapter 2, Section 2.1.0, Authorizations

    • Statewide Health Information Policy Manual, Section 2.2.1, Decedents

    • Statewide Health Information Policy Manual, Section 2.2.6, Law Enforcement

    • Statewide Health Information Policy Manual, Section 2.2.13, Specialized Government Functions

    • Statewide Health Information Policy Manual, Chapter 2, Section 2.2.14, Treatment, Payment, and Health Care Operations

    • Statewide Health Information Policy Manual, Section 2.2.16, Victims of Abuse, Neglect, or Domestic Violence

    • Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information

    • Statewide Health Information Policy Manual, Section 2.7.0, Minimum Necessary

    • Statewide Health Information Policy Manual, Section 3.1.7, Verification of Identity (Person or Entity Authentication)

    • Statewide Health Information Policy Manual, Section 5.1.0, Accounting of Disclosures

    • Statewide Information Management Manual, SIMM 5305-A, Information Security Program Management Standard

    • Statewide Information Management Manual, SIMM 5300-B, Information Security Program Management Standard

  • Revision History

    • Effective: 04/2022
      Revised: 09/17/2025