Chapter 2 – Patients’ Entitlements and Responsibilities

Policy

• California Correctional Health Care Services, Health Information Management shall:

• Ensure availability of accurate and complete patient health care information to authorized users.

• Ensure quality of patient health related information.

• Ensure privacy and security of patient health information.

• Ensure access to health records to support patient health care needs.

• Ensure appropriate quality controls and other monitoring mechanisms for all ambulatory, inpatient, and outpatient documentation.

• Manage the release of Protected Health Information, to include use and disclosure and other release of information processes and functions.

• Ensure appropriate coding such as International Classification of Diseases is completed for all inpatient admissions.

Purpose

• To ensure maintenance, storage, retrieval, accessibility, retention, and destruction of patient health information. “The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization” (American Health Information Management Association: Fundamentals of the Legal Health Record and Designated Record Set).  Patient records consist of paper-based records, electronic records, and other media that documents the patient’s health care.

Responsibility

• The Chief Executive Officer, or designee, Health Records Technician III, and Health Records Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• Under the direction of the Deputy Director, Medical Services, the Medical Record Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this policy through consultation services pursuant to Title 22.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall adhere to established rules, guidelines, and statutes that protect patient privacy, confidentiality, security, access to, use, and disclosure of Protected Health Information (PHI).  HIM, Health Records, and Information Technology Units shall ensure:

• The use of appropriate technical safeguards, as stated in 45 Code of Federal Regulations Part 164, Subpart C, to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI.

• Any tampering of PHI is identified and reported, as appropriate.

• Availability of health information is readily accessible to the extent possible.

• Capability of storing information pursuant to retention requirements.

• Availability of backup and restore operation.

• Management review of security periodically for necessary changes as a result of technology evolution.

• Periodic risk assessments conducted by management in accordance with State Administrative Manual, Section 5305.6, Risk Management, to ascertain the threats and vulnerabilities that impact CCHCS and HIM assets, and implement appropriate mitigations.

Purpose

• To ensure protection of patient, privacy, security, access to, use, and disclosure of PHI.

Policy Responsibility

• The Chief Executive Officer, or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• The CCHCS Information Security Officer shall validate the security component for access to electronically stored PHI.

Procedure Overview

• CCHCS HIM shall ensure all employees are informed of and follow established rules, guidelines, and statutes that protect patient privacy, security, access to, use, and disclosure of PHI. As new technologies evolve with the use of computerized patient health records, HIM staff shall implement and reinforce procedures for authorizing access to PHI.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring and evaluation of this procedure.

Procedure

• PHI Identifiers

  • Any of the following personal data identifiers, used in combination with a medical condition, becomes PHI and shall not be disclosed without proper authorization or approval:

  • Names.

  • All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes.  However, the initial three digits of a zip code may remain on the information if, according to current publicly-available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits for all such geographic unit containing 20,000 or fewer people is changed to 000.

  • All elements of dates (except year) directly relating to the patient including birth date, dates of admission and discharge from a health care facility, and date of death.  For persons age 90 and older, all elements of dates (including year) that would indicate such age must be removed, except that such ages and elements may be aggregated into a single category of “age 90 and older.”

  • Telephone numbers.

  • Fax numbers.

  • Electronic mail addresses.

  • Social security numbers.

  • Health record numbers.

  • Health plan beneficiary numbers.

  • Account numbers.

  • Certificate or license numbers.

  • Vehicle identifiers and serial numbers including license plate numbers.

  • Device identifiers and serial numbers.

  • Web Universal Resource Locators.

  • Internet Protocol address numbers.

  • Biometric identifiers including fingerprints and voiceprints.

  • Full face photographic images and any comparable images.

  • Any other unique identifying number, characteristic, or code.

• Accountability

  • All CCHCS/California Department of Corrections and Rehabilitation (CDCR) health care employees shall ensure PHI is covered or unable to be viewed at all times when information is not in use.

  • All computerized systems shall be protected with a unique user ID and a complex password.

• Backup and Storage of PHI

  • All CCHCS/CDCR health care employees shall ensure that any tampering of PHI is identified and reported to the Information Security Officer.

  • HIM, Health Records, and Information Technology Units shall ensure:

    • The use of appropriate technical safeguards, as stated in 45 Code of Federal Regulations Part 164, Subpart C, to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI.

    • Any tampering of PHI is identified and reported, as appropriate.

    • Availability of health information is readily accessible to the extent possible.

    • Capability of storing information pursuant to retention requirements.

    • Availability of backup and restore operation.

    • Management review of security periodically for necessary changes as a result of technology evolution.

    • Periodic risk assessments conducted by management in accordance with State Administrative Manual, Section 5305.6, Risk Management, to ascertain the threats and vulnerabilities that impact CCHCS and HIM assets, and implement appropriate mitigations.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) staff shall:

• Understand and adhere to applicable federal and state statutes and regulations to ensure patient privacy as well as control access to, use, and disclosure of Protected Health Information (PHI). 

• Safeguard both the health record and its contents against loss, defacement, tampering, and from disclosure or use by unauthorized individuals in accordance with Information Security Office mandates.

• Ensure Headquarters (HQ) reviews all requests from external entities.

Purpose

• To ensure patient health information is protected against loss, defacement, tampering, and unauthorized disclosure.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services:

  • HIM HQ and Institution Health Records staff are responsible for the implementation and monitoring of this policy for currently incarcerated persons.

  • Health and Imaging Record Center (HIRC) staff are responsible for the implementation and monitoring of this policy for paroled or discharged incarcerated persons.

• The Chief Executive Officer, or designee, Health Records Technician (HRT) III and HRT II of each institution, and HIRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy, and shall establish and maintain local operating procedures to carry out the requirements herein.

Responsibility

• Information Technology department staff are responsible for provisioning access to the Electronic Health Record System in accordance with established policy, procedures, and guidelines.

Procedure

• The requestor, or designee, shall complete and submit a PHI access provision request through the CCHCS Service Portal.

• CCHCS HIM shall ensure patient health information is available as needed by health care staff and others who have authorized access.

Policy

• California Correctional Health Care Services (CCHCS) shall release requested Protected Health Information (PHI) with authorization in accordance with applicable law, timely evaluation, and appropriate processing.

Purpose

• To provide guidance regarding the required criteria for handling and responding to routine requests for release of PHI for purposes other than treatment payment and health care operations, and where required or permitted by law.

Applicability

• This policy applies to the release of PHI in any form (health records, other types of written communication, and verbal information) pursuant to a valid authorization, court order, administrative order, or subpoena.

• This policy does not apply to disclosures permitted by law in which a patient authorization is not required for release of information. Refer to the Health Care Department Operations Manual (HCDOM) Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions for these special situations.

Responsibility

• Statewide

  • Under the direction of the Deputy Director, Medical Services, and Health Information Management (HIM) Chief:

  • Institution Health Records staff, within the scope of their authority, are responsible for oversight, implementation, monitoring, and evaluation of this policy for current patients.

