(a) The center shall assume statewide leadership, coordination, policy formulation, direction, and oversight responsibilities for compliance with state and federal health information privacy laws, including, but not limited to, the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), the Information Practices Act of 1977 (Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code), the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), and the federal Health Information Technology for Economic and Clinical Health Act (Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5)), and implementing regulations. The center shall exercise full authority relative to state entities to establish policy, provide direction to state entities, provide guidance on data sharing, monitor progress, and report on compliance activities. (b) Beginning January 1, 2022, the center shall complete an independent security assessment as described in Section 11549.3 of the Government Code at least once every three years and, consistent with subdivision (d) of that section, submit any resulting report and recommendations to the Office of Emergency Services. (c) All state entities subject to HIPAA shall complete an assessment, in a form specified by the center, to determine the impact of HIPAA on their operations. All state entities shall cooperate with the center to determine whether the state entity is subject to HIPAA, including, but not limited to, providing a completed assessment, as prescribed by the center. (d) All state entities shall cooperate with the efforts of the center to monitor HIPAA and health information privacy compliance activities and to obtain information on these activities. Information obtained about these activities shall not include personal information, as defined in subdivision (a) of Section 1798.3 of the Civil Code. (e) All state entities affected by HIPAA shall comply with the decisions of the director in achieving compliance with HIPAA and other health information privacy laws, including whether a state entity is subject to HIPAA and other state and federal health information privacy requirements. (f) (1) The center shall assume statewide leadership, coordination, direction, and oversight responsibilities for determining which provisions of state law concerning health information are preempted by HIPAA, or are more protective of individually identifiable health information, pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations. State entities impacted by HIPAA shall, at the direction of the center, do both of the following: (i) Assist in determining which state laws concerning personal medical information are preempted by HIPAA. (ii) Conform to all determinations made by the center concerning HIPAA preemption issues. (2) If the center determines that a state law is preempted by HIPAA, the center shall provide the determination and a recommendation for a solution to the Secretary of California Health and Human Services. (g) State entities are responsible for ensuring compliance with state and federal health information privacy laws, including, but not limited to, HIPAA. To the extent that funds are appropriated in the annual Budget Act, the center shall do all of the following to assist state entities in complying with health information requirements: (1) Develop uniform policies on privacy, patient rights, and other matters related to health information requirements that shall be adopted and implemented by all state entities. In developing these policies, the center shall consult with representatives from the private sector, state government, and other public entities, including at least two consumer representatives, at least one of whom shall have expertise in privacy and security of health information. (2) Specify training and tools
‹ Prev All California sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.