2013 California Health Information Privacy Manual
Laws regarding patient privacy rights, use/disclosure of PHI, and breaches


Significant requirements have been imposed on hospitals and other health facilities with the passage of federal and state laws regulating the privacy, security, use and disclosure of health information.  The California Health Information Privacy Manual was written to help hospitals understand and comply with these increasingly complex laws.

This valuable publication addresses privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA), the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, the Genetic Information Nondiscrimination Act (GINA), the California Confidentiality of Medical Information Act, the California Patient Access to Health Records Act, the Lanterman-Petris-Short Act, and other California state laws.

To assist providers in determining which law provides greater patient protection and therefore must be followed, the manual includes a one-of-a-kind preemption analysis chart that compares California laws to the corresponding federal regulations.

Changes to this edition reflect the HIPAA/HITECH Omnibus rule published on Jan. 25, 2013 and include:

  • Patient’s right to copies of electronic PHI
  • Patient’s right to direct that electronic PHI be sent to third parties
  • Patient’s right to nondisclosure of PHI to HMO if patient paid for service
  • The federal breach harm threshold replaced by four-factor risk assessment
  • New rules regarding use and disclosure of PHI for marketing, fundraising
  • A discussion of ACOs and health information privacy
  • Addition of the Genetic Information Nondiscrimination Act (GINA) and Cal/OSHA required records
  • Combined authorization related to research
  • Revision of California law regarding electronic posting of lab test results
  • New prohibition on releasing mental health information to parent who has lost custody of child in a juvenile court dependency hearing

New and updated tools include:

  • Notice of Privacy Practices
  • Federal and State Breach Notification Chart
  • HIPAA Breach Decision Tool and Risk Assessment Documentation Form
  • Questionnaire and Confidentiality Agreement (for breaches involving paper, verbal, or electronic PHI)
  • Business Associate Agreement

(Sixth edition, 2013)


The 2013 edition is over 400 pages and contains 13 chapters. The manual includes a CD with more than 40 useful forms, many in English and Spanish, which providers may use to comply with the patients’ rights requirements. A comprehensive index has also been added.


  • Understand the Laws
  • Administrative Processes and Considerations
  • Privacy Rights and Notice of Privacy Practices
  • Use and Disclosure of PHI: Fundamentals and Preemption Analysis
    • Preemption Analysis: HIV Test Results
  • Use and Disclosure of PHI: Patients Covered by CMIA
    • Preemption Analysis: Patients Covered by CMIA
  • Use and Disclosure of PHI: Patients Covered by LPS
    • Preemption Analysis: Patients Covered by LPS
  • Use and Disclosure of PHI: Substance Abuse
  • Privacy and the Conduct of Research
  • Employee Health Information
  • Health Information Security
  • Business Associate Contracts
  • Breaches
  • Enforcement and Penalties