  • Health and Imaging Record Center (HIRC) staff, within the scope of their authority, are responsible for oversight, implementation, monitoring, and evaluation of this policy for paroled or discharged persons.

  • Health Records staff at institutions (for currently incarcerated persons), and HIRC staff (for paroled and discharged persons) are responsible for processing all other requests for health information.

• Regional

  • Health Care Executives are responsible for the administration of this policy at the subset of institutions within their assigned region.

• Institutional

  • The Chief Executive Officer (CEO), or designee, of each institution has the overall responsibility for implementation and ongoing oversight of this policy.

• CCHCS workforce members shall ensure compliance with this policy and federal and state privacy laws containing protections and additional restrictions for the access, use or disclosure of PHI.

Procedure

• Routine Authorization

  • Workforce members shall respond to a valid written authorization for release of PHI. CCHCS shall accept either the CDCR 7385, Authorization for Release of Protected Health Information, or an alternative form that conforms to the requirements of Section (e)(4) below.

  • For access purposes, patient representatives shall be treated in the same manner as the patient who is the subject of the health information unless there is an exception set forth in (e)(6)(B)(3) below.

• Court Orders, Administrative Order or Subpoena

  • Workforce members shall comply with all properly executed court orders, administrative orders, or subpoena in accordance with section (e)(6) and (e)(7) as follows:

    • If a court order, administrative order, or subpoena arrives at an institution through the Litigation Coordinators, it shall be transmitted to HIM for record collection.

      • Unless otherwise advised by legal counsel, CCHCS shall comply with a subpoena that is not accompanied by a court order compelling disclosure of PHI if:

        • CCHCS receives satisfactory assurances from the party seeking the PHI that the patient has received notice of the subpoena, or a good faith effort has been made to provide the patient with notice of the subpoena, in the form of a written statement and accompanying documentation demonstrating that:

          • The party requesting such information has made a good faith attempt to provide written notice to the patient (or if the patient’s location is unknown, to mail a notice to the patient’s last known address);

          • The notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the patient to raise an objection to the court or the administrative tribunal; and

          • The time for the patient to raise objections to the court or administrative tribunal has elapsed, and there were either no objections filed, or all objections filed by the patient have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution; or

        • A qualified protective order has been agreed to by the parties and issued by the jurisdictional court.

    • HIM shall consult with legal counsel regarding any court order, administrative order, or subpoena, based on enforcement of another state’s law, that is related to protected health care services that are lawful in this state, including reproductive services and gender affirming care.

    • If a court order, administrative order, or subpoena arrives at HIM, and validity of the documents is in question, HIM staff shall collaborate with legal counsel and the Health Care Litigation Support Section, as necessary, to ensure proper review, and determination of validity.

• Special Authorization

  • Specially Protected Health Information

    • Patients must specifically authorize the release of the following specially protected health information:

      • HIV Test Results. A written authorization is required for each separate disclosure.

      • DDS Service Records, which includes regional center developmental disability information and records for services provided to persons with developmental disabilities in a developmental disability center covered under Division 4.1, Division 4.5, Division 6, or Division 7, of the Welfare and Institutions Code (“DDS Services”). Records related to developmental disability services provided inside CDCR do not constitute “regional center developmental disability information.”

      • Part 2 Program Service Records, which include substance use treatment information and records relating to the identity, diagnosis, prognosis, or treatment of any patient by a federally assisted alcohol or drug treatment program regulated by the Federal Code of Regulations, Title 42, Part 2, including a Narcotic Treatment Program (“Part 2 Program Services”). Records related to alcohol and drug treatment provided by CCHCS do not constitute “substance use treatment information,” because CCHCS is not a Part 2 program.

    • The release of any specially protected health information is subject to CCHCS policy and applicable law.

  • Genetic Information for Underwriting Purposes

    • CCHCS shall not use or disclose genetic information for underwriting purposes. HIM shall consult legal counsel to discuss any authorization requests specifically related to genetic information.

  • Psychotherapy Notes

    • CCHCS providers do not create psychotherapy notes.  Further, CCHCS does not make it a practice to request, nor is it an expectation to accept psychotherapy notes when CCHCS requests mental health records from outside providers for the continuity of care of patients. HIM shall consult legal counsel to discuss any authorization requests specifically related to psychotherapy notes.

  • Mental Health Records

    • Mental health records are PHI and have the same protection afforded to other PHI. The only mental health records that have heightened protection are psychotherapy notes.

• Components of a Valid Authorization

  • Format of Authorization

    • The authorization shall:

      • Have typeface of a least 14-point font or be a handwritten document.

      • Be clearly separate from any other language present on the page.

  • Identification of Patient

    • The authorization shall include the patient’s name, CDCR number, and date of birth.

  • Identity of Disclosing Party

    • The authorization shall include the name or other specific identification of the person(s) or organization(s) authorized to disclose the PHI.

  • Identity of Recipient

    • The authorization shall include the name or other identification of the person(s), class of persons, or organization(s) authorized to receive the PHI.

  • Specific Description of Information Authorized for Release

    • The authorization shall include a specific and meaningful description to instruct HIM regarding the PHI to be disclosed.

  • Purpose of Use or Disclosure

    • The authorization shall include a description of each purpose of the requested use or disclosure, including any limitations on the use or disclosure of the PHI by the persons or entities authorized to receive the PHI.

  • Expiration

    • The authorization shall include an expiration date or event, which must be limited to one year unless the person signing it requests a longer timeframe.

  • Statement of Right to Revoke

    • The authorization shall include a statement that the patient has a right to revoke the authorization.  The statement shall also explain how revocation is accomplished, including that it shall be in writing, and tell the patient about exceptions applicable to the revocation. 

  • Signature and Date

    • For the patient, the authorization shall be signed and dated by the patient and the signature shall serve no other purpose than to execute the authorization.

    • For the agent, the authorization shall be signed and dated by the agent and shall include a description of the agent’s authority to act on behalf of the patient. A copy documenting the agent’s authority shall be attached (e.g., power of attorney, letters issued in estate proceeding, or declaration of next of kin.)

  • Authorization as a Condition

    • The authorization shall state that CCHCS cannot condition treatment of the patient on obtaining a signed authorization.

  • Redisclosure

    • The authorization shall state that if the person or organization that receives the PHI is not subject to the Health Insurance Portability and Accountability Act of 1996, then the PHI may be subject to disclosure and may no longer be protected by federal and state privacy regulations.

  • Copy

    • The authorization shall state that the person signing it has the right to receive a copy of the authorization.

• Defective Authorizations

  • An authorization is not valid, and shall not be relied upon to disclose PHI if:

    • The expiration date or event has passed.

    • Any required information is missing.

    • It has been revoked.

    • CCHCS becomes aware that information in the authorization is false.

