Cal. Code Regs. tit. 15 § 3999.215

Current through Register 2024 Notice Reg. No. 50, December 13, 2024
Section 3999.215 - Protected Health Information and Personally Identifiable Information
(a) Protected Health Information (PHI) maintained by the California Department of Corrections and Rehabilitation (CDCR) is private and confidential. CDCR shall not use or disclose PHI, except as permitted or required by law.
(b) CDCR may use or disclose PHI for Treatment, Payment, or Health Care Operations (TPO) purposes without patient authorization as follows:
(1) For CDCR's own TPO.
(2) For treatment activities of another health care provider.
(3) To another covered entity or health care provider for its payment activities.
(4) To another covered entity for its health care operations activities, if CDCR and the other covered entity each has or had a relationship with the patient who is the subject of the PHI being requested, and the disclosure is for the purpose of health care fraud and abuse detection or compliance.
(c) CDCR shall not use or disclose PHI for non-TPO purposes unless the disclosure is pursuant to a valid authorization for disclosure of PHI from the patient or the personal representative of the patient, or unless the disclosure meets one of the following exceptions:
(1) To a coroner or medical examiner, for the purpose of identifying a deceased person, determining a cause of death, or other duties authorized by law.
(2) To organ procurement organizations or other entities engaged in procuring, banking, or transplantation of cadaver organs, eyes, or tissue, for the purpose of facilitating transplantation.
(3) A Limited Data Set, but only if the receiving entity enters into a written Data Use Agreement (DUA) with CDCR. The DUA ensures that the receiving entity uses or discloses the PHI only as specified in the written agreement.
(4) If a business associate is required by law to perform a function, activity, or service on behalf of CDCR, CDCR shall disclose the minimum necessary PHI to comply with the legal mandate.
(d) Minimum necessary use or disclosure. CDCR shall limit PHI/Personally Identifiable Information (PII) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request when disclosure of a patient's PHI/PII is permitted or when requesting PHI/PII from another entity.
(1) The minimum necessary requirement for uses or disclosures of PHI does not apply to the following:
(A) Disclosures to or requests by a health care provider for treatment.
(B) Disclosures to the patient who is the subject of the information.
(C) Uses and disclosures based upon a valid authorization to use and disclose PHI.
(D) Uses or disclosures required by law.
(e) CDCR shall provide patients the following rights related to the use and disclosure of their PHI and PII:
(1) The right to inspect their PHI/PII and to obtain a copy of it with the following exceptions:
(A) Mental health records when the health care provider determines there is a substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving a copy of the requested records.
(B) Documents protected by attorney work-product privilege.
(C) When obtaining such information would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other incarcerated persons, or the safety of any officer, employee, other person at the correctional facility, or individual responsible for the transporting of the patient.
(2) The right to request an amendment to their PHI/PII.
(3) The right to an accounting of PHI disclosures made by CDCR for up to six years prior to the date of request except for disclosures:
(A) To carry out TPO activities.
(B) Made to the patient.
(C) Authorized by the patient.
(D) To persons involved in the patient's care.
(E) For national security or intelligence purposes.
(F) Made to correctional facilities or law enforcement officials having lawful custody of a patient.
(4) The right to an accounting of PII disclosures made by CDCR for up to three years after disclosure or until the disclosed information is destroyed, except for disclosures:
(A) Made to the patient or the patient's duly appointed guardian, representative, or conservator.
(B) Authorized by the patient.
(C) To CDCR where disclosure is necessary for the performance of official duties and is related to the purpose for which the information was acquired.
(D) Pursuant to the California Public Records Act.
(5) The right to request restrictions on the uses and disclosures of their PHI/PII made by CDCR.
(6) The right to request that CDCR communicate with them about their PHI/PII at an alternative location or via alternative means.
(7) The right to file complaints, if they believe their PHI/PII has been improperly disclosed, through the standard health care grievance process.
(f) General use and disclosure of PII. CDCR shall only disclose PII in a manner that would not link the information disclosed to the individual to whom it pertains unless the information is disclosed as follows:
(1) To the individual to whom the information pertains.
(2) With the prior written voluntary consent of the individual to whom the record pertains, when consent has been obtained within 30 calendar days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(3) To the duly appointed guardian or conservator of the individual or a person representing the individual.
(4) To a governmental entity when required by state or federal law.
(5) To a person who has provided the agency with advance, adequate written assurance that the information shall be used solely for statistical research or reporting purposes, and only if the information to be disclosed is in a form that shall not identify any individual.
(6) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, CDCR reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(g) The Department shall take steps to protect the privacy of all verbal exchanges or discussions of PHI/PII including, but not limited to, the use of enclosed offices or interview rooms.
(1) In work environments with few offices or closed rooms, such as facilities with open office environments, uses or disclosures that are incidental to an otherwise permitted use or disclosure could occur. Such incidental use or disclosure is not considered a privacy violation provided that the minimum necessary use requirements were met.
(2) The Department shall promote employee awareness of the potential for inadvertent verbal disclosure of PII and PHI.
(h) Privacy breach notifications to patients, or others as applicable, shall be made by the Department as follows:
(1) Notifications shall be written in plain language and meet the following requirements if the information is available at the time the notice is provided:
(A) Name and contact information of CDCR.
(B) A list of the types of personal information reasonably believed to have been the subject of a breach.
(C) The date of the breach, the estimated date of the breach, or the date range within which the breach occurred, the date of discovery of the breach, and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) CDCR actions related to gathering facts and investigating the breach, mitigating harm to individuals, and protecting against further breaches.
(G) Any steps individuals should take to protect themselves from potential harm.
(H) If the breach exposed a social security, driver's license, or California identification card number, CDCR shall provide toll-free telephone numbers and addresses of the major credit reporting agencies.

Note: Authority cited: Section 5058, Penal Code. Reference: Section 5054, Penal Code; Plata v. Newsom (No. C01-1351 JST), U.S. District Court, Northern District of California; Clark v. California (No. C96-1486 CRB), U.S. District Court, Northern District of California; and Armstrong v. Newsom (No. C94-2307 CW), U.S. District Court, Northern District of California.

1. New article 3 (section 3999.215) and section filed 7-1-2019 as an emergency; operative 7/1/2019 (Register 2019, No. 27). Pursuant to Penal Code section 5058.3, a Certificate of Compliance must be transmitted to OAL by 12-9-2019 or emergency language will be repealed by operation of law on the following day.
2. New article 3 (section 3999.215) and section refiled 12-5-2019 as an emergency; operative 12/10/2019 (Register 2019, No. 49). Pursuant to Penal Code section 5058.3, a Certificate of Compliance must be transmitted to OAL by 3-9-2020 or emergency language will be repealed by operation of law on the following day.
3. New article 3 (section 3999.215) and section refiled 3-9-2020 as an emergency; operative 3/10/2020 (Register 2020, No. 11). A Certificate of Compliance must be transmitted to OAL by 6-8-2020 or emergency language will be repealed by operation of law on the following day.
4. Certificate of Compliance as to 3-9-2020 order transmitted to OAL 6-8-2020 and filed 7/20/2020 (Register 2020, No. 30).
5. Change without regulatory effect amending subsection (e)(1)(C) filed 7-1-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 27).