Health Care Department Operations Manual

Cancel

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

View All Sections >

2.2.16 Health Oversight

  • Policy

    • California Correctional Health Care Services (CCHCS) shall permit the use and disclosure of health information to legally authorized government agencies that conduct health oversight activities regarding the appropriate operation and management of programs, the provision of health care or health care related services, and health information governance in the provision of those services.

  • Purpose

    • To provide guidance regarding uses or disclosures of health information for health oversight purposes, as required by law, and to ensure processes are maintained related to the use and disclosure of health information to government agencies performing health oversight activities, and health information governance.

  • Responsibility

    • The CCHCS Chief Privacy Officer (CPO) is responsible for the oversight of this policy.

    • Hiring authorities are responsible to ensure staff comply with this policy.

  • Applicability

    • This policy applies to CCHCS as a Covered Entity.

  • Procedure

    • CCHCS shall meet health oversight obligations by:

      • Understanding what constitutes health oversight activities, and how to respond to requests for health information by other agencies for this purpose.

      • Cooperating with federal and state agencies responsible for determining compliance with the Health Insurance Portability and Accountability Act and other laws relating to the privacy, security, and administration of health information.

      • Ensuring all workforce members receive training to limit disclosure of health information to the minimum necessary when a health oversight agency conducts health oversight activities pursuant to this policy.

      • Addressing health information privacy concerns of other state entities when requesting health information.

      • Understanding that health oversight agency representatives will be required to provide verification of both identity and authority when requesting health information for authorized oversight activities.

      • Requiring reasonable evidence or legal authority in the forms listed below:

        • A written statement of identity on agency letterhead.

        • An identification badge.

        • Similar proof of official status.

        • A written request provided on agency letterhead describing legal authority for release of health information.

    • Permitted Uses and Disclosures to Oversight Agencies

      • A state entity that is also a health oversight agency may use health information for health oversight activities.

      • Health information may be disclosed to a health oversight agency, without an authorization, for authorized oversight activities, including, but not limited to, audits, licensure, investigations, or disciplinary actions permitted by law.

    • Exceptions to Permitted Disclosures to Health Oversight Agencies

      • A health oversight activity does not include an investigation or other activity in which the patient is the subject of the investigation or activity, when it is not a direct result of, or directly related to:

        • The receipt of health care.

        • A claim for public benefits related to health.

        • Qualification for, or receipt of, public benefits or services when a patient’s health is vital to the claim for public benefits or services.

        • A report of child abuse, neglect, or domestic violence.

        • A report of sexual abuse or violence in accordance with the Prison Rape Elimination Act.

        • Payment collection activities related to provision of health care.

    • Temporary Suspension of Accounting of Disclosures

      • Health oversight agencies may request a temporary suspension of a patient’s right to receive an accounting of disclosures.

        • The temporary suspension shall be made in writing, include the reason why the disclosure would impede the health oversight activities, and indicate the timeframe the suspension is required.

        • For verbal requests, the patient’s right to an accounting shall be suspended for no more than 30 business days unless a written request is submitted during that timeframe.

    • Joint Activities or Investigations

      •  If a health oversight activity is conducted in conjunction with a public benefits investigation not related to health, the joint activity or investigation is considered a health oversight activity.

        • Inquiries or investigations of Medi-Cal fraud involving health treatment or investigations involving other federal or state public benefits are considered a health oversight activity for purposes of this policy.

    • Health Information Governance

      • Roles and Responsibilities

        • The CCHCS CPO shall:

          • Notify Hiring Authorities of noncompliance of their staff with this policy or privacy laws.

          • Recommend that action be taken, when appropriate.  Recommendations may include, but are not limited to:

            • Creating a process to mitigate risk or prevent future privacy breaches.

            • Advising CCHCS on staffing or resources needed to respond to and mitigate a privacy breach, and to prevent future privacy breaches.

            • Consulting with the CCHCS Performance Management Unit to advise CCHCS Hiring Authorities on recommended action regarding a specific workforce member.

          • Communicate with the California Department of Corrections and Rehabilitation (CDCR) CPO to identify their respective areas of responsibility, including the following functions:

            • Collaborating with the CDCR CPO regarding areas of overlapping responsibility.

            • Developing a joint plan for health information governance that would apply to both CDCR and CCHCS.

        • Hiring Authorities shall:

          • Consider recommendations from the CCHCS CPO and ensure CCHCS meets all timeframes for incident management required by federal and state law.

          • Advise the CCHCS CPO of actions taken in response to Privacy Office recommendations.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Subpart E, Sections 164.501, 164.504(e), 164.512, and 164.528164.530(i)(1)

    • California Civil Code, Division 1, Part 2.6, Chapter 2, Section 56.10

    • California Civil Code, Division 3, Part 4, Title 1.8, Chapter 1, Article 6, Sections 1798.24 and 1798.25

    • California Health and Safety Code, Division 109, Section 130203

    • State Administrative Manual, Section 5300.2, Policy, Procedure, and Records Management

    • Statewide Health Information Policy Manual, Section 2.2.4, Health Oversight

    • Statewide Health Information Policy Manual, Section 4.2.1, Consequences of Non-Compliance

  • Revision History

    • Effective: 10/23/2023
      Reviewed: 10/08/2024
      Revised 02/24/2025