    • The authorization violates restrictions on authorizations, such as combining the release of PHI with a patient’s consent for care.

  • If an authorization is not valid, HIM shall notify the patient of why the authorization is not valid.

  • If changes are necessary to an authorization, the requester may submit a new authorization form.

• Releasing PHI

  • Verification of Identity and Legal Authority

    • Identity

      • CCHCS shall verify the identity of any person or entity requesting disclosure if the identity is not already known.

    • Authority

      • CCHCS shall verify the authority of any person or entity requesting disclosure that is not the patient and if the authority is not already known.  Acceptable forms of documentation that give authority include:

      • Power of Attorney (shall include a provision that allows medical decision-making or release of health records).

      • Next of Kin declaration (for deceased patients only).

      • Other form of official documentation (e.g., identification of party as executor of the will, administrator of the estate or conservator).

    • The verification requirements are satisfied if CCHCS relies on the exercise of professional judgement in making a use or disclosure or acts on a good faith belief in making a disclosure.

  • Processing Request and Preparation of Records

    • Log Receipt of Request

      • Upon receipt of a valid authorization or a properly executed court order, administrative order, or subpoena, CCHCS shall log the request into the Access HIM application in the Electronic Health Record System.

    • Identify Information for Release

      • CCHCS shall retrieve the requested documents from the record, corresponding with the requestor if necessary. If the requested documents are in paper format, they shall be scanned into the health record.

      • CCHCS shall prepare only the minimum necessary amount of PHI to be released pursuant to the authorization, order, or subpoena; however, if the patient has requested the release of information, the minimum necessary standard does not apply.

      • HIM shall redact information that has not been authorized for release.

      • HIM shall include a disclosure statement when applicable.

        • The following disclosure statement must accompany a disclosure of HIV test results:

        • “This information has been disclosed to you from records whose confidentiality is protected by state law. State law prohibits you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by law. A general authorization for release of medical or other information is not sufficient for this purpose.”

        • The following disclosure statement must accompany a disclosure of substance use treatment information (services provided outside CDCR):

        • “(1) This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see §2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65; or (2) 42 CFR part 2 prohibits unauthorized disclosure of these records.”

    • Exceptions to Granting Access

      • For access purposes, patient representatives shall be treated in the same manner as the patient who is the subject of the health information unless there is a reasonable belief that:

        • The patient has been or may be subject to domestic violence, abuse, or neglect by the individual.

        • Treating such individual as the patient’s representative could endanger the individual.

        • CCHCS, in the exercise of their expert knowledge and opinion, decides it is not in the best interest of the patient to treat the individual as the patient’s representative.

      • CCHCS shall not release health information compiled in anticipation of use in a civil, criminal, or administrative action or proceeding.

      • CCHCS may deny releasing PHI obtained from someone other than a health care provider under a promise of confidentiality if the release would be reasonably likely to reveal the source of the information.

      • Review of Mental Health Records Prior to Release

        • If a request is for release of mental health records to an individual (e.g., patient, patient representative, family member), then HIM shall submit the records to the Chief of Mental Health, or their designee for review to determine whether there is a substantial risk of significant adverse or detrimental consequences to the patient or another person if the patient or patient representative reviews the records.

        • If the Chief of Mental Health, or designee, determines the records may be released, then they shall notify HIM and HIM shall release the records within 15 business days of the date of the patient’s initial request.

        • If the Chief of Mental Health, or designee, determines the records should not be released in their current form, then the following shall occur:

          • The Chief of Mental Health, or designee, shall provide HIM with the following:

            • Documentation which indicates what records shall not be released with a description of the “specific adverse or detrimental consequences to the patient” the provider anticipates would occur if review were permitted.

            • A statement to be shared with the patient that, in plain language, provides an explanation for refusing the release and information regarding the patient’s option to permit inspection by an alternative licensed mental health provider or licensed social worker, and information regarding how to file a complaint or health care grievance.

          • Upon receipt of that information, HIM shall:

            • Scan the provider’s documentation and statement into the health record.

            • Provide the patient with notification of the refusal to permit inspection of certain records, reason for the refusal (the statement prepared by the provider), information regarding the patient’s option to permit inspection by an alternative licensed mental health provider or licensed social worker, and information regarding how to file a complaint or health care grievance.

            • If the patient requests an alternative provider review their records, HIM shall log the request and provide copies of the records to the licensed mental health professional designated by the patient.

      • CCHCS may deny, in whole or in part, a patient’s request to obtain PHI, if obtaining PHI would jeopardize the health, safety, security, custody, or rehabilitation for the patient or other patients, or the safety of any officer, employee, or other person at CCHCS or responsible for the transporting of the patient.

      • CCHCS shall comply with the federal information blocking regulations as outlined in 45 CFR Part 171 and will not engage in practices that unreasonably interfere with the access, exchange, or use of electronic health information.

      • If CCHCS denies access, a written statement shall be provided by the determinant describing the basis for the denial and an explanation of the patient’s options for review of the denial, which may include completing a CDCR 602-HC Health Care Grievance.  Further, HIM shall make a written record to be included with the health records requested, noting the date of the request and the reason for refusing to permit release of the records.

  • Arrange Delivery

    • Verbal

      • CCHCS shall verbally release information to a recipient who has a valid authorization and shall document such release in the health record.

    • Written

      • HIM shall release the records along with a declaration of records and shall document such release in the health record.

  • If the records were released pursuant to a court order, administrative order, or subpoena, HIM shall scan the signed document into the health record.

• Accounting of Disclosures

  • CCHCS shall keep an accurate accounting of each disclosure as set forth in the HCDOM Section 2.2.18, Accounting of Disclosures.  The accounting shall include the name of the patient, a description of the PHI disclosed, a brief description of the reason for the disclosure (e.g., subpoena, completed CDCR 7385), the date of the disclosure, and the name, title, and address of the individual or organization to whom the disclosure was made.

• Processing Timeframes

  • If a request is valid and the information can be located, CCHCS staff shall provide the records within 15 business days.

  • If a request is valid but CCHCS does not maintain the record, CCHCS workforce members shall notify the patient within 15 business days and advise the patient of where to direct their request for access if CCHCS knows where the PHI is maintained.

  • If a request is valid but CCHCS cannot produce the records within 15 business days, CCHCS staff shall provide written notification advising the patient of a delay and the estimated date by which the records will be provided.  CCHCS has an additional 15 business days to produce the records.

  • If an authorization is not valid CCHCS staff shall notify the patient within 15 business days and provide them with the opportunity to complete a new authorization.

• Fee Schedule

  • CCHCS shall not charge a currently incarcerated person for the release of health records.

  • CCHCS may charge a fee (to parties that are not currently incarcerated persons, pursuant to section (e)(9)(A) above) to offset the costs associated with responding to requests for health records. The fee shall be consistent with applicable federal and state law and shall be based on an assessment of factors such as the current cost of equipment and supplies, labor costs, postage, and administrative overhead.

