Health Care Department Operations Manual

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

2.2.5 Safeguards for Protected Health Information and Personally Identifiable Information

  • Policy

    • California Correctional Health Care Services (CCHCS) shall take steps to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII) from intentional or unintentional violation of federal and state privacy laws and CCHCS privacy policies.

  • Purpose

    • To specify the safeguards required to minimize the risk of unauthorized access, use, or disclosure of PHI and PII.

  • Responsibility

    • The Chief Privacy Officer shall have oversight of this policy to comply with laws, policies, and standards for protecting the privacy rights of individuals.

  • Safeguards

    • CCHCS workforce members shall take all necessary precautions to safeguard PHI and PII pursuant to the State Health Information Policy Manual and the Statewide Information Management Manual Chapter 5300.

    • All CCHCS workforce members with assigned job duties requiring the access, use, or disclosure of PHI shall apply administrative, technical, and physical safeguards to protect PHI.

    • Each program shall have information technology (IT) and information security controls to safeguard PHI and PII, including administrative, technical, and physical controls.

    • CCHCS programs shall conduct internal reviews periodically to evaluate the effectiveness of these safeguards.

  • Specific Safeguarding Procedures

    • Paper Practices

      • CCHCS workforce members shall be educated on the risks of creating paper documents and how they shall be used, handled, shared, stored, and destroyed.

      • Each CCHCS program shall ensure all paper documents, including those awaiting disposal or destruction in locked desk-site containers, storage rooms, centralized waste and shred bins, or other storage devices, are labeled, disposed of regularly, and secured through reasonable measures to prevent unauthorized access.

      • Each CCHCS program shall ensure that shredding of paper documents is performed on a timely basis consistent with record retention requirements.

    • Verbal Practices

      • CCHCS workforce members shall take reasonable steps to protect the privacy of all verbal exchanges or discussions of PHI and PII regardless of where the discussion occurs.

        • CCHCS workforce members shall provide only the minimally necessary verbal information to fulfill their job functions.

      • Each CCHCS program shall use enclosed offices or interview rooms to verbally exchange PHI and PII if available.

        • In open office environments, incidental use or disclosure is not considered a privacy violation if CCHCS workforce members have complied with the reasonable safeguards and minimum necessary requirements.

        • Each CCHCS program shall ensure workforce members are educated on the potential for inadvertent verbal disclosure of PHI and PII.

    • Visual Practices

      • CCHCS workforce members shall ensure PHI and PII are adequately shielded from unauthorized visual disclosure.

      • CCHCS programs and workforce members shall use best practices to ensure that PHI and PII in any visual medium such as photos, videos, images, or documents displayed on computer screens are not visible to unauthorized persons.

    • Electronic Practices

      • PHI and PII in electronic formats (e.g., databases, email, phone, fax) shall be protected through IT-related controls.

      • CCHCS workforce members shall be assigned to electronic groups that provide access only to the minimum necessary information to fulfill their job functions.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530(c)

    • California Civil Code, Sections 1798-1798.78, Information Practices Act of 1977

    • Department Operations Manual, Chapter 4, Information Technology, Article 1 through 66

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.4, Minimum Necessary Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 5, Article 3, Information Technology

    • Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements

    • State Administrative Manual, Chapter 5300, Information Technology-Office of Information Security

    • Statewide Health Information Policy Manual, Section 3.1.0, Administrative Safeguards

    • Statewide Health Information Policy Manual, Section 3.2.0, Physical Safeguards

    • Statewide Health Information Policy Manual, Section 3.3.0, Technical Safeguards

    • Statewide Health Information Policy Manual, Section 4.1.1, Policies and Procedures

    • Statewide Information Management Manual, SIMM 5305-A, Information Security Program Management Standard

    • Statewide Information Management Manual, SIMM 5300-B, Information Security Program Management Standard

  • Revision History

    • Effective: 02/2012
      Revised: 12/23/2025