Article 2 – Confidentiality and Privacy
2.2.9 Business Associate Use and Disclosure of Protected Health Information
-
Policy
-
California Correctional Health Care Services (CCHCS) is permitted to disclose Protected Health Information (PHI) to a business associate (BA) when CCHCS enters into a written Business Associate Agreement (BAA) with the BA.
-
-
Purpose
-
To specify when CCHCS may disclose a patient’s PHI to a CCHCS BA, and the provisions that shall be included in CCHCS contracts requiring a BAA.
-
-
Responsibility
-
The CCHCS Chief Privacy Officer (CPO) shall have oversight of this policy and shall facilitate its annual review for compliance with privacy laws, policies, and standards respecting the privacy rights of individuals. The CPO shall collaborate with the CCHCS Office of Legal Affairs (COLA) and shall elevate matters of organizational risk to executive leadership for decision.
-
-
Procedure
-
Use and Management of Business Associate Agreements
-
The current approved version of the CCHCS BAA shall be distributed to contracting units and posted on the intranet.
-
When another state agency, another entity, or a contracted organization requests access to or use of PHI, the CCHCS program shall notify the Privacy Office (PO) and the applicable CCHCS programs, such as the Direct Care Contracts Section, Acquisitions Management Services, Information Technology Services Division, Healthcare Invoicing Section, and Health Information Management.
-
The CCHCS program shall:
-
Execute the BAA.
-
Track and log all executed contracts that contain a BAA.
-
Send a report of all contracts, Data Sharing Agreements (DSAs), or Memoranda of Understanding (MOUs) containing BAAs to the PO on a quarterly basis, or as required for operational need.
-
-
The PO shall:
-
Maintain a current list of all contracts, DSAs, and MOUs containing BAAs.
-
Generate a current list upon request, based on contracting unit updates.
-
-
When CCHCS enters into an agreement with another government entity, CCHCS may fulfill the BAA requirement through an Interagency Agreement, MOU, or DSA that contains terms that accomplish the objectives of a BAA.
-
A BAA, DSA, or MOU shall be executed prior to exchange, access, use, disclosure, movement, or storage of PHI.
-
-
CCHCS Responsibilities Prior to Disclosure of PHI
-
Prior to disclosing PHI, CCHCS shall:
-
Enter into written agreements with the contractors who access PHI as part of the services they are providing. The agreement shall fulfill the minimum requirements of a valid BAA or comparable DSA, and the obligations of a BA regarding the privacy, security, and administrative activities relating to health information.
-
Ensure that written agreements safeguard electronic health information created, received, maintained, or transmitted by or to other organizations on behalf of CCHCS, and that they provide the same protections for electronic health information as for any other health information shared.
-
-
The current published version of the CCHCS BAA shall be used as the primary document when contracting with a BA.
-
The CPO, in consultation with COLA, may consider a BA’s proposed alternative language within the current published version of the BAA if the proposed language does not violate CCHCS or state privacy policy.
-
Only if the CCHCS BAA is not agreed to under Sections (d)(2)(B) or (d)(2)(B)(1) may an alternate form of BAA, such as the third party’s BAA, be used, and only following legal review and a recommendation by COLA.
-
-
CCHCS shall utilize the CDII-approved BAA template when conducting business with a No View Host Services Provider or a Cloud Services Provider.
-
-
Exceptions to the Requirement to Execute a Business Associate Agreement
-
For BA functions required by law, including, but not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, technology services, financial services, and similar services, CCHCS may disclose the minimum PHI necessary to comply with the legal mandate without meeting the requirements of a BA contract. The CCHCS program, in consultation with COLA, shall attempt in good faith to obtain satisfactory assurances that the BA will protect health information to the extent required by a CCHCS BAA. If such an attempt fails, CCHCS shall document the attempt and the reasons that such assurances could not be obtained.
-
A BAA between CCHCS and the subcontractors of a BA is not required when a valid CCHCS BAA is maintained with the BA; under 45 CFR 164.502(e)(1)(ii), the BA is responsible for obtaining equivalent written assurances from its own subcontractors.
-
A BAA is not required by law in the following situations, but CCHCS may still require an agreement containing the requirements of this policy when it discloses PHI:
-
Based on a patient’s or patient representative’s authorization.
-
To a health care provider concerning the treatment of an individual.
-
As a plan sponsor to the extent that CCHCS is acting in the capacity of a group health plan as defined in the Health Insurance Portability and Accountability Act of 1996.
-
To a government agency to determine eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent such activities are authorized by law.
-
To a covered entity participating in an organized health care arrangement that performs the function or activity of a BA to or for such organized health care arrangement by virtue of such contracted activities or services.
-
To a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to CCHCS and does not require access on a routine basis to such PHI.
-
Patient information, such as personally identifiable information, that does not constitute PHI.
-
Health information that is de-identified in accordance with the Health Care Department Operations Manual (HCDOM), Section 2.2.8, De-identification of Patient Information and Use of Limited Data Sets Policy.
-
-
-
CCHCS Responsibilities Post Execution of Business Associate Agreements
-
CCHCS’ responsibilities include, but are not limited to:
-
Receiving, logging, and reporting a patient’s complaints regarding the uses and disclosures of PHI by the BA.