• Authorization Modification or Revocation

  • To modify or revoke an authorization, the patient shall send a written revocation to CCHCS. If CCHCS receives a written revocation, all disclosure of PHI shall stop, except as follows:

    • Any actions taken in reliance on the authorization before the receipt of the modification or revocation are not affected by the modification or revocation.

    • If a partial revocation is received, the disclosure of PHI not affected by the partial revocation shall continue.

  • Exceptions to a Written Revocation Rule.

    • CCHCS may request but cannot require a revocation for substance use treatment information (services provided outside CDCR) to be in writing.  The patient may revoke the authorization verbally or in writing.

• Documentation of all Authorizations, Modifications and Revocations
  CCHCS shall maintain any authorization, modification, or revocation applied to authorizations for a minimum of six years from the date of request.

Policy

• California Correctional Health Care Services (CCHCS) health care and administrative programs that exchange data shall ensure Protected Health Information (PHI) transmitted through the Health Information Exchange (HIE) is in compliance with applicable federal and state privacy and information security laws and regulations and CCHCS Information Technology (IT) policies. Data/information shall be conveyed via an encrypted enterprise standard transfer mechanism.

Purpose

• To ensure patient confidentiality and privacy protection during the exchange of health-related documentation via the designated portal, and to ensure disclosure of PHI is documented pursuant to Code of Federal Regulations, Section 164.528, Right to Accounting Disclosures of PHI.

Responsibility

• Under the direction of the Chief Privacy Officer, or designee, the Privacy Office (PO) is responsible for the monitoring and evaluation of this policy.

• Health care and administrative programs and institutional Hiring Authorities, or designees, are responsible for the implementation of this policy.

Procedure Overview

• HIE is used by providers to securely transmit patient health information directly to external health care professionals. This information is transmitted via the internet in an encrypted and secure method amongst health care professionals with a trusted relationship. This form of information exchange enables coordinated care, benefitting both providers and patients.

• When HIE is initially requested on behalf of CCHCS, another state agency or entity, or a contracted organization, the health care and administrative programs shall notify the PO, IT, Health Information Management (HIM), and other relevant headquarters administrative programs such as Direct Care Contracts Services (DCCS), Acquisitions Management Services (AMS), and Health Care Invoicing Section (HIS).

• After an agreed-upon HIE is implemented, health care or administrative programs shall notify the PO, DCCS, IT, HIS, and HIM, and the contract managers for contracts executed by AMS, when HIE begins, to ensure tracking or logging of all HIE events.

• CCHCS utilizes the following measures and processes to disclose PHI for HIE purposes.

  • When contracted with an organization to exchange PHI via HIE, CCHCS shall enter into a contract with the organization with which it intends to exchange information. The agreement shall address the minimum requirements of a valid Business Associate Agreement (BAA) or comparable Data Sharing Agreement (DSA) to fulfill all of the requirements and obligations of a Business Associate regarding the privacy, security, and administrative activities relating to health information pursuant to the Health Care Department Operations Manual (HCDOM) Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information.

  • The agreement shall ensure that the organization safeguards electronic health information created, received, maintained, or transmitted to or by the organization on behalf of CCHCS, and that the documents address the same safeguards and protections for electronic health information as for any other health information shared.

  • A valid contract or other agreement shall be agreed upon and implemented between CCHCS and organizations prior to using, disclosing, moving, or storing PHI for HIE purposes.

  • When CCHCS and the organization are both government entities, CCHCS may fulfill the agreement requirement with a Memorandum of Understanding that contains terms that accomplish the objectives of a BAA.

Procedure

• Health care and administrative programs within CCHCS, including, but not limited to, contracting units, involved in data transfer of PHI for treatment, payment, research, or continuity of care for oversight, compliance, or litigation purposes, shall report all HIE activities to the Chief Privacy Officer. The PO shall provide a current list of HIE contracted entities to oversight agencies upon request.

• BAA or DSA shall be executed prior to the exchange of health information.

• Health care administrative programs shall coordinate communication between the contracted organization and IT to begin the process of HIE.

• IT staff shall coordinate with health care, administrative programs, or other entities that request HIE when new HIE is initiated under existing or newly negotiated contracts, or DSAs. IT staff shall generate a report of all contracted entities CCHCS engages in HIE and provide the report to the PO on a quarterly basis, at minimum, and as needed.

• Health care and administrative programs shall report changes to the contract list to the PO quarterly.

• Health care and administrative programs shall notify the PO when CCHCS engages in HIE with different types of entities pursuant to the Statewide Health Information Policy Manual Section 2.2.17.

• Health care and administrative programs engaging in HIE shall verify with IT that a BAA or DSA is on file for each entity CCHCS engages in HIE.

• The PO shall maintain a current list of all contracted entities CCHCS engages in HIE and generate a current list based on contracting unit updates upon request.

• Requirements for HIE

  • Under direction of executive leadership, directors, or their designees, staff in each health care and administrative program shall contact the contracted organization to execute all necessary controls prior to initiating HIE.

• Downtime

  • The paper process to exchange the documentation shall be followed pursuant to the HCDOM, Section 2.3.13, Health Record Application/System Downtime Contingency Plan.

• Facsimile Correspondence

  • Cover Sheet

    • Attach the cover sheet to all facsimile correspondence as the first page.

    • Include the following two statements on the cover sheet:

      • “Transmittal is Confidential.”

      • “If the information transmitted is received by someone other than the intended individual, the sender shall be immediately notified.”

  • Transmittal and Post Transmittal Verification

    • When documents are sent by facsimile, the responsible CCHCS staff shall:

      • Phone the recipient to verify the recipient’s name and facsimile number along with patient name and CDCR number and inform him/her of the imminent transmission.

      • Ask that the recipient stay near the facsimile machine to intercept the documents.

      • Obtain verification of receipt of health care information by reviewing the confirmation print-out from the facsimile machine.

      • Contact the recipient to verify that all documents were received and document the verification task. If the recipient confirms that the record is incomplete, then the documents should be resent to the recipient. Once the documents are successfully confirmed to be received by the recipient, the facsimile log will reflect all attempts to provide the documents via facsimile.

  • Facsimile Log

    • Record all facsimile transmissions into the Facsimile Log and include:

      • The name, address, and telephone number of the sending and/or receiving entities.

      • The name of the patient and CDCR number.

      • The number of pages sent and/or received.

      • The date of transmittal.

      • The date Recipient verified receipt of the documents.

  • Misdirected facsimile tracking

    • In a document has been determined to be sent to the incorrect party the following steps must be taken:

      • Verify the information with the internal log (i.e., facsimile number, recipient name).

      • Contact the recipient via telephone or facsimile to explain the misdirection.

      • Request the destruction or return of all documents sent via facsimile in error.

