Health Care Department Operations Manual

Cancel

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

View All Sections >

2.2.6 Use and Disclosure of Protected Health Information: Special Exceptions

  • Policy

    • California Correctional Health Care Services (CCHCS) workforce members may use or disclose Specially Protected Health Information (PHI) as permitted or required by the special exceptions specified in this policy and the Statewide Health Information Policy Manual (SHIPM), Section 2.3.0, Specially Protected Information.

  • Purpose

    • To provide guidance on certain uses or disclosures of PHI based on specified exceptions in the law authorizing disclosure of PHI without patient authorization.

  • Responsibility

    • The Chief Privacy Officer shall have oversight of this policy including privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of personal information maintained by CCHCS.

  • Use and Disclosure of PHI

    • General Rules

      • As outlined in the Health Care Department Operations Manual  (HCDOM), Section 2.2.1, General Use and Disclosure of Protected Health Information and the HCDOM, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization, CCHCS workforce members may use and disclose PHI without a patient’s authorization for certain Treatment, Payment or Health Care Operations (TPO) activities, pursuant to and in compliance with a valid patient authorization, without a patient’s authorization pursuant to the specific exceptions in this policy, or as otherwise specifically permitted or required by law.

    • When Patient Authorization is not Required

      • PHI may be used or disclosed without a valid authorization pursuant to an exception required or permitted by law.  All disclosures of health records under this policy shall be performed by Health Information Management (HIM) workforce members in accordance with HIM policies and procedures including requirements related to tracking of disclosures.

      • CCHCS workforce members may use or disclose PHI without patient authorization for reasons other than for TPO including, but not limited to:

        • PHI when required to do so by federal, state, or local law.

        • When the use or disclosure is otherwise specifically permitted by law including, for example, the voluntary reporting to the U.S. Food and Drug Administration of adverse events related to drug products or medical device problems.

        • A coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or conducting other duties authorized by law pursuant to the SHIPM, Section 2.2.1, Decedents.

        • Health oversight activities authorized by law, including audits; civil, criminal, or administrative investigations, prosecutions, or actions; and licensing or disciplinary actions.

        • Judicial or administrative proceedings, in response to an order of a court, a valid subpoena, search warrant, or other lawful process unless prohibited or otherwise limited by federal or state law applicable to the program or activity requirements.

        • Limited law enforcement purposes, to the extent authorized by applicable federal or state law, CCHCS workforce members may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death because of criminal conduct; and provide information which constitutes evidence of criminal conduct on CCHCS premises.

        • Organ procurement organizations or other entities engaged in procuring, banking, or transplantation of cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

        • A local health department for the purpose of preventing or controlling disease, injury, or disability including, but not limited to, the reporting of disease, injury, vital events, including death, and the conduct of public health surveillance, public health investigations, and public health interventions as authorized or required by federal or state law or regulations.

        • Entities providing mere courier services without requiring routine access to such PHI, e.g., the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers providing mere data transmission services.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.512 – Uses and disclosures for which an authorization or opportunity to agree or object is not required

    • California Civil Code, Division 1, Part 2.6, Chapter 2, Section 56.10

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization

    • Health Care Department Operations Manual, Chapter 2, Article 3, Health Information Management

    • Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1 General Training Requirements

    • Statewide Health Information Policy Manual, Section 2.2.0, Uses and Disclosures

    • Statewide Health Information Policy Manual, Sections 2.2.1-2.2.17

    • Statewide Health Information Policy Manual, Section 2.3.0, Specially Protected Information

  • Revision History

    • Effective: 02/2012
      Revised: 05/20/2024
      Reviewed: 12/09/2025