
Resources

A federal regulation (42 CFR Part 2) that restricts the sharing of patient records relating to substance use disorders such as alcohol and drug addiction. Its confidentiality requirements are stricter than HIPAA's.

The Confidentiality of Medical Information Act, also known as CMIA. A California state law that mandates patient privacy protections and sets penalties for unlawful disclosure of medical information.

A California state law (Health and Safety Code section 1280.15) that sets fines and notification requirements for breaches of patient medical information and requires licensed facilities to report such breaches to the California Department of Public Health and to the affected patients.

Acronym for the Health Insurance Portability and Accountability Act. This federal law led to national healthcare privacy regulations known as the Privacy Rule. The Privacy Rule governs how organizations subject to it (called "covered entities") may use and disclose individuals' health information (called "protected health information," or PHI), and it establishes individuals' rights to control how their health information is used.

Acronym for the Health Information Technology for Economic and Clinical Health Act. A federal law that promotes the adoption of electronic health records and strengthens HIPAA's privacy and security requirements, including breach notification obligations and penalties.

This California state law gives patients the right to inspect and copy the records that health care providers maintain about their health conditions. It also establishes other patient rights regarding medical records.


Privacy Definitions

Authorization

The formal consent document signed by an individual or their designee that allows a covered entity to use or disclose specified PHI for a particular purpose. Except where HIPAA otherwise permits or requires it, a covered entity may not use or disclose PHI without a valid authorization.

Breach

The unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information, except where the unauthorized person to whom the information was disclosed would not reasonably have been able to retain it. Under the HIPAA Breach Notification Rule, an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.

Business Associate

A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. For example, DPH contracts with community-based organizations (CBOs) to provide mental health services, substance use disorder services, case management, and other services.

Covered Entity

A health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which the federal government has adopted a standard. Examples of such transactions include claims, benefit eligibility inquiries, and referral authorization requests.

Disclosure

The release, transfer, provision of access to, or divulging in any manner of information outside the organization holding the information.

Minimum Necessary

Use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose. Under HIPAA, this standard does not apply to disclosures to, or requests by, a health care provider for treatment.

Operations

Refers to the financial, legal, administrative, and quality improvement activities that are necessary to run a healthcare organization (HIPAA calls these "health care operations").

Payment

Activities related to obtaining payment or reimbursement for health care services, such as billing and claims processing.

Protected Health Information

"Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral.

“Individually identifiable health information” is health information that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual (e.g., name, address, birth date, Social Security Number).

TPO

Treatment, Payment, and Operations. Protected Health Information that is exchanged as part of treatment, payment, or health care operations does not require a patient authorization. Stricter rules apply to some records, such as substance use disorder records covered by the federal regulation listed above.

Treatment

Services that provide care to patients. Providers may exchange information with other providers in order to care for shared patients.


"Thank you for taking the SFDPH Annual Compliance and Privacy Training. In order to get credit for having completed the SFDPH Annual Compliance and Privacy Training you must score 100% on each test in all of the modules. Since you did not meet this requirement, you need to tell your Supervisor. Your Supervisor will then need to contact the Office of Compliance & Privacy Affairs for additional instructions."
