Health and Safety Code - HSC


DIVISION 110. THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY IMPLEMENTATION ACT OF 2001 [130300 - 130315]
  ( Division 110 added by Stats. 2001, Ch. 635, Sec. 1. )

130300.
  

This division shall be known and may be cited as the Health Insurance Portability and Accountability Implementation Act of 2001.

(Added by Stats. 2001, Ch. 635, Sec. 1. Effective October 9, 2001.)

130301.
  

The Legislature finds and declares the following:

(a) The federal Health Insurance Portability and Accountability Act (Public Law 104-191), known as HIPAA, was enacted on August 21, 1996.

(b) HIPAA extends health coverage benefits to workers after they terminate or change employment by allowing the worker to participate in existing group coverage plans, thereby avoiding the additional expense associated with obtaining individual coverage as well as the potential loss of coverage because of a preexisting health condition.

(c) Administrative simplification is a key feature of HIPAA, requiring standard national identifiers for providers, employers, and health plans and the development of uniform standards for the coding and transmission of claims and health care information. Administration simplification is intended to promote the use of information technology, thereby reducing costs and increasing efficiency in the health care industry.

(d) HIPAA also contains standards for safeguarding the privacy and security of health information. Therefore, the development of policies for safeguarding the privacy and security of health records is a fundamental and indispensable part of HIPAA implementation that must accompany or precede the expansion or standardization of technology for recording or transmitting health information.

(e) The federal Department of Health and Human Services has published, and continues to publish, rules pertaining to the implementation of HIPAA. Following a 60-day congressional concurrence period, health providers and insurers have 24 months in which to implement these rules.

(f) These federal rules directly apply to state and county departments that provide health coverage, health care, mental health services, and alcohol and drug treatment programs. Other state and county departments are subject to these rules to the extent they use or exchange information with the departments to which the federal rules directly apply.

(g) In view of the substantial changes that HIPAA will require in the practices of both private and public health entities and their business associates, the ability of California government to continue the delivery of vital health services will depend upon the implementation of, and compliance with, HIPAA in a manner that is coordinated among state departments as well as our partners in county government and the private health sector.

(h) The implementation of HIPAA shall be accomplished as required by federal law and regulations and shall be a priority for state departments.

(Amended by Stats. 2016, Ch. 30, Sec. 9. Effective June 27, 2016.)

130302.
  

For the purposes of this division, the following definitions apply:

(a) “Director” means the Director of the Office of Health Information Integrity.

(b) “HIPAA” means the federal Health Insurance Portability and Accountability Act.

(c) “Office” means the Office of Health Information Integrity established by the office of the Governor in the Health and Human Services Agency.

(d) “State entities” means all state departments, boards, commissions, programs, and other organizational units of the executive branch of state government.

(Amended by Stats. 2015, Ch. 455, Sec. 8. Effective January 1, 2016.)

130303.
  

The office shall assume statewide leadership, coordination, policy formulation, direction, and oversight responsibilities for HIPAA implementation and compliance. The office shall exercise full authority relative to state entities to establish policy, provide direction to state entities, monitor progress, and report on implementation and compliance activities.

(Amended by Stats. 2016, Ch. 30, Sec. 10. Effective June 27, 2016.)

130304.
  

The office shall be under the supervision and control of a director, known as the Director of the Office of Health Information Integrity, who shall be appointed by, and serve at the pleasure of, the Secretary of the Health and Human Services Agency.

(Amended by Stats. 2015, Ch. 455, Sec. 9. Effective January 1, 2016.)

130305.
  

The office shall be staffed, at a minimum, with the following personnel:

(a) Legal counsel to perform activities that may include, but are not limited to, determining the application of federal law pertaining to HIPAA.

(b) Staff with expertise in the rules promulgated by HIPAA.

(c) Staff, as necessary, to coordinate and monitor the progress made by all state entities in HIPAA implementation and compliance.

(Amended by Stats. 2016, Ch. 30, Sec. 11. Effective June 27, 2016.)

130306.
  

The office shall perform the following functions:

(a) Standardizing the HIPAA implementation process used in all state entities, which includes the following:

(1) Developing an overall state strategy for HIPAA implementation and compliance that includes timeframes within which specified activities will be completed.

(2) Specifying tools, such as protocols for assessment and reporting, and any other tools as determined by the director for HIPAA implementation and compliance.

(3) Developing uniform policies on privacy, security, and other matters related to HIPAA that shall be adopted and implemented by all state entities. In developing these policies, the office shall consult with representatives from the private sector, state government, and other public entities affected by HIPAA.

(4) Providing an ongoing evaluation of HIPAA implementation and compliance in California and refining the plans, tools, and policies as required to effect implementation.

(5) Developing standards for the office to use in determining the extent of HIPAA compliance.

