California Health Information Privacy Manual
Laws regarding patient privacy rights, use/disclosure of PHI, and breaches

New 2017 Edition Coming Soon!


Significant requirements have been imposed on hospitals and other health facilities with the passage of federal and state laws regulating the privacy, security, use and disclosure of health information.  The California Health Information Privacy Manual was written to help hospitals understand and comply with these increasingly complex laws.

This valuable publication addresses privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA), the federal Health Information Technology for Economic and Clinical Health (HITECH) act, the Genetic Information Nondiscrimination Act (GINA), the California Confidentiality of Medical Information Act, the California Patient Access to Health Records Act, the Lanterman-Petris-Short Act, and other California state laws.

To assist providers in determining which law provides greater patient protection and therefore must be followed, the manual includes a one-of-a-kind preemption analysis chart that compares California laws to the corresponding federal regulations.

Changes to this edition reflect all state and federal health information privacy laws through January 2015. The manual discusses each new law, revision or judicial decision in detail.

Highlights of some of the notable changes to this edition include:

  • Effective Jan. 1, 2015, the deadline for reporting privacy breaches to patients and to the California Department of Public Health (CDPH) under Health and Safety Code Section 1280.15 will be increased from five to 15 business days after detection. In addition, if a patient submits a written request for notification by email, a breach notification may be provided electronically.
  • Effective Jan. 1, 2015, a breach of unencrypted computerized information that contains a person’s Social Security number, driver’s license number or California identification card number, along with their first name or first initial and last name, may require an offer to provide appropriate identity theft prevention and mitigation services, if any, for not less than a year.
  • A description of the Office for Civil Rights’ (OCR) permanent audit program, which started in 2014, has been added.
  • Discussion of several significant judicial decisions regarding breaches of health information that 1) stipulated that plaintiffs must prove that an unauthorized person actually viewed medical information to receive monetary relief; 2) clarified the definition of “medical information” in terms of assessing whether a breach took place and when making intentional disclosures of patient information, and 3) asserted that “disclosure” as used in the Confidentiality of Medical Information Act (CMIA) requires an affirmative communicative act by the provider – not merely being the victim of a theft.

(Seventh edition, 2014)


The 2014 edition is over 400 pages and contains 13 chapters. The manual includes a CD with more than 40 useful forms, many in English and Spanish, which providers may use to comply with the patients’ rights requirements. A comprehensive index has also been added.


  • Understand the Laws
  • Administrative Processes and Considerations
  • Privacy Rights and Notice of Privacy Practices
  • Use and Disclosure of PHI: Fundamentals and Preemption Analysis
    • Preemption Analysis: HIV Test Results
  • Use and Disclosure of PHI: Patients Covered by CMIA
    • Preemption Analysis: Patients Covered by CMIA
  • Use and Disclosure of PHI: Patients Covered by LPS
    • Preemption Analysis: Patients Covered by LPS
  • Use and Disclosure of PHI: Substance Abuse
  • Privacy and the Conduct of Research
  • Employee Health Information
  • Health Information Security
  • Business Associate Contracts
  • Breaches
  • Enforcement and Penalties