Article 2 – Confidentiality and Privacy
2.2.2 Use and Disclosure of Protected Health Information Based on Patient Authorization
-
Policy
-
California Correctional Health Care Services (CCHCS) workforce members may use or disclose Protected Health Information (PHI) pursuant to and in compliance with a valid patient authorization. Such disclosures shall be performed in accordance with the policies in the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 2, Confidentiality and Privacy and Article 3, Health Information Management.
-
-
When Patient Authorization is Required
-
CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain treatment, payment, or health care operations activities pursuant to the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information. In addition, privacy law permits the release of PHI without a patient’s authorization under specific exceptions pursuant to the HCDOM, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exceptions, or pursuant to a Business Associate Agreement as provided in the HCDOM, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information. CCHCS workforce members shall require a signed authorization for all other uses and disclosures of PHI.
-
Disclosure of the Health Record
-
Health Information Management (HIM) is the custodian of the health record and shall have the sole authority to disclose the health record, in whole or in part, pursuant to patient authorization.
-
CCHCS programs shall keep an accurate accounting of each disclosure pursuant to the HCDOM, Section 2.2.18, Accounting of Disclosures for Patients’ Protected Health Information, and make them available upon request.
-
-
Valid Authorizations
-
A patient’s or their personal representative’s authorization is considered valid if it contains all of the components listed in the HCDOM, Section 2.3.4, Release of Protected Health Information. authorization is considered valid if it contains at least the following elements:
-
The CDCR 7385, Authorization for Release of Protected Health Information, satisfies the requirements of a valid authorization and is the preferred form for disclosures pursuant to patient authorization.
-
An authorization is considered defective and invalid if any material information in the authorization is known to be false by CCHCS or its workforce members, or if it has any of the defects listed in the HCDOM, Section 2.3.4, Release of Protected Health Information.
-
-
Authorization for Specially Protected Health Information
-
A valid written authorization to disclose specially protected health information shall be obtained before making such a disclosure. Each specific type of specially protected health information disclosure requires a separate authorization and cannot be combined with an authorization requesting general health information. Further information regarding specially protected health information including any exceptions can be found in the HCDOM, Section 2.3.4, Release of Protected Health Information.
-
-
Revocation or Restriction of Authorization
-
A patient may revoke an authorization at any time in writing. No such revocation shall apply to information already released while the authorization was valid and in effect.
-
Patients have the opportunity to agree or object to certain or specific uses and disclosures of their health information.
-
Exception: Substance use disorder (SUD) treatment participants may verbally request to revoke authorization to disclose information obtained from SUD treatment programs. Verbal authorizations and revocations must be documented and maintained in the health record.
-
-
Verification of Individuals Receiving Information.
-
Information about a patient may only be disclosed pursuant to a written authorization after verifying the identity of the person receiving the information.
-
-
-
References
-
Code of Federal Regulations, Title 42, Chapter 1, Subchapter A, Part 2 – Confidentiality of Alcohol and Drug Abuse Patient Records
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.501 – Definitions, Section 164.502 – Uses and disclosures of protected health information: General rules, Section 164.508 – Uses and disclosures for which an authorization is required, and Section 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object
-
California Civil Code, Division 1, Part 2.6, Chapter 2, Section 56.11
-
California Health and Safety Code, Division 105, Part 4, Chapter 7, Sections 120975, 120980, 120985
-
California Health and Safety Code, Division 105, Part 4, Chapter 9, Section 121070
-
California Penal Code, Part 3, Title 8, Chapter 3, Section 7520
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exception
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 3, Health Information Management
-
Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.25, Security and Privacy Awareness Training
-
Statewide Health Information Policy Manual, Section 2.1.1, Authorizations
-
Statewide Health Information Policy Manual, Section 2.2.0, Uses and Disclosures
-
Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information
-
-
Policy Control
Executive Sponsor: Deputy Director, Policy and Risk Management Services
Effective: 02/2012
Revised: 05/20/2024, 06/17/2026
Reviewed: 12/09/2025