      • Record the response on the facsimile cover letter and in the Facsimile Log.

      • Follow the CCHCS Health Care Department Operations Manual, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure all health related patient documents are located in the health record. The health record shall be organized systematically to facilitate data retrieval and compilation, and information shall be arranged in an easily accessible format and order.

Purpose

• To ensure all patient health related information is contained in the health record.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all health care documentation is accurately included in the health record following patient encounters/treatment. The health record shall be organized systematically in order to facilitate data retrieval and compilation. HIM staff shall reference the Organization List when including documents in the appropriate sections of the health record. The Organization List shall be used as a reference tool for training and ongoing maintenance of patient health record documentation.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, the Medical Records Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this procedure through consultation.

• The CEO, or designee, HRT III, and HRT II are responsible for ensuring that applicable patient health related information is contained in the health record.

• HIM supervisors are responsible for ensuring all staff are trained on current policies and procedures related to the organization and placement of documents in the health record.

Procedure

• Chart Organization

  • HIM staff organize documents according to document type and then by encounter/treatment date.

  • Patient identification:

    • Verify the Protected Health Information is referencing the correct patient California Department of Corrections and Rehabilitation (CDCR) number.

    • Verify the CDCR number is on all of the documents.

    • Validate the CDCR number is the same in the health record.

  • Proper placement of documentation in the health record viewer:

    • Refer to the Organization List (on the CCHCS Intranet) for correct placement of all approved health care forms/documents in the health record.

• Unidentifiable Information

  • HIM staff verify patient identifiers such as name, date of birth, and CDCR number in the CDCR California Incarcerated Records and Information Search and/or Strategic Offender Management System.  If unable to verify the patient identifiers, notify the HIM Supervisor immediately.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure all paper documents received are scanned in a timely manner and readily accessible in the health record for viewing to support continuity of care.

Purpose

• To ensure availability of patient health information.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all staff are informed of and follow established rules and guidelines for scanning patient health information.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this procedure.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• HIM staff shall scan Day Forward Documents received within 24 hours of receipt.

• HIM staff shall scan urgent/emergent documents immediately upon receipt.

• Specialty Reports shall be scanned into the chart within five calendar days from the date of the patient encounter.

• Hospital records (outside facility) shall be scanned into the chart within three calendar days from the date the patient is discharged.

• HIM staff shall combine multiple documents into a single PDF.

• HIM shall index and perform quality checks prior to uploading the document(s) into the health record.

• HRC staff is responsible for scanning archive documents that are housed at the HRC.

Policy

• California Correctional Health Care Services (CCHCS) shall ensure all health record documentation meets federal and state legal, regulatory, and accreditation requirements.  Health Information Management (HIM) and Health Records shall implement systems and processes for quality control and analysis; documents must be complete in order to provide the information necessary for timely continuity of care and patient safety.

Purpose

• To ensure HIM staff adheres to federal and state legal, regulatory, and accreditation requirements.  These requirements shall encompass systems that will allow for analytical and statistical retrieval of data.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Records Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Records Technician III (HRT III), and Health Records Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• To ensure HIM staff adhere to state and federal legal, regulatory, and accreditation requirements.  These requirements must encompass systems that will allow for analytical and statistical retrieval of data.

Procedure Responsibility

• The CEO, or designee, HRT III, and HRT II Supervisor are responsible for ensuring the health record is analyzed for accuracy and completion and is readily accessible for patient care.  They are also responsible for ensuring health care documents are in the health record timely.

• Under the direction of the Deputy Director, Medical Services, the Medical Record Directors at headquarters are responsible for the oversight, implementation, monitoring, and evaluation of this procedure through consultation.

Procedure

• HIM staff shall analyze documents in the health record to ensure compliance with the following general documentation guidelines:

  • An individual health record shall be established for every patient who receives care.

  • Content and format of the health record shall be uniform and use only approved California Department of Corrections and Rehabilitation (CDCR) forms.

  • For patient safety reasons, abbreviations, acronyms, and symbols shall be used only when their meanings are understood and they are on the CCHCS approved list of abbreviations and symbols.

  • All entries shall be legible.

  • The patient’s name and CDCR number shall appear on every individual paper document that contains Protected Health Information (PHI).  The patient demographic information shall appear on every screen in the health record.

  • Documentation shall be clear, concise, objective, reflect factual information, and be written using specific language.  Avoid using vague or generalized language. Remarks critical to the care or services provided by others shall not be included in the health record.

  • Clinicians shall indicate that they have reviewed diagnostic reports by initialing and dating each report.  A plan of care that addresses any abnormal test results shall be documented in the health record.

  • All verbal consents for health care procedures shall be documented, and the originals of signed consent forms shall be placed/scanned in the health record.

  • All health record entries must be authenticated and include the date (month, day, and year), time, and signature or initials and credentials of the author.

  • All patient encounters shall be documented in the health record including all patient education and validation that effective communication was provided and appropriately documented.

  • In addition to the handwritten signature, the clinician may use a personal rubber stamp which contains the clinician’s name and title for increased legibility.

• Any author documenting in the health record shall be responsible for the completeness and accuracy of their entries.

• All clinical documentation errors shall be corrected by the clinician in compliance with federal and state statutes and regulations.

• All amended documents shall be scanned into the health record.

  • Request for amendments are received by the HIM Department.

  • HIM staff shall:

    • Log each request into the Patient Access Log.

    • Review the request for the type of changes requested.

    • Conduct a preliminary review of the health record.  Compare the original entry with the requested changes.

  • If informational content changes are requested:

    • Forward the request to the Chief Medical Executive (CME) or Chief of Mental Health as appropriate for review and action.

    • The CME or Chief of Mental Health and the treating clinician shall confer and review the amendment request.

    • If request for amendment is approved, clinicians shall follow Section (f)(4)(D) below.

    • If request for amendment is not approved, clinicians shall follow Section (f)(4)(E) below.

    • HIM staff shall scan all patient requests for amendment into the Medico-Legal section of the health record upon receipt from the clinician.

  • To process amendment requests:

    • The original entry shall not be obliterated or deleted.

    • Enter the amended information into the health record.

    • Make a notation at the point of the original entry, in the margin or by attaching a note to the entry, that an amendment notice has been made and reference the amended information.

    • Record the reason for the amendment or refer to the patient’s written request.

    • Document the statement of facts.

    • Date and time the amendment using the 24-hour clock.

    • Sign the amendment with full name and title.

    • Identify the location of any secondary records that substantiate the amendment.

  • Respond in writing to the patient if the request is denied:

    • Indicate action taken, e.g., “amendment notice filed this date.”

    • Attach a copy of the response to the written request and forward to HIM to incorporate into the patient’s health record.

  • Include any amendments or requests for amendments in all subsequent releases of health information requests.

• An addendum is another type of late entry that is used to provide additional information in conjunction with a previous entry.  With this type of correction, a previous note has been made and the addendum provides additional information to address a specific situation or incident.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure patient health information is stored and maintained in a secured environment.

