Maintaining the confidential nature of patient records is
integral to patient care and the practice of health
information management. In addition to the federal Health
Insurance Portability and Accountability Act (HIPAA), which
includes privacy regulations, California has several state laws
governing health information privacy, such as the
Confidentiality of Medical Information Act, the California Patient
Access to Health Records Act and the Lanterman-Petris-Short Act.
To help providers comply with the myriad of regulations, CHA
offers the California Health
Information Privacy Manual, a California-specific
resource that compares privacy requirements under HIPAA to state
laws. Information pertaining to privacy laws is
also contained in CHA’s Consent
Manual and CHA’s Record and
Data Retention Schedule. Educational opportunities are
available periodically for specific privacy-related topics. CHA
also advocates on behalf of member hospitals in the Legislature
and regulatory arenas regarding health information privacy laws.
CHA filed an amicus curiae (“friend of the court”) letter on April
16 supporting the petition for writ of mandate in
Eisenhower v. Superior Court. This class action lawsuit
arose from the theft of a password-protected desktop computer
containing the name, birth date, age, medical record number, and
last four digits of the Social Security number of 500,000
patients. The Confidentiality of Medical Information Act (CMIA)
authorizes nominal damages of $1,000 per patient whose medical
information was negligently released. The amicus curiae letter
argues that, because the CMIA defines “medical information” as
individually identifiable information “regarding a patient’s
medical history, mental or physical condition, or treatment,” and
the stolen data contained none of those elements, the plaintiffs
are not entitled to these damages. A copy of CHA’s letter is
attached.
There’s a lot of buzz around the new HIPAA/HITECH final rule, and
hospitals are moving quickly to review and understand the new
federal regulations. But, California has its own set of laws to
consider that are sometimes more stringent. So, which laws do you
need to follow?
Several legislative bills related to health information privacy
have been introduced in the California Legislature. AB 268
(Holden, D-Pasadena) would entitle a patient’s representative to
a summary of the patient’s medical record under specified
conditions. SB 138 (Hernandez, D-Los Angeles) would regulate the
confidentiality of explanation of benefit (EOB) documents for
sensitive services provided to adults under age 26 who are
insured as dependents under another person’s (such as a parent)
health plan. SB 222 (Padilla, D-Pacoima) would enact legislation
to protect individuals from the unauthorized use or disclosure of
their genetic information. SB 249 (Leno, D-San Francisco) would
allow the California Department of Public Health to disclose
health records involving the treatment of HIV or AIDS for a
beneficiary enrolled in federal Ryan White Act-funded programs
who may be eligible for coverage under an Affordable Care Act
program. Finally, it is expected that the Senate Judiciary
Committee will introduce a bill to make technical clarifying
changes to California’s health information privacy laws. CHA will
monitor these bills and advocate for hospitals’ interests in the
health information privacy arena.
The U.S. Department of Health and Human Services Office for Civil
Rights (OCR) has released the long-awaited final rule
modifying existing HIPAA privacy regulations and implementing the
Health Information Technology for Economic and Clinical
Health Act. The rule will become effective March 26;
however, OCR has indicated it will not enforce the new provisions
until Sept. 23. Existing business associate agreements do not
need to be modified until Sept. 23, 2014, or their next amendment
date, whichever comes first.
Yesterday, the Office for Civil Rights (OCR) in the U.S.
Department of Health and Human Services released guidance on
methods and approaches to de-identify protected health
information (PHI) in accordance with the HIPAA Privacy Rule.
De-identification — the process of removing identifiers from PHI
— mitigates privacy risks to individuals and thereby supports the
secondary use of data for comparative effectiveness studies,
policy assessment, life sciences research and other endeavors.
The OCR guidance explains and answers questions regarding the two
methods that can be used to satisfy the Privacy Rule’s
de-identification standard: expert determination and safe harbor.
The guidance is intended to help HIPAA-covered entities
understand de-identification, the general process for
de-identifying information, and the options available for
performing the process. The guidance is available at
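The two methods named in the guidance differ sharply in what they demand: Expert Determination requires a qualified expert’s documented analysis that re-identification risk is very small, while Safe Harbor is a fixed checklist of 18 identifier categories that must be removed or generalized (dates reduced to the year, ages over 89 collapsed into a single bucket, ZIP codes cut to three digits, and even that prefix zeroed where the area holds 20,000 people or fewer). The following is an added example, not text or code from the OCR guidance or from CHA, showing what a Safe Harbor pass over a single record looks like in practice. The record layout, field names and sample values are constructed for the example; the set of restricted three-digit ZIP prefixes is the one the guidance published from 2000 Census data and should be checked against the current version before use.

```python
"""Safe Harbor de-identification of a patient record (added example).

Applies the HIPAA Privacy Rule Safe Harbor method, 45 CFR 164.514(b)(2):
remove the listed identifier categories, keep only the year of dates,
collapse ages 90 and over into one "90+" bucket (also dropping the birth
year, which would reveal such an age), and keep only the first three ZIP
digits, zeroed when that area has 20,000 or fewer residents. Record layout
and field names are constructed for this example.
"""
from __future__ import annotations

import re
from datetime import date

# Three-digit ZIP prefixes with <= 20,000 residents, as listed in the OCR
# guidance from 2000 Census data. Verify against the current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields holding direct identifiers that Safe Harbor removes outright.
# Names are this example's own; map them onto your schema.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "ssn_last4", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Fields holding dates directly related to the individual.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Patterns that catch identifiers left behind in free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the three-digit ZIP area, or 000 if it is a restricted one."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single 90+ category."""
    return "90+" if age >= 90 else str(age)


def year_only(iso_date: str) -> str:
    """Safe Harbor permits the year of a date but not the month or day."""
    return str(date.fromisoformat(iso_date).year)


def age_from_dob(dob: str, as_of: date) -> int:
    """Whole years between dob and the reference date."""
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor(record: dict, as_of: date | None = None) -> dict:
    """Return a Safe Harbor de-identified copy of record."""
    as_of = as_of or date.today()
    age = record.get("age")
    if age is None and record.get("dob"):
        age = age_from_dob(record["dob"], as_of)
    over_89 = age is not None and int(age) >= 90

    out: dict = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or value is None:
            continue
        if key == "dob":
            if not over_89:  # a birth year would reveal an age over 89
                out["birth_year"] = year_only(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif key == "zip":
            out["zip3"] = generalize_zip(str(value))
        else:
            out[key] = value
    return out


def scan_residual_identifiers(record: dict) -> list[str]:
    """Names of string fields that still look like they hold an identifier."""
    return [k for k, v in record.items()
            if isinstance(v, str)
            and any(p.search(v) for p in RESIDUAL_PATTERNS.values())]


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1921-05-03",
    "age": 91,
    "mrn": "MRN-0048213",
    "ssn_last4": "1234",
    "zip": "03601",
    "admit_date": "2012-11-20",
    "diagnosis_code": "I10",
    "notes": "Prefers follow-up by phone 760-555-0142.",
}

if __name__ == "__main__":
    deid = safe_harbor(SAMPLE_RECORD)
    print(deid)
    print("fields needing review:", scan_residual_identifiers(deid))
```

The residual scan is the part that matters operationally: Safe Harbor’s last category is “any other unique identifying number, characteristic, or code,” and structured-field removal does nothing about a phone number typed into a clinical note, so records the scan flags should be held back for manual review rather than released.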
You’ve just been served. The subpoena “looks” okay, and
seems “official,” but you’re wary — and you should be. The stakes
are often high if you get this wrong. This
webinar thoroughly explains the nuances of civil and
criminal subpoenas. Participants will learn how to review what
they receive and respond with confidence.
Learn about the fundamentals of health information privacy
to make decisions with confidence. Expert faculty
explain the many laws governing patient privacy and
how they apply to the most common situations. Case scenarios
are used to challenge participant knowledge and critical
Please note that the manual is currently being updated to reflect the recently released HIPAA/HITECH Final Rule. The new 2013 edition will be available in July.
Significant requirements have been imposed on hospitals and other health facilities with the passage of federal and state laws regulating the privacy, security, use and disclosure of health information. The California Health Information Privacy Manual was written to help hospitals understand and comply with these increasingly complex laws.
The Office for Civil Rights within the U.S. Department of Health
and Human Services has released its first report to Congress on
breaches of unsecured protected health information that occurred
between September 23, 2009 (the date the breach notification
requirements became effective) and December 31, 2010. The
report is required by the Health Information Technology for
Economic and Clinical Health (HITECH) Act.