Article 3 – Information Technology
5.3.27 Generative Artificial Intelligence
Policy

California Correctional Health Care Services (CCHCS) shall maintain requirements for all CCHCS workforce members on the appropriate use of Generative Artificial Intelligence (Gen AI) in its operations, including, but not limited to, content creation, data analysis, and decision-making. CCHCS values information security and is committed to providing the necessary resources and training to support a secure environment.

Purpose

This policy defines the roles and processes for using Gen AI and applies to all information assets owned or operated by CCHCS, or by third parties on behalf of CCHCS.

Responsibility

The Chief Information Officer (CIO), CCHCS, shall act as primary executive sponsor for this policy.

Governance Roles

The CIO shall:

- Determine the risk response for all Gen AI uses and purchases, whether intentional or unintentional; this determination shall not be delegated.
- Ensure that all users of information assets are aware of this policy and acknowledge their individual responsibilities.
- Review this policy annually and update it as necessary to remain compliant with National Institute of Standards and Technology (NIST) PL-1 and California state regulations.

The Information Security Officer (ISO) shall:

- Participate in risk assessments associated with Gen AI and related technologies.
- Ensure that all use of Gen AI and related technologies is governed and approved prior to implementation.
- Audit and assess compliance with this policy at least once every two years.

Information asset owners and program management shall ensure that:

- Personnel using Gen AI are trained for its use according to their roles and responsibilities.
- Risks associated with the use of Gen AI are identified, managed, monitored, and captured in the appropriate risk registry.
- Gen AI applications are documented and inventoried.
- All Gen AI usage has a qualified human reviewer as the ultimate decision maker for any process, input, or output that would directly impact a human.
- A non-Artificial Intelligence (AI) alternative process is available if there are identified risks to humans, services, or systems.

Information Asset Custodians shall:

- Implement, maintain, and monitor Gen AI access and security controls.
- Collaborate with information asset owners and program management as necessary.

Information Asset Users shall be aware of and adhere to all information security and privacy policies.

Coordination Among Business Units

Information security policy development, review, and authorization shall be facilitated by the Regulation and Policy Section, which is responsible for ensuring interdisciplinary participation from all business units.

This interdisciplinary engagement ensures policy alignment with operational reality, clinical needs, security and privacy obligations, and federal and state mandates.

Compliance

CCHCS workforce members shall adhere to all CCHCS Information Security policies and procedures.

Non-compliance with this policy may result in corrective or disciplinary action, up to and including termination, as set forth in the California Department of Corrections and Rehabilitation Department Operations Manual, Chapter 3, Article 22, and Title 15, Chapter 1.

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request an exemption as defined by the Chief Information Security Officer.

Directives for AI Usage

CCHCS shall ensure that:

- Gen AI procurements complete all processes and assessments for Gen AI as outlined in the Statewide Information Management Manual and the State Administrative Manual.
- Gen AI and related technologies are approved and governed prior to use for official business purposes, to ensure compliance with applicable industry standards, regulations, and laws.
- Governance is conducted by a committee of relevant business stakeholders and technical experts from CCHCS, as determined by the CIO and ISO.

The CIO and ISO shall document and inventory all Gen AI applications. The inventory shall contain a System Security Plan, which includes, but is not limited to:

- System documentation.
- Incident response plans.
- Data dictionaries, if applicable.
- Links to implementation software or source code.
- Names and contact information for relevant AI actors.

CCHCS workforce members using Gen AI with data and information assets shall be trained regarding Gen AI use according to their roles and responsibilities.

Use of Gen AI in clinical settings, such as diagnostic support, care documentation, or summarization, shall include clinical validation and oversight by licensed health care staff.

Gen AI tools shall not be integrated with Electronic Health Record Systems or clinical decision systems without an explicit risk assessment and approval by the CIO and an equivalent Chief Medical Officer, if applicable.

Gen AI tools shall not process or store Protected Health Information (PHI) or Personally Identifiable Information (PII) unless explicitly reviewed and approved by the Privacy Office and the CIO.

Use of Gen AI for data analysis in connection with any research project is prohibited unless the specific Gen AI model complies with all applicable federal and state laws and regulations, including but not limited to HIPAA, the Common Rule (45 Code of Federal Regulations [CFR] Part 46), and state privacy and information security laws. If a Gen AI model is used with a research project, the following shall occur:

- PHI and PII are de-identified in accordance with 45 CFR 164.514.
- The model undergoes an expert review and receives a determination that the risk of re-identification is minor.
- Safeguards are incorporated to prevent bias and promote equity, as outlined in California Government Code 11549.63.
- The project is approved by, or receives a letter of exemption from, an Institutional Review Board where required.

Gen AI and related technologies shall utilize the NIST 800-53 Revision 5 family of security controls at the moderate baseline.

Gen AI usage shall have a qualified human reviewer for any process, input, and output that could potentially yield unwanted impact to:

- A person's civil liberties, rights, physical or psychological safety, or economic opportunity.
- A group, such as discrimination against a population sub-group.
- Democratic participation or educational access.
- The business operations, reputation, information security, or finances of an organization.
- Interconnected and interdependent information assets.
- The global financial system, supply chain, or interrelated systems.
- Natural resources, the environment, or the planet.
- A human.

Gen AI usage shall have a non-AI process available if it could potentially harm the items listed in subsection (J).

References

- Code of Federal Regulations, Health Insurance Portability and Accountability Act, Summary of HIPAA Privacy Rule (45 CFR Parts 160, 164 Subparts A, C, and E)
- Code of Federal Regulations, Health Insurance Portability and Accountability Act, Security Rule (45 CFR 164 Subpart C)
- Executive Order 14110 (Oct 2023), "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence"
- Executive Order N-12-23
- California Civil Code, Division 1, Part 2.6, Section 56-56.16, et seq., Confidential Medical Information Act
- California Civil Code, Division 3, Part 4, Section 1798.100, et seq., California Consumer Privacy Act & CPRA & 2023 Update
- State Administrative Manual, Section 4986, Artificial Intelligence Introduction
- State Administrative Manual, Section 4986.3, Gen AI Use Identification and High-Risk Inventory
- State Administrative Manual, Section 4986.9, Gen AI Procurement
- State Administrative Manual, Section 4986.10, Privacy for Gen AI
- State Administrative Manual, Section 4986.11, Security for Gen AI
- State Administrative Manual, Section 4986.12, Acceptable Use of Gen AI
- State Administrative Manual, Section 4986.13, Gen AI Workforce Training
- State Administrative Manual, Section 5305.5, Information Asset Management
- State Administrative Manual, Section 5310.4, Individual Access to Personal Information
- State Administrative Manual, Section 5310.6, Data Retention and Destruction
- Statewide Health Information Policy Manual, Section 3.3.5, Access Control
- Statewide Information Management Manual, 5305-F, Generative Artificial Intelligence Risk Assessment
- Statewide Information Management Manual, 5310-C, Privacy Threshold Assessment and Privacy Impact Assessments
- Statewide Information Management Manual, 180, Statement of Work Guidelines
- Statewide Information Management Manual, 71A, Certification of Compliance with IT Policies Preparation Instructions
- Statewide Information Management Manual, 71B, Certification of Compliance with IT Policies Template
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.15, Acceptable Use
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.19, Audit and Accountability
- Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.21, Data Security

Revision History

Effective: 03/18/2026