Article 2 – Confidentiality and Privacy
2.2.2 Use and Disclosure of Protected Health Information Based on Patient Authorization
-
Policy
-
California Correctional Health Care Services (CCHCS) workforce members may use or disclose Protected Health Information (PHI) pursuant to and in compliance with a valid patient authorization. Such disclosures shall be performed in accordance with the policies in the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 2, Confidentiality and Privacy and Article 3, Health Information Management.
-
Purpose
-
To authorize specific uses or disclosures of PHI based on patient’s authorization and to identify applicable requirements for such patient authorizations.
-
-
Responsibility
-
The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.
-
-
When Patient Authorization is Required
-
As outlined in detail in the HCDOM, Section 2.2.1, General Use and Disclosure of Protected Health Information, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain treatment, payment, or health care operations activities. In addition, privacy law permits the release of PHI without a patient’s authorization pursuant to specific exceptions outlined in the HCDOM, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exceptions, or pursuant to a Business Associate Agreement as provided in the HCDOM, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information. CCHCS workforce members shall require a signed authorization for all other uses and disclosures of PHI.
-
Disclosure of the Health Record
-
Health Information Management (HIM) is the custodian of the health record and shall have the sole authority to disclose the health record, in whole or in part, pursuant to patient authorization.
-
Valid Authorizations
-
A patient’s or their personal representative’s authorization is considered valid if it contains at least the following elements:
-
A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
-
The name or other specific identification of the person(s) authorized to make the requested use or disclosure.
-
The name or other specific identification of the person(s) to whom CCHCS may make the requested use or disclosure.
-
A description of each purpose of the requested use or disclosure and the specific uses and limitations on the use of the health information by the persons or entities authorized to receive it. The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.
-
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure after which disclosure is no longer authorized.
-
A signature which serves no other purpose than to execute the document and date. If the authorization is signed by a personal representative of the patient, a description of such representative’s authority to act for the individual must also be provided.
-
A statement that the patient has the right to revoke the authorization in writing and a description of how the individual may revoke the authorization.
-
A statement that CCHCS may not condition treatment on whether the patient signs the authorization.
-
A statement concerning the potential for the information disclosed to be subject to redisclosure by the recipient and no longer protected by applicable federal and state law.
-
A statement advising the patient of their right to receive a copy of the authorization.
-
The authorization must be in writing in at least 14-point type and must be clearly separate from any other language present in the same document.
-
-
The CDCR 7385, Authorization for Release of Protected Health Information, satisfies the above requirements and is the preferred form for disclosures pursuant to patient authorization. Other authorization forms are disfavored but may be accepted if they conform to all the requirements listed above in section (d)(3)(A)1. through 11.
-
An authorization is considered defective and invalid if any material information in the authorization is known to be false by CCHCS or its workforce members or if any of the following defects exist:
-
The expiration date has passed.
-
The authorization has not been filled out completely or lacks a required element.
-
The authorization is known to have been revoked.
-
-
-
Authorization for Specially Protected Health Information
-
A valid written authorization to disclose specially protected health information shall be obtained before making such a disclosure. Each specific type of specially protected health information disclosure requires a separate authorization and cannot be combined with an authorization requesting general health information. Further information regarding specially protected health information including any exceptions can be found in the HCDOM Section, 2.3.4, Release of Protected Health Information.
-
Revocation or Restriction of Authorization
-
A patient may revoke an authorization at any time in writing. No such revocation shall apply to information already released while the authorization was valid and in effect.
-
Patients have the opportunity to agree or object to certain or specific uses and disclosures of their health information.
-
Exception: Alcohol and drug treatment participants may verbally revoke authorization to disclose information obtained from alcohol and drug treatment programs. Verbal authorizations and revocations must be documented and maintained in the health record.
-
-
Verification of Individuals Receiving Information.
-
Information about a patient may only be disclosed pursuant to a written authorization after verifying the identity of the person receiving the information.
-
-
References
-
Code of Federal Regulations, Title 42, Chapter 1, Subchapter A, Part 2 – Confidentiality of Alcohol and Drug Abuse Patient Records
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.501 – Definitions, Section 164.502 – Uses and disclosures of protected health information: General rules, Section 164.508 – Uses and disclosures for which an authorization is required, and Section 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object
-
California Civil Code, Division 1, Part 2.6, Chapter 2, Section 56.11
-
California Health and Safety Code, Division 105, Part 4, Chapter 7, Sections 120975, 120980, 120985
-
California Health and Safety Code, Division 105, Part 4, Chapter 9, Section 121070
-
California Penal Code, Part 3, Title 8, Chapter 3, Section 7520
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information Special Exception
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information
-
Health Care Department Operations Manual, Chapter 2, Article 3, Health Information Management
-
Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements
-
Statewide Health Information Policy Manual, Section 2.1.1, Authorizations
-
Statewide Health Information Policy Manual, Section 2.2.0, Uses and Disclosures
-
Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information
-
-
Revision History
-
Effective: 02/2012
Revised: 05/20/2024
Reviewed: 12/09/2025
-