DRAFT DEC 2018

CONSENT & CONFIDENTIALITY PRIVACY FRAMEWORK
CALIFORNIA

Marsali Hancock, CEO
Elinela Pérez, LL.M, CIPP/E. VP, Global Privacy

This material is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this material without seeking legal or other professional advice.

Dedicated to Santa Clara County Behavioral Health Service (SCCBH) for their extraordinary leadership to enable coordinated systems of community and self care.

TABLE OF CONTENTS
● HEALTH AND MEDICAL INFORMATION PRIVACY
● EDUCATION PRIVACY
● CONSUMER DATA
● ONLINE PRIVACY
● RECORDS
● PRIVACY NETWORKS

ABOUT

EP3 Foundation, a 501c3 non-profit, is a multi-sector community of nonprofits, commercial vendors, standards organizations, enterprises, research institutions, government agencies and individuals committed to empowering people with privacy and personalization. This document creates a framework for the confidentiality, permissions, and privacy requirements unique to California mental health, substance use, electronic health and education records.

Santa Clara County Behavioral Health Services (SCCBHS)

Mission: To assist individuals in our community affected by mental illness and serious emotional disturbance to achieve their hopes, dreams and quality of life goals. To accomplish this, services must be delivered in the least restrictive, non-stigmatizing, most accessible environment within a coordinated system of community and self-care, respectful of a person's family and loved ones, language, culture, ethnicity, gender and sexual identity.

Marsali Hancock, Elinela Perez, EP3 Foundation, 177 Park Avenue, Suite 200, San Jose, CA 94113. info@EP3Foundation.org, CC Attribution 4.0 2018

Santa Clara County Behavioral Health Services: Five Regulatory Authorities

1. Center for Mental Health Services and Department of Health Care Services (CMHS/DHCS) Mental Health Plan Contract and the Substance Use Treatment Services (SUTS) for Organized Delivery System Intergovernmental Agreement
2. Centers for Medicare and Medicaid Services and the Department of Health Care Services (CMS/DHCS) Waiver Provisions - subject to change every two to five years.
3. California Department of Health Care Services (DHCS) Triennial Review Protocol - published and updated annually
4. California State Law (Welfare and Institutions Code)
5. California State regulations (Title 9)

1. HEALTH AND MEDICAL INFORMATION PRIVACY

INFORMATION TYPE: General Clinical Information
● Federal: Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule 45 C.F.R. § 164.500 et seq.
● California: California Constitution, Article 1 § 1
● Federal: HIPAA Security Rule 45 C.F.R. § 164.300 et seq.
● California: Cal. Civ. Code § 56 et seq. – Confidentiality of Medical Information Act (CMIA)
● California: Medical Information Confidentiality - California Civil Code sections 56-56.37. This law puts limits on the disclosure of patients' medical information by medical providers, health plans, pharmaceutical companies, and many businesses organized for the purpose of maintaining medical information. It specifically prohibits many types of marketing uses and disclosures. It requires an electronic health or medical record system to protect the integrity of electronic medical information and to automatically record and preserve any change or deletion
● Federal: Clinical Laboratory Improvement Amendments (CLIA) 42 U.S.C § 263a and 42 U.S.C § 493.1291
● California: Clinical Laboratory Registration. California Business and Professions Code. BPC § 1265
● Federal: Health Information Technology for Economic and Clinical Health Act (HITECH) 78 Fed. Reg. 5566 - 5702

INFORMATION TYPE: Substance Use Disorder
● Federal: Confidentiality of Substance Use Disorder Patient Records - 42 C.F.R. Part 2. Implements Federal Drug Abuse, Prevention, Treatment and Rehabilitation Act (42 U.S.C. § 290dd-2)
● California: CA Health and Safety Code (HSC) including § 11845.5, § 123110 and § 123125 | Records for Substance Use Disorder - CA HSC § 11845.5
● Federal: 45 C.F.R. Parts 160-164 – Health Insurance Portability and Accountability Act (HIPAA)
● California: Rehabilitative and Developmental Services - CA Code of Regulations Title 9 § 10568(c)

INFORMATION TYPE: Mental Health Information
● Federal: 45 CFR 164.510(b). (HIPAA) Healthcare providers and Patient Family | Psychotherapy notes 45 CFR 164.501 and 45 CFR 164.508(a)(2)
● California: CA Welfare and Institutions Code (WIC) – various, including the Lanterman-Petris-Short (LPS) Act at § 5328 et seq.

INFORMATION TYPE: HIV AIDS Information
● Federal: HIPAA 45 C.F.R. § 164.500 et seq.
● California: Privacy protections for HIV blood tests. Cal Health & Safety Code § 120975 – 121020

INFORMATION TYPE: Genetic Information
● Federal: The Genetic Information Nondiscrimination Act (GINA)
● California: California Genetic Information Nondiscrimination Act (CalGINA) added “genetic information” to the list of protected classes found in California laws, including public accommodations statutes, the California Fair Employment and Housing Act (“FEHA”), and the Health and Safety Code

INFORMATION TYPE: Treatment Information for Minors
● Federal: 42 USC § 290dd–2; 42 CFR 2.11, et seq. | HIPAA 45 CFR 164.502(g)
● California: Cal. Civ. Code § 56.10(c)(1); California Health and Safety Code § 11812(c); California Welfare and Institutions Code § 5328(a). California Health and Safety Code § 124260(b).
A provision of California’s family law, however, says that to consent to mental health treatment, the minor must demonstrate such maturity and must either “present a danger of serious physical or mental harm to self or to others without the mental health treatment or counseling or residential shelter services” or be “the alleged victim of incest or child abuse.” California Family Code § 6924(b).