Purpose

• To ensure all health record documents are stored in a safe and secure environment from which patient health information can be easily retrievable, available, accessible, and viewable to clinicians.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure all health record documents are stored in a safe and secure environment. Patient health information shall be easily retrievable, accessible, and viewable electronically by clinicians.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this procedure.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• Health Record Document Storage and Retrieval

  • Document Storage

    • HIM staff shall package and ship documents to a designated archive location.

    • All Day Forward scanned documents shall be sent to the HRC for storage.

  • Document Retrieval

    • All scanned documents archived at the HRC shall be stored in an easily retrievable manner.

• Paper Health Record Storage and Retrieval

  • All paper based health records shall be maintained and stored at the HRC.

  • Documents indexed in the paper health records shall be easily retrievable upon request.

• Inpatient Paper Health Records

  • The paper health records for inpatient admissions shall be stored in the local HIM Department at the institution where the admissions occurred.

  • The local HIM Department shall be responsible for the maintenance and retrieval of the complete original inpatient chart.

Policy

• California Correctional Health Care Services Health Information Management (HIM) shall ensure the Error Process is utilized to help mitigate and correct scanned documents that may have been misfiled or have other documentation errors in the health record.

Purpose

• To ensure the health record is accurate.

Applicability

• This policy applies to HIM and Exception Processing Team (EPT) staff who are responsible for correcting scanned patient health documentation.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Records Center staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer, or designee, Health Records Technician III, and Health Records Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall ensure staff is knowledgeable of the EPT process. The Exception Types include:

• Document belongs to a different California Department of Corrections and Rehabilitation number.

• Document is filed in the wrong Tab.

• Document is filed in the wrong Sub Tab.

• Wrong Document Type.

• Wrong Encounter Date.

• Other.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, and the Chief of HIM, the EPT is responsible for making all necessary corrections to the health record.

Procedure

• The EPT process is utilized when the health record user discovers an error in scanning (i.e., the document is scanned to the wrong Tab or Sub Tab or the document is placed in the wrong health record) at which time the user shall file/send an exception report to the EPT.

• All reported exceptions shall be reviewed and processed by the EPT.

Policy

• California Correctional Health Care Services Health Information Management (HIM) shall ensure retention for health records, both paper-based and electronic format, are in accordance with federal, state, and local regulations.  Paper-based and electronic health records are retained for ten years after discharge from the California Department of Corrections and Rehabilitation.

Purpose

• To ensure HIM staff adhere to the recommended retention period for paper-based and electronic health records.

Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer, or designee, Health Record Technician III, and Health Record Technician II of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

• HRC and Institution Health Records staff are responsible for destroying or arranging for the destruction of paper-based health records.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall:

• Ensure federal and state privacy protections continue to apply to a patient’s health information even after death. These protections also require institutions to release health records to those people either appointed by the patient or who are deemed a personal representative by state law. 

• Allow authorized users to place a health record on Administrative Hold which prohibits the scanning of additional documents without authorization.

• Remove Administrative Holds under certain circumstances such as adding documents to the health record.

Purpose

• To ensure the health record is protected after death.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall determine the appropriate release of a deceased patient’s Protected Health Information (PHI) documents.  Federal and state privacy protections continue to apply to a patient’s PHI even after the patient’s death.  These protections also require facilities to release health records to those people either appointed by the patient or who are deemed a personal representative by state law.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The CEO, or designee, HRT III, and HRT II of each institution are responsible for the implementation, monitoring, and evaluation of this procedure.

Procedure

• Placing an Administrative Hold

  • In the event that a health record needs to be placed on Administrative Hold, the application shall be utilized to allow a Supervisor or authorized user to do so.

• Removing an Administrative Hold

  • An Administrative Hold can be removed under certain circumstances such as adding documents to the health record.

  • A supervisor or an authorized user may remove an Administrative Hold.

• Scanning Additional Documents During an Administrative Hold

  • When additional documents need to be scanned and the health record is on Administrative Hold:

  • An HRT II supervisor or a Health Record Technician I (HRT I) who has been designated as the supervisor backup shall remove the Administrative Hold temporarily.

  • HIM staff shall scan the documents.

  • Once the documents are scanned, the chart shall be put back on Administrative Hold.

• Replacing an Administrative Hold

  • When replacing an Administrative Hold, the health record must remain locked indefinitely.

Policy

• California Correctional Health Care Services (CCHCS) Health Information Management (HIM) shall ensure that the documentation of patient care continues in the event of application or system downtime.

Purpose

• To ensure continuity of care and documentation continuity for all patients in the event the Electronic Health Record System (EHRS) is not available.

Policy Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and Health Record Center (HRC) staff are responsible for the oversight, implementation, monitoring, and evaluation of this policy.

• The Chief Executive Officer (CEO), or designee, Health Record Technician III (HRT III), and Health Record Technician II (HRT II) of each institution are responsible for the implementation, monitoring, and evaluation of this policy.

Procedure Overview

• CCHCS HIM shall maintain a Health Record Application/System Downtime Contingency Plan (Plan) to ensure continuity of care and documentation for all patients in the event the EHRS is not available during scheduled and non-scheduled downtimes.

Procedure Responsibility

• Under the direction of the Deputy Director, Medical Services, HIM Headquarters, Institution Health Records, and HRC staff are responsible for the oversight, implementation, monitoring and evaluation of this procedure.

• The CEO, or designee, has overall responsibility for local implementation of the Plan and shall ensure that a Local Operating Procedure is established to provide site-specific direction.

• The Health Program Manager III (HPM III) at the HRC has overall responsibility for local implementation of the Plan and shall ensure that a Local Operating Procedure is established to provide site-specific direction.

Procedure

• Plan maintenance and implementation

  • The headquarters HIM Program shall maintain the Plan which shall be reviewed and updated at least annually to reflect current practices and enhancements to EHRS.

  • Institution health care and HRC staff shall activate downtime procedures as directed in the Plan.

• The Plan can be accessed electronically via Lifeline at the following link: EHRS Interdisciplinary Downtime Procedures.pdf (sharepoint.com).  The institution HRT II, Supervisor, shall ensure that a printed copy is available to all staff within the institution and inform staff where the printed copies are stored. The Plan shall include, but is not limited to:

  • Types of downtime.

  • Roles and responsibilities.

  • Incident Commander.

  • Communication process during downtime.

  • Downtime viewer, forms, and supporting materials.

  • Recovery phase including scanning procedures.

  • Downtime companion documents specific to:

    • Dental.

    • Dietary Services.

    • Health Information Management.

    • Laboratory.

    • Medical Providers.

    • Mental Health.

    • Nursing.

    • Pharmacy.

    • Radiology.

    • Registration Services.

    • Medical Scheduling.

