California HIPAA training for small businesses


Consider the Purpose


Every disclosure of protected health information (PHI) must be authorized, permitted, required or justified by law. Consider the purpose before you decide what information should be disclosed. HIPAA requires the provider to "...make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." § 164.502(b)

For example, disclosing PHI for the purpose of preventing an imminent threat is legally justified if the doctor "...in good faith, believes...the disclosure necessary for law enforcement authorities to identify or apprehend an individual." § 164.512(j)

Authorized Disclosures


The surest way to disclose PHI legally is to obtain the patient's signature on a valid authorization that conforms to HIPAA regulation § 164.508(c). California has additional requirements: a 14-point font and a date (not an event) for terminating the authorization. Civ.C. § 56.11

Signed authorizations are required if the disclosure involves psychotherapy notes, marketing, or the sale of PHI. § 164.508(a)

If a personal representative (PR) signs the authorization, HIPAA requires that "...a description of such representative's authority to act for the individual must also be provided." § 164.508(c)(vi) A health care agent may sign if that authority is in effect. Prob.C § 4701

Permitted Disclosures (TPO)


Many kinds of uses and disclosures of PHI are permitted by HIPAA and do not require a formal, signed authorization.

A provider may use and disclose PHI to carry out treatment, payment, or health care operations (TPO). § 164.506 Definitions of each term (treatment, payment, health care operations) are given in § 164.501.

The consent requirement for TPO disclosures was eliminated in 2002, but some CEs continue to use consent procedures. HIPAA allows, but does not encourage, the use of TPO consent forms. A CE should make sure the consent procedure does not conflict with the CE's notice of privacy practices (NPP). The website gives a more thorough explanation of TPO uses and disclosures.

Permitted Disclosures (Family & Friends)


The term family member now includes same-sex spouses, and dependents of such marriages, regardless of where services are provided. A spouse is a "spouse" if the couple was legally married. § 160.103

CEs may use or disclose TPO information to friends or family if that information is directly relevant to their personal involvement with the patient's treatment. Disclosures are also permitted when the CE seeks information necessary to make notifications about the patient's location, general condition, or death. § 164.510(b)

Required Disclosures (PRs & Surrogates)


A CE must treat a personal representative as the individual for purposes of HIPAA, except in specific situations involving minors and abuse, neglect, or endangerment. State law determines whether the personal representative (PR) has the right to act on the patient's behalf. § 164.502(g)

In California, an adult patient (whose health care is under consideration) includes the advance-directive agent and an adult who was given an individual health care instruction or designated a surrogate. Prob C § 4625 If a patient is deceased, the authorization can be signed by the PR of the decedent, the PR of the estate, or a beneficiary of the estate. Civil C § 56.11(c)(4), H&S C § 123105(e)

Social Media Disclosures


PHI must be absolutely isolated from social media. Workforce training is key.

If possible, the CE privacy officer should evaluate each member of the workforce to make sure they can distinguish PHI from social communications. Discuss the importance of leaving work at the office. Never share war stories on Facebook. PHI cannot be de-identified by simply omitting patient names.

Maintaining friendships in a small community requires special care. Providers should reassure patients they remain in complete control of how much they reveal of themselves. HIPAA allows patients to request extra privacy protections. § 164.522

Permitted Disclosures (Minors)


A parent, guardian, or person acting in loco parentis is treated the same as a personal representative (PR) if that person has legal authority to make health care decisions on behalf of the unemancipated minor. § 164.502(g)(3)

The minor's PR may sign authorizations or obtain access to PHI within the scope of the PR's legal authority under State law. California laws regarding minors are set forth in §§ 6920-6929 of the Family Code.

For example, a 12-year-old child has a right to exclude parents from accessing information that concerns sexually transmitted diseases reportable to the local health officer. Family C § 6926

Required Disclosures (Legal)


Privacy Rule § 164.508 defines uses and disclosures of PHI for which an authorization or opportunity to agree or object is not required. CEs may be required to disclose PHI to serve the public. For example:

The FDA investigates adverse events, public health agencies investigate communicable diseases, OSHA tracks employee illnesses, courts issue subpoenas, law enforcement may use PHI if certain conditions are met, coroners use decedents' records, etc.

Certain groups are exempt from HIPAA. Workers' compensation is governed by state law. § 164.512(l) Military personnel, certain overseas personnel, and prisoners are exempt.

© Darnall Law Office 2016