Current through Register 2024 Notice Reg. No. 38, September 20, 2024
(a) Protected Health Information (PHI) maintained by the California Department of Corrections and Rehabilitation (CDCR) is private and confidential. CDCR shall not use or disclose PHI, except as permitted or required by law.
(b) CDCR may use or disclose PHI for Treatment, Payment, or Health Care Operations (TPO) purposes without patient authorization as follows:
(1) For CDCR's own TPO.
(2) For treatment activities of another health care provider.
(3) To another covered entity or health care provider for its payment activities.
(4) To another covered entity for its health care operations activities, if CDCR and the other covered entity have or had a relationship with the patient who is the subject of the PHI being requested, and the disclosure is for the purpose of health care fraud and abuse detection or compliance.
(c) CDCR shall not use or disclose PHI for non-TPO purposes, unless the disclosure is pursuant to a valid authorization for disclosure of PHI from the patient or the personal representative of the patient, or unless the disclosure meets one of the following exceptions:
(1) To a coroner or medical examiner, for the purpose of identifying a deceased person, determining a cause of death, or other duties authorized by law.
(2) To organ procurement organizations or other entities engaged in procuring, banking, or transplantation of cadaver organs, eyes, or tissue, for the purpose of facilitating transplantation.
(3) A Limited Data Set, only if the receiving entity enters into a written Data Use Agreement (DUA) with CDCR. The purpose of a DUA is to ensure that such entity uses or discloses the PHI only as specified in the written agreement.
(4) If a business associate is required by law to perform a function, activity, or service on behalf of CDCR, CDCR shall disclose the minimum necessary PHI to comply with the legal mandate.
(d) Minimum necessary use or disclosure. CDCR shall limit PHI/Personally Identifiable Information (PII) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request when disclosure of a patient's PHI/PII is permitted or when requesting PHI/PII from another entity.
(1) The minimum necessary requirement for uses or disclosures of PHI does not apply to the following:
(A) Disclosures to or requests by a health care provider for treatment.
(B) Disclosures to the patient who is the subject of the information.
(C) Uses and disclosures based upon a valid authorization to use and disclose PHI.
(D) Uses or disclosures required by law.
(e) CDCR shall provide patients the following rights related to the use and disclosure of their PHI and PII:
(1) The right to inspect their PHI/PII and to obtain a copy of it, with the following exceptions:
(A) Mental health records when the health care provider determines there is a substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving a copy of the requested records.
(B) Documents protected by attorney work-product privilege.
(C) When obtaining such information would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other incarcerated persons, or the safety of any officer, employee, other person at the correctional facility, or individual responsible for the transporting of the patient.
(2) The right to request an amendment to their PHI/PII.
(3) The right to an accounting of PHI disclosures made by CDCR for up to six years prior to the date of request, except for disclosures:
(A) To carry out TPO activities.
(B) Made to the patient.
(C) Authorized by the patient.
(D) To persons involved in the patient's care.
(E) For national security or intelligence purposes.
(F) Made to correctional facilities or law enforcement officials having lawful custody of a patient.
(4) The right to an accounting of PII disclosures made by CDCR for up to three years after disclosure or until the disclosed information is destroyed, except for disclosures:
(A) Made to the patient or the patient's duly appointed guardian, representative, or conservator.
(B) Authorized by the patient.
(C) To CDCR where disclosure is necessary for the performance of official duties and is related to the purpose for which the information was acquired.
(D) Pursuant to the California Public Records Act.
(5) The right to request restrictions on the uses and disclosures of their PHI/PII made by CDCR.
(6) The right to request that CDCR communicate with them about their PHI/PII at an alternative location or via alternative means.
(7) The right to file complaints, if they believe their PHI/PII has been improperly disclosed, through the standard health care grievance process.
(f) General use and disclosure of PII. CDCR shall only disclose PII in a manner that would not link the information disclosed to the individual to whom it pertains, unless the information is disclosed as follows:
(1) To the individual to whom the information pertains.
(2) With the prior written voluntary consent of the individual to whom the record pertains, when consent has been obtained within 30 calendar days before the disclosure, or within the time limit agreed to by the individual in the written consent.
(3) To the duly appointed guardian or conservator of the individual or a person representing the individual.
(4) To a governmental entity when required by state or federal law.
(5) To a person who has provided the agency with advance, adequate written assurance that the information shall be used solely for statistical research or reporting purposes, and only if the information to be disclosed is in a form that shall not identify any individual.
(6) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, CDCR reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(g) The Department shall take steps to protect the privacy of all verbal exchanges or discussions of PHI/PII, including, but not limited to, the use of enclosed offices or interview rooms.
(1) In work environments with few offices or closed rooms, such as facilities with open office environments, uses or disclosures that are incidental to an otherwise permitted use or disclosure could occur. Such incidental use or disclosure is not considered a privacy violation provided that the minimum necessary use requirements were met.
(2) The Department shall promote employee awareness of the potential for inadvertent verbal disclosure of PII and PHI.
(h) Privacy breach notifications to patients, or others as applicable, shall be made by the Department as follows:
(1) Notifications shall be written in plain language and meet the following requirements if the information is available at the time the notice is provided:
(A) Name and contact information of CDCR.
(B) A list of the types of personal information reasonably believed to have been the subject of a breach.
(C) The date of the breach, the estimated date of the breach, or the date range within which the breach occurred; the date of discovery of the breach; and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) CDCR actions related to gathering facts and investigating the breach, mitigating harm to individuals, and protecting against further breaches.
(G) Any steps individuals should take to protect themselves from potential harm.
(H) If the breach exposed a social security, driver's license, or California identification card number, CDCR shall provide toll-free telephone numbers and addresses of the major credit reporting agencies.
Note: Authority cited: Section 5058, Penal Code. Reference: Section 5054, Penal Code; Plata v. Newsom (No. C01-1351 JST), U.S. District Court, Northern District of California; Clark v. California (No. C96-1486 CRB), U.S. District Court, Northern District of California; and Armstrong v. Newsom (No. C94-2307 CW), U.S. District Court, Northern District of California.