(b) Representing the State of California in HIPAA discussions with the federal Department of Health and Human Services and at the Workgroup for Electronic Data Interchange and other national and regional groups developing standards for HIPAA implementation, including those authorized by the federal Department of Health and Human Services to receive comments related to HIPAA. The office may review and approve all comments related to HIPAA that state entities or representatives from the University of California, to the extent authorized by its Regents, propose for submission to the federal Department of Health and Human Services or any other body or organization.

(c) Monitoring the HIPAA implementation and compliance activities of state entities and requiring these entities to report on their activities at times specified by the director using a format prescribed by the director. The office shall seek the cooperation of counties in monitoring HIPAA implementation and compliance in programs that are administered by county government.

(d) Providing state entities with technical assistance as the director deems necessary and appropriate to advance the state’s implementation and compliance of HIPAA as required by the schedule adopted by the federal Department of Health and Human Services. This assistance shall also include sharing information obtained by the office relating to HIPAA.

(e) Reviewing and approving all HIPAA legislation and regulations proposed by state entities, other than state control agencies, prior to the proposal’s review by any other entity and reviewing all analyses and positions, other than those prepared by state control agencies, on HIPAA related legislation being considered by either Congress or the Legislature.

(f) Ensuring state departments claim federal funding for those activities that qualify under federal funding criteria.

(g) Maintaining an Internet Web site that is accessible to the public to provide information in a consistent and accessible format concerning state HIPAA implementation activities, timeframes for completing those activities, HIPAA implementation requirements that have been met, and the promulgation of federal regulations pertaining to HIPAA implementation.

(Amended by Stats. 2016, Ch. 30, Sec. 12. Effective June 27, 2016.)

130308.
  

The office may contract for the provision of services required to implement this division. The Legislature finds that these contracts are for a new state function and authorizes the performance of this work by independent contractors, pursuant to paragraph (2) of subdivision (b) of Section 19130 of the Government Code.

(Added by Stats. 2001, Ch. 635, Sec. 1. Effective October 9, 2001.)

130309.
  

(a) All state entities subject to HIPAA shall complete an assessment, in a form specified by the office to determine the impact of HIPAA on their operations.

(b) All state entities shall cooperate with the office to determine whether they are subject to HIPAA, including, but not limited to, providing a completed assessment as prescribed by the office.

(Amended by Stats. 2016, Ch. 30, Sec. 14. Effective June 27, 2016.)

130310.
  

All state entities shall cooperate with the efforts of the office to monitor HIPAA implementation and compliance activities and to obtain information on those activities.

(Amended by Stats. 2016, Ch. 30, Sec. 15. Effective June 27, 2016.)

130311.
  

All state entities affected by HIPAA shall comply with the decisions of the director in achieving compliance with HIPAA.

(Added by Stats. 2001, Ch. 635, Sec. 1. Effective October 9, 2001.)

130311.5.
  

(a) The office shall assume statewide leadership, coordination, direction, and oversight responsibilities for determining which provisions of state law concerning personal medical information are preempted by HIPAA pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations. State entities impacted by HIPAA shall, at the direction of the office, do the following:

(1) Assist in determining which state laws concerning personal medical information are preempted by HIPAA.

(2) Conform to all determinations made by the office concerning HIPAA preemption issues.

(b) Any provision of state law concerning personal medical information that is determined by the office to be preempted by HIPAA pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations, shall not be applicable to the extent of that preemption. The remainder of the provisions of state law concerning personal medical information shall remain in full force and effect.

(Amended by Stats. 2007, Ch. 700, Sec. 1. Effective January 1, 2008. Repealed as of January 1, 2008, by its own provisions.)

130313.
  

To the extent that funds are appropriated in the annual Budget Act, the office shall perform the following functions in order to comply with HIPAA requirements:

(a) Ongoing support of departmental HIPAA project management offices.

(b) The development, revision, and issuance of HIPAA compliance policies.

(c) Modifications of programs in accordance with any revised policies.

(d) Staff training on HIPAA compliance policies and programs.

(e) Coordination and communication with other affected entities.

(f) Evaluate, monitor, and report on HIPAA implementation and compliance activities of state entities affected by HIPAA.

(g) Consultation with appropriate stakeholders.

(Amended by Stats. 2016, Ch. 30, Sec. 17. Effective June 27, 2016.)

130314.
  

The office shall report to the Legislature, upon its request, any services or programs that were temporarily reduced or suspended due to the redirection of funds for HIPAA compliance activities.

(Added by Stats. 2001, Ch. 635, Sec. 1. Effective October 9, 2001.)

130315.
  

State entities may adopt emergency regulations in accordance with the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement HIPAA requirements set forth in final federal regulations. This authority shall terminate one year after the last final rule for HIPAA is issued by the federal government. The adoption of emergency regulations described in this section shall be deemed to be an emergency and necessary for the immediate preservation of the public peace, health and safety, or general welfare. An emergency regulation adopted under this section shall remain in effect for not more than two years.

(Added by Stats. 2001, Ch. 635, Sec. 1. Effective October 9, 2001.)