-
Receiving, logging, and reporting notices from the BA of possible violations of the BA contract.
-
Instructing the BA on the process to notify CCHCS if or when any violations of law, policy, or contract occurs.
-
Monitoring BA performance to detect, and to ensure that the BA is not engaged in, a pattern or practice that violates its obligations under the BAA.
-
Implementing corrective action plans, as needed.
-
Mitigating, if necessary, known violations up to and including contract termination.
-
Coordinating any requested changes to a health record with the BA pursuant to HCDOM Section 2.3.16, Patient’s Right to Amend Health Record.
-
Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to the BA within two business days of the request.
-
Conducting risk analyses and risk assessments to:
-
Identify and evaluate any risks arising from BA relationships, and include them in the PO’s risk analysis.
-
Include in the CCHCS-wide risk assessment any risks identified from a specific BA relationship.
-
Verify and document, on a quarterly basis, the BA’s adherence to the privacy and security protocols required by law and by the State Health Information Policy Manual.
-
-
-
CCHCS shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of Health and Human Services (HHS) as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits when CCHCS is a BA of another covered entity.
-
-
Business Associate Responsibilities Post-Execution of Business Associate Agreements
-
BA responsibilities shall include, but are not limited to:
-
Transmitting data as permitted in the BAA and in compliance with:
-
Federal and state laws and regulations for Health Information Exchange, if applicable.
-
HCDOM Section 2.3.5, Health Information Exchange, if applicable.
-
-
Providing a patient, in response to the patient’s request to the BA, with access to or a copy of PHI about the patient (which may be in electronic form), or granting or transmitting such access or copy to a person or entity designated by the patient.
-
Documenting, tracking, and accounting for all disclosures, and responding to a patient’s request for an accounting of disclosures of PHI. The BA shall respond to accounting of disclosure requests to CCHCS, or to the patient at the direction of CCHCS, within 14 calendar days, including the information related to such disclosures required by Code of Federal Regulations, Title 45, Section 164.528.
-
Communicating a patient’s request regarding confidential communications and restrictions on use and disclosure to CCHCS within two business days of the request.
-
Adhering to a patient’s request regarding confidential communications and restrictions on use and disclosure when received directly from the patient or from CCHCS on behalf of the patient.
-
Notifying CCHCS if there is a violation of law, policy, or contract resulting in a breach or security incident no later than 24 hours after detection. Notification shall be made pursuant to the HCDOM Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.
-
Adhering to privacy and security protocols required by the BAA.
-
Identifying and informing CCHCS of the results of any risk analysis or assessment conducted by the BA that impacts its adherence to the BA’s obligations under the BAA.
-
-
The BA shall not require any patient to waive their right to file a complaint with the Secretary of the U.S. Department of HHS as a condition of the provision of treatment, payment, enrollment in a health care plan, or eligibility for benefits.
-
-
Business Associate Non-Compliance
-
If CCHCS becomes aware of a material breach or violation of a BAA or other arrangement, CCHCS shall take reasonable steps to mitigate the breach and end the violation. This may include providing consultation to the BA, terminating the BAA or agreement, and reporting the problem to the Secretary of the U.S. Department of HHS.
-
-
Updating Business Associate Agreements for Changes in Federal and State Laws
-
When changes occur in federal or state law that affect the requirements in the BAA or impact the obligations of a BA, the PO shall:
-
Revise the CCHCS BAA template.
-
Determine if an amendment is required to existing contracts that contain the prior version of the CCHCS BAA.
-
-
CCHCS contracting units shall coordinate the execution of the revised BAA with current vendors.
-
-
Business Associate Training Requirements and Contact Information
-
Any BA staff who will require access to CCHCS systems or PHI to perform their functions or activities under a contract or agreement shall complete information security and privacy awareness training prior to being granted access, as required by law.
-
For questions or clarification, please contact: CCHCSPrivacyOffice@cdcr.ca.gov or 1-877-974-4722.
-
-
-
References
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart C, Section 160.310 – Responsibilities of Covered Entities and Business Associates
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.502 – Uses and disclosures of protected health information: General rules
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.504(e) – Uses and Disclosures: Organizational Requirements
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.528 – Accounting of Disclosures of Protected Health Information
-
Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.530(b)(2)(i)(B) and (C)
-
Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.8, De-Identification of Patient Information and Use of Limited Data Sets
-
Health Care Department Operations Manual, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow
-
Health Care Department Operations Manual, Section 2.3.5, Health Information Exchange
-
Health Care Department Operations Manual, Section 2.3.16, Patient’s Right to Amend Health Record
-
State Health Information Policy Manual, Section 2.2.17, Health Information Exchange
-
State Health Information Policy Manual, Section 4.4.1, Business Associate Agreement
-
State Health Information Policy Manual, Section 4.4.2, Oversight of Business Associates
-
State Health Information Policy Manual, Section 4.6.1, Contractors
-
21st Century Cures Act, Public Law No. 114-255 (12/13/2016)
-
-
Revision History
-
Effective: 02/2012
Revised: 12/23/2025
-