Skip to Content

Security of Health Information in California

California provides safeguards to protect the security of patients’ medical information.  The law requires licensed hospitals, nursing homes, and other health care facilities to protect against the unauthorized access or disclosure of patient medical information or be subject to a fine.1  Providers that use electronic records system to maintain patient records must use an offsite backup storage system, and have security policies in place to protect against the unauthorized disclosure of patient medical information.2  California also requires all licensed insurance companies to implement a comprehensive, written information security program that has safeguards to protect consumer information.3  This information security program must ensure the security and confidentiality of a patient’s information.  The program must also protect against unauthorized use or access to the information that could result in harm to the patient.4

Notably, California has established the Office of Health Information Integrity to evaluate health providers’ efforts to prevent against unauthorized access or disclosure of patient records.  In making its evaluation, the Office will take into account factors such as the provider’s size, complexity and history of compliance.5  In order to further maintain the security of health information, the state of California has made it a crime to alter the medical record of an individual with the intent to commit fraud.6

Footnotes

  • 1. Health & Safety Code §1280.15
  • 2. Health & Safety Code §123149
  • 3. 10 CA ADC §2689.14
  • 4. 10 CA ADC §2689.15
  • 5. Health & Safety Code §130203
  • 6. Cal. Penal Code §471.5

 

Security of Health Information in California

Subtopic Statute/Regulation Description
Security of health information in hospitals or other health care facilities (Cross reference Health Information Technology): Passwords Written Statement of Confidentiality to Patients for Health Service Plans – Cal. Health & Safety Code § 1364.5 All health service plans operating in the state of California must provide to the Director of the Department of Managed Care, a copy of their...
Patient Medical Record Availability Requirements for Hospitals – Cal. Code Regs. tit. 22 § 70751 Records must be kept for all patients admitted to the hospital.  All records must be maintained in a form that is legible and readily available...
Security of health information in hospitals or other health care facilities (Cross reference Health Information Technology): Other methods of protecting electronic information Written Statement of Confidentiality to Patients for Health Service Plans – Cal. Health & Safety Code § 1364.5 All health service plans operating in the state of California must provide to the Director of the Department of Managed Care, a copy of their...
Patient Medical Record Availability Requirements for Hospitals – Cal. Code Regs. tit. 22 § 70751 Records must be kept for all patients admitted to the hospital.  All records must be maintained in a form that is legible and readily available...
Security of health information in hospitals or other health care facilities (Cross reference Health Information Technology): Encryption Written Statement of Confidentiality to Patients for Health Service Plans – Cal. Health & Safety Code § 1364.5 All health service plans operating in the state of California must provide to the Director of the Department of Managed Care, a copy of their...
Patient Medical Record Availability Requirements for Hospitals – Cal. Code Regs. tit. 22 § 70751 Records must be kept for all patients admitted to the hospital.  All records must be maintained in a form that is legible and readily available...
Penalties for violating the security of health information Alteration or Modification of Medical Record or Creation of False Medical Record With Fraudulent Intent – Cal. Penal Code § 471.5 “Alteration or modification of medical record or creation of false medical record with fraudulent intent”   Any person who alters or...
Destruction of Records-Cal. Civ. Code § 56.101 All health care providers, health service plans, pharmaceutical companies, contractors or other entities must preserve, store, maintain or destroy...
Violations of Patient Confidentiality of Medical Information – Cal. Civ. Code §56.36 Any violation of the provisions of patient confidentiality of medical information that results in economic loss or personal injury to a patient is...
Storage of health information in a secure location (Cross reference Medical Record Collection) Destruction of Records-Cal. Civ. Code § 56.101 All health care providers, health service plans, pharmaceutical companies, contractors or other entities must preserve, store, maintain or destroy...
Reporting Requirements for Cancer Cases and Regional Cancer Registry Requirements – Cal. Code Regs. tit. 17 § 2593 Cancer cases must be reported by all counties to a regional cancer registry, which will then report to the Department of Health Services.  The...
Security of Health Information Establishment of the Office of Health Information Integrity – Cal. Health & Safety Code § 130200 An Office of Health Information Integrity is established within the California Health and Human Services to ensure enforcement of state law mandating...
Reporting of Unlawful or Unauthorized Access or Disclosure of Patient Medical Information – Cal. Health & Safety Code § 1280.15 A licensed hospital, community health clinic, nursing facility, or other health facility must prevent unlawful or unauthorized access or disclosure...