• Training

  • All institution health care and HRC staff shall be trained in downtime procedures and updates.  A system for orientation shall be maintained by the HPM III at the HRC and the HRT II at the institutions.

Policy

• The California Department of Corrections and Rehabilitation (CDCR) and California Correctional Health Care Services (CCHCS) shall maintain a statewide Patient Health Care Inquiries (PHCI) process to communicate with patients under CDCR jurisdiction and individuals authorized to receive information regarding a patient’s health care.

• For PHCI regarding urgent changes in a patient’s health care condition or status, the department shall maintain a PHCI phone line at each institution for authorized individuals to call.

• For non-urgent PHCI, authorized individuals shall submit their patient-specific health care concerns, via email or by mail to the Health Care Correspondence and Appeals Branch (HCCAB) at CCHCS headquarters (HQ).

Purpose

• To maintain processes for authorized individuals and patients under CDCR jurisdiction to inquire and receive timely responses to PHCI.

Responsibility

• The Deputy Director (DD), Policy and Risk Management Services (PRMS), and the Chief, HCCAB, are responsible for the oversight and evaluation of the statewide PHCI policy and procedure.

• The Chief Executive Officer (CEO), or designee, shall ensure compliance with this policy and the PHCI Operating Standards.

• At the direction of the CEO, the clinical chief of designated health care discipline (Chief Medical Executive, Chief of Mental Health, or Supervising Dentist), or clinician designee, is responsible for releasing verbal health care information via the PHCI line at their institution.

• The Chief, HCCAB, is responsible for tracking and reporting PHCI to the Regional Health Care Executives monthly.

Release Of Information and Health Records Requests

• The PHCI process is not the correct venue to submit an Authorization for Release of Protected Health Information form or to request patient health care records pursuant to the Health Care Department Operations Manual (HCDOM), Chapter 2, Article 3, Section 2.3.4, Release of Information policy.

Procedure

• PHCI Timeframes

  • Institutions shall:

    • Retrieve messages from their PHCI line at least once on each business day.

    • Commence processing PHCI on the date received.

    • Make every effort to verbally respond within the following timeframes:

      • Urgent change in the patient’s health care condition or status within five business days.

      • Patient death, serious injury or serious illness, including incidents of serious injury due to self-harm, suicide attempts or accidents within one business day.

      • Non-urgent PHCI regarding patient-specific health care or treatment concerns shall not receive a response. Pursuant to the PHCI Operating Standards and (e)(2)(A) below, outgoing messages shall instruct these callers to contact HCCAB.

  • HCCAB shall:

    • Commence processing written PHCI on the date received.

    • Make every effort to provide a written response for PHCI within 45 business days.

• Institution PHCI Outgoing Message

  • The institution CEO or designee shall follow established PHCI Operating Standards for the recorded outgoing message on the PHCI line.

• Review and Response to PHCI Line

  • The institution CEO or designee shall follow established PHCI Operating Standards to ensure the PHCI is:

    • Retrieved and received date are documented.

    • Reviewed for urgent concerns.

    • Responded to if a valid release of information (ROI) is on file for the caller.  Health care information shall only be released to authorized individuals.

      • If there is no valid ROI on file for the requester, the CEO, or designee, shall notify the caller of Release of Information processes pursuant to Local Operating Procedures and the HCDOM, Section 2.3.4 Release of Information.

      • PHCI containing threatening, obscene, demeaning, or abusive language, shall not receive a response.

      • No response will be provided to PHCI for patients who have paroled or discharged from CDCR.

    • Documented in the health record including the verbal discussion regarding the PHCI.

      • Health care staff shall not disclose any information regarding visiting or patient location.

      • Three attempts shall be made to reach the caller and all attempts shall be documented.  If after three attempts no contact is made, the PHCI is considered closed.

  • HCCAB shall ensure written PHCI is:

    • Triaged within one business day of receipt at a level no less than a Registered Nurse, utilizing clinical expertise within their licensure to determine if the PHCI contains an urgent or health care issue requiring clinical intervention.

      • Urgent medical, mental health, and dental clinical needs shall be immediately referred to a clinician for evaluation consistent with HCDOM Section 3.1.5, Scheduling and Access to Care.

      • Urgent issues that cannot be immediately resolved or require follow-up shall be referred to executive health care staff for review or action.

    • Confirmed to have a valid ROI on file for the requester. Health care information shall only be released to authorized individuals.

    • Responded to when the PHCI includes the requestor’s name, address, patient’s full name, CDCR identification number, date of birth, and a brief description of the patient-specific health care or treatment concern.

      • Written PHCI from patients under CDCR jurisdiction submitted to HCCAB shall be limited to issues that cannot be addressed through the Health Care Grievance Process.

      • No response will be provided to PHCI for patient who have paroled or discharged from CDCR.

      • PHCI containing threatening, obscene, demeaning, or abusive language, shall not receive a response.

Policy

• The California Correctional Health Care Services (CCHCS) shall provide guidance to patients regarding requests for changes, corrections, or amendments to documentation contained within their health records.

Responsibility

• Statewide

  • The Deputy Director, Dental Services; Deputy Director, Medical Services; Deputy Director, Nursing Services; and Deputy Director, Statewide Mental Health Program are responsible for the oversight, implementation, and evaluation of this policy.

  • The Chief, Health Information Management (HIM), is responsible for the monitoring and evaluation of this policy and shall establish and maintain procedures to carry out the requirements herein.

• Regional

  • Regional Health Care leadership is responsible for oversight and implementation of this policy at the subset of institutions within an assigned region.

• Institutional

  • Health care leadership is responsible for the implementation, monitoring, and evaluation of this policy and shall establish and maintain local operating procedures to carry out the requirements herein.

Procedure

• Request for Change, Correction, or Amendment

  • A patient or patient’s representative may request any portion of the patient’s health record to be changed, corrected, or amended. 

  • The request for amendment must be in writing, utilizing the CDCR 7236, Request to Amend Health Records.

  • The request for amendment must be submitted to HIM at the patient’s institution. In the case of supervised persons, the request must be sent to Health Records Imaging Center.

    • Upon receipt of the request for amendment HIM staff shall review the request for the type of changes requested.

      • If the request is incomplete or does not clearly identify the record that the patient or patient’s representative requests to be amended, the request shall be returned to be clarified.

      • If a request is returned to the submitter for clarification, HIM staff shall include a description of what information is needed to clarify the request.

    • The content of a complete request shall include:

      • What information is being requested to amend (i.e., encounter date, provider, etc.).

      • The reason for the request to amend. 

      • Only one record amendment request per form.

      • No more than 250 words amending or to be added to the identified record.

    • HIM shall forward the CDCR 7236 to the appropriate institution discipline leadership (e.g., Chief Medical Executive, Chief Nurse Executive, Chief of Mental Health, Chief Psychiatrist, or Supervising Dentist), or designees, where the patient’s record was created, for assignment to the author of the document. If the CDCR 7236 is received from a patient representative, the envelope containing the patient representative’s address shall also be provided to the appropriate discipline.

