HIPAA California: How to Comply with California HIPAA Laws

California HIPAA Laws

California HIPAA laws consist of both the federal HIPAA law and California state privacy law CCPA. Healthcare entities that create, receive, maintain, or transmit the information of California residents must comply with HIPAA as well as the California state privacy law.

Complying with HIPAA

To meet the requirements of the HIPAA regulations, healthcare organizations (healthcare providers, healthcare vendors, and MSPs) must implement a HIPAA compliance program.

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

Employee HIPAA Training

To make sure that your employees are aware of their responsibilities regarding the HIPAA rules, they must be trained annually. This training must cover HIPAA basics, an overview of your organization’s policies and procedures, and cybersecurity best practices.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use any vendor and be HIPAA compliant. They need to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and be responsible for maintaining their compliance. When a vendor doesn’t sign a BAA, they cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.

CCPA and HIPAA

HIPAA and CCPA directly interact. The CCPA “carves out,” or excludes, “HIPAA covered entities” and “business associates” from its requirements; the CCPA does not apply to protected health information (PHI), as that term is defined under HIPAA. 

Despite these carve outs, personal information (as that term is defined under the CCPA) created, received, maintained, or transmitted by entities subject to HIPAA is also subject to the CCPA under several circumstances. 

Collection of Personal Information From Non-patients and Non-plan Members

Covered entities, as HIPAA defines that term, perform activities that involve the collection of personal information, as the term “personal information” is defined under the CCPA. Such personal information is often collected from individuals who are neither patients nor enrollees in a health plan. For example, covered entities may collect geolocation from employee smartphones in the course of their business. This personal information does not constitute PHI but falls under the definition of CCPA “personal information” and is protected under the CCPA. Therefore, covered entities ARE subject to the requirements of the CCPA if the information the covered entities collect is personal information.

PHI That Has Been De-Identified Under HIPAA 

Under the HIPAA Privacy Rule, once PHI has adequately been de-identified, it is no longer considered PHI. Therefore, the de-identified information is no longer subject to the HIPAA Privacy Rule. Since the CCPA “carves out” PHI from its terms, it is no longer subject to the carve out once the information is no longer PHI. Therefore, de-identified PHI under HIPAA may nonetheless still constitute personal information under the CCPA. Covered entities must observe CCPA requirements with respect to personal information.

1. Information that is not PHI but is derived from PHI
2. The CCPA definition of personal information is extremely broad. One of the eleven types of information that constitutes “personal information” under the CCPA is “inferences” – specifically, “inferences drawn from…. [information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

The CCPA defines the term inference as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information of data.”

For example, if inferences are drawn from protected health information, which is then used to create new data that is used for marketing activities, the new data is likely “derived” from PHI or drawn from PHI.  As such, the information is personal information, subject to the CCPA.

HIPAA Notice of Privacy Practices in California

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:   

• The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
• A description of how PHI can be used for treatment, payment, and health care operations.
• A description of the types of PHI uses and disclosures requiring patient authorization.

• A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
  •  A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.

• The name, title, and phone number of a person or office to contact for further information or questions about the notice.
• The date on which the notice is first in effect.
• A statement that an individual may revoke an authorization.

HIPAA Training California

HIPAA imposes employee training requirements that are the same regardless of the state the healthcare organization operates in. HIPAA training in California must be provided to each employee that has the potential to access PHI. Training must be provided annually, in which employees must legally attest that they understand and agree to adhere to the training material. 

HIPAA Release Form California

Under the California Confidentiality of Medical Information Act (CMIA), patient medical records may not be disclosed without authorization unless disclosure is required for litigation or is required to communicate important medical information to other healthcare providers, insurers, and other interested parties.

California law imposes very specific requirements (more stringent than those under HIPAA) for authorizations to be valid. 

Under California law, a medical release form allowing disclosure by a provider of healthcare must (among other requirements): 

• State the specific uses and limitations on the types of medical information
• State the name or functions of the healthcare provider 
• State a specific date after which the provider is no longer authorized to disclose the medical information
• Be handwritten by the person who signs it, or be in a typeface no smaller than 14-point type
• Be clearly separate from any other language present on the same page
• Be executed by a signature that serves no other purpose than to execute the authorization
• Be signed and dated by the patient. A patient who is a minor may only sign an authorization for the release of treatment information records, if the medical services given to the minor were services the minor could have lawfully consented to in the first place (California minors as young as 12 years old may provide consent for certain medical services. For other services, the age of consent is higher – in some cases, the age of consent is 18)
  • If the patient is incapacitated, a legal representative may sign and date the authorization
  • A spouse of the patient, or the person financially responsible for the patient, may sign and date the authorization, if (and only if) the information is being sought to process a healthcare insurance application, or to enroll a patient in an employee benefit plan in which the patient is to be enrolled as a spouse or dependent
  • In cases where the patient is deceased, the patient’s personal representative may sign and date the California medical release form 

California HIPAA Breach Notification Requirements

California HIPAA breach notification requirements can be complex. This is because both HIPAA and California laws impose breach notification requirements.

The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information. 

Incidents that are considered reportable breaches include:

• Hacking or IT incidents
• Unauthorized access or disclosure of PHI
• Theft or loss of an unencrypted device with access to PHI
• Improper disposal of medical records

When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.

Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.

• Breaches affecting 1 – 499 patients: organizations must keep an account of any breach that involved less than 500 patients over the course of the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred to report these incidents to the HHS – March 1st.
• Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to the HHS within 60 days of discovering the incident. These incidents are posted on the OCR’s online breach portal.

While the California Health and Safety Code states that healthcare providers must notify the department and affected individuals no later than 15 days after “unlawful or unauthorized access.” 

So in summation, California HIPAA breach notification requirements dictate that PHI breaches be reported to the Department of Health and Human Services under HIPAA guidelines, and to patients and the California state department under California’s guidelines. 

HIPAA Violation California

HIPAA violations in California occur when healthcare organizations fail to comply with the standards set forth by HIPAA and CCPA. While many HIPAA violations occur as the result of breaches, it is not the breach itself that would conclude that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, provide patients timely access to their medical records, have signed business associate agreements, or report breaches promptly.