      • If the author of the document is an unlicensed professional, working under the supervision of a licensed clinician, the licensed clinician shall review and respond to the amendment request.

      • In the event that the author of the document is unavailable, and will not be available within a reasonable timeframe to respond to this request, the appropriate institution discipline leadership, or designee shall review and respond to the amendment request.

      • In instances where the author of the document has relocated to another institution or within CCHCS Headquarters, the request shall be forwarded to the author by HIM to the appropriate location.

  • HIM staff shall maintain a master log to record all patient requests for amended records.

• Decisions

  • The author of the document, or designated reviewer as described in Section (c)(1)(C)3, shall respond to the request for amendment within 30 days using the CDCR 7236 with either of the following:

    • The amendment request is approved and the patient’s health record has been amended.

      • A copy of the patient’s amended health records shall be included with the response.

    • The amendment request is denied in whole or in part.

      • The response shall be written in plain language and at a minimum must address the following:

        • The reasons for the denial.

        • A description of how the patient may submit a written statement of disagreement as described on the CDCR 7236.

        • A description of how the patient may file a complaint with the Department or to the Secretary of the U.S. Department of Health and Human Services (HHS). The description must include the name or title and telephone number of the contact person for the complaint as described on the CDCR 7236.

      • In instances where the amendment is denied in part, the author of the document, or designated reviewer, shall also:

        • Indicate which portion of the request was amended and which portion of the request was denied.

        • Provide a copy of the patient’s partially amended health records.

    • The Department shall have an additional 30 days to review and respond, for a maximum of 60 days, to amendment requests.

  • If the request is approved, the author of the document shall:

    • Not redact or delete the original entry.

    • Enter the amended information into the health record.

    • Make a notation at the point of original entry that an amendment notice has been made and reference the amended information.

    • Note in the health record the reason for the amendment or refer to the patient’s CDCR 7236.

    • Document the statement of facts.

    • Date and time the amendment using the 24-hour clock.

    • Sign the amendment with full name and title.

    • Identify the location of any secondary records that substantiate the amendment.

  • A request for amendment may be denied if it is determined that the health information or health record that is the subject of the request:

    • Was not created by CCHCS, unless the patient explains that the originator of the health information is no longer available and the unavailability can be verified;

    • Would not be available for inspection; or

    • Is accurate and complete.

  • Once the response is received by HIM from the author of the document or designated reviewer, HIM staff shall scan the CDCR 7236 and response into the health record.

    • The CDCR 7236 shall be returned to the patient or patient’s representative with the response and amended health records, if applicable.

  • When a correction is made, reasonable efforts shall be made to provide the amended information to business associates and others who are known to have the patient health information that was amended.

    • HIM staff shall notify the persons entitled to receive the amended information, as identified by the patient or patient’s representative on the original amendment request. If the patient or patient’s legal representative is unsure who is entitled to receive the amended information, staff shall work with the patient or patient’s representative to ensure that all parties are appropriately identified in accordance with the HCDOM, Section 2.3.4, Release of Information.

    • HIM staff shall identify other persons, including business associates, that are known to have the patient’s health information and that may have or may rely on it.

  • If the patient requests a disclosure after the amended record is approved, the patient shall execute a new CDCR 7385.

• Statement of Disagreement

  • The patient or patient’s representative may file a statement of disagreement, if they do not agree with the denial or partial approval of their request.

    • The statement of disagreement shall be submitted to the institution’s HIM.

  • If the patient or patient’s representative does not submit a statement of disagreement, they may request that the CDCR 7236 and the denial is provided with any future disclosures.

  • The patient or patient’s representative may file a complaint with the Secretary of the U.S. Department of HHS.

• Rebuttals to the Statement of Disagreement

  • CCHCS shall prepare a written rebuttal to the patient or patient’s representative to the statement of disagreement and is responsible for providing a copy to them.

  • The person that responds to the statement of disagreement shall not be the author of the original document and must be at a classification not less than that of the institutional clinical leadership of the designated discipline.

• Inclusion in Health Record

  • All documentation related to the CDCR 7236 shall be appended (or otherwise linked) to the health information that is the subject of the disputed amendment and shall be retained for ten years in accordance with the HCDOM, Section 2.3.11, Retention and Destruction.

    • This includes all correspondence and statements of disagreement related to the patient’s or patient representative’s requests for amendment and relating to denial or acceptance of requests to amend.

    • If the health record has been amended, the amendment shall be appended to the original documentation, as described in Section (c)(2)(B).

  • All documents shall be accessible and available to appropriate staff within the health record.

  • All documentation related to the request for addendum including amended records, statement of disagreement, and the written rebuttal shall be retained and distributed with the health record for as long as the records are maintained.

Policy

• California Correctional Health Care Services (CCHCS) shall disclose information to Public Health Authorities, without a patient’s authorization, when required by law.  CCHCS may disclose Protected Health Information PHI for public health activities, without the patient’s authorization, when the reason for the disclosure is related to the purpose for which the PHI was collected and under the circumstances outlined below.

Purpose

• To define the parameters for releasing PHI for public health activities.

Responsibility

• Statewide

  • Under the direction of the Deputy Director, Medical Services, and Health Information Management Chief:

    • Institution Health Records staff within the scope of their authority are responsible for oversight, implementation, monitoring, and evaluation of this policy for patients.

    • Health and Imaging Record Center staff within the scope of their authority are responsible for oversight, implementation, monitoring, and evaluation of this policy for paroled or discharged persons.

• Regional

  • Health Care Executives are responsible for the administration of this policy at the subset of institutions within their assigned region.

• Institutional

  • The Chief Executive Officer, or designee, of each institution has the overall responsibility for implementation and ongoing oversight of this policy.

Procedure

• CCHCS may disclose PHI to Public Health Authorities who are legally authorized to receive such reports to prevent or control disease, injury, or disability pursuant to the Health Care Department Operations Manual Section 3.8.1, Public Health Disease Reporting, or state law.  This includes but is not limited to the following:

  • The reporting of a disease or injury.

  • Conducting public health surveillance, investigations, or interventions.

• PHI may be disclosed as needed to notify a person that they have been exposed to a communicable disease or are at risk of contracting or spreading a disease or condition, if CCHCS is legally authorized to do so to prevent or control the spread of the disease.

• Verification of identity

  • CCHCS shall verify Public Health Authorities’ status and identity prior to releasing PHI.

• Minimum Necessary

  • CCHCS is responsible for reasonably limiting the PHI disclosed for public health purposes to the Minimum Necessary to accomplish the intended purpose.

• Accounting of Disclosures

  • CCHCS shall document, track, and maintain information concerning disclosures of PHI. This tracking shall document what, when, why, and to whom disclosures are made.