INFORMATION TYPE: Other Health and Medical Laws
● California: Information Practices Act (IPA) Cal. Civ. Code §§ 1798-1798.78
● California: Office of Health Information Integrity - California Health and Safety Code sections 130200.

INFORMATION TYPE: Health Information Data Breach Notification
● Federal: Covered entities must comply with HIPAA’s data breach notice requirements. 45 CFR §§ 164.400 - 164.414 | HITECH § 13400(1) - 13407 | 78 Fed. Reg. 5641–5646
● California: Data breach notice Cal. Civ. Code §§ 1798.29, 1798.82. Additional breach notice requirements for clinics, health facilities, home health agencies, and hospices. Cal. Health & Safety Code § 1280.15 Breach of Confidential Patient Medical Information: unauthorized access to patient medical information.

INFORMATION TYPE: Health Information Marketing Purposes
● Federal: HIPAA 45 CFR § 164.508 subdivision (a)(3)
● California: Collection of Medical Information for Direct Marketing Purposes. Cal. Civ. Code § 1798.91 and §§ 56.05 and 56.10.

INFORMATION TYPE: Access to Records
● Federal: HIPAA 45 CFR § 164.524
● California: Patient Access to Health Records Act (PAHRA) Cal. Health & Safety Code §§ 123100-123149.1
● California: Birth and Death Certificate Access - California Health and Safety Code sections 103525, 103525.5, 103526, 103526.5, 103527, and 103528.
● California: Birth and Death Record Indices - California Health and Safety Code sections 102230, 102231, and 102232.

INFORMATION TYPE: Records Amendments
● Federal: HIPAA 45 CFR § 164.526
● California: California Health and Safety Code § 123111 | Data Disposal Cal Civ Code 1798.81

INFORMATION TYPE: Audit Trails of Records
● Federal: HIPAA 45 CFR 164.528. HITECH Act § 13405(c).
● California: Cal. Civ. Code § 56.101

INFORMATION TYPE: Insurance Information
● California: Insurance Information and Privacy Protection Act (IIPPA) Cal. Ins. Code §§ 791-791.29
● California: California Welfare and Institutions Code §§ 15925(b)(3)(G) and 15926(m)
● California: California Health Benefit Exchange, Applicant Privacy - Government Code § 100503

INFORMATION TYPE: Shared Information
● California: California Shine the Light Law. Cal. Civ. Code § 1798.83

INFORMATION TYPE: Other Federal Laws on Health Information
● Federal: Americans with Disability Act 42 U.S.C § 12101
● Federal: Patient Safety and Quality Improvement Act (PSQIA) 42 U.S.C § 299B-21 - b-26

2. EDUCATION PRIVACY

INFORMATION TYPE: Student's Information
● Federal: Family Educational Rights and Privacy Act (“FERPA”) 20 U.S.C. § 1232g; 34 CFR Part 99
● California: California's Student Online Personal Information Protection Act ("SOPIPA") Cal. Bus. & Prof. Code § 22584
● Federal: Children’s Online Privacy Protection Act (COPPA)
● California: Early Learning Personal Information Privacy Act (ELPIPA). Personal Information: preschool and prekindergarten purposes. Chapter 22.2.5 to Division 8 of the Business and Professions Code. Applies student privacy protections to preschool personal data. Cal. Bus & Prof. Code § 22586
● Federal: Protection of Pupil Rights Amendment (“PPRA”) 20 U.S.C. § 1232h; 34 CFR Part 98
● California: California Education Code § 49073.1 (Formerly AB 1584) – Privacy of Pupil Records: 3rd-Party Digital Storage & Digital Education Software Data Privacy Requirements for Contracts with Technology Providers
● Federal: No Child Left Behind Act 20 U.S.C. § 1232 f-j, 7908
● California: Collection of Student Information from Social Media. Cal. Educ. Code § 49073.6
● Federal: Individuals with Disabilities Education Act (IDEA) 20 U.S.C. § 1400
● Federal: National School Lunch Act (NSLA) 40 U.S.C. § 1758 (6)
● Federal: Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) 20 U.S.C. § 1092 (f)
● Federal: Other Regulations: Gainful Employment Rule 20 U.S.C. § 1002 and Electronic Communications Privacy Act (ECPA) 18 U.S.C § 2510-2522
● Federal: The Healthy, Hunger-Free Kids Act of 2010 (the Act), Public Law 111-296, amends statutory requirements for collection of Social Security Numbers in all Child Nutrition Programs.
● Federal: Education Sciences Reform Act (ESRA) 20 U.S.C §§ 9501-9584

Other California Student Information Regulations

● Digital Privacy Rights for Minors - Cal. Bus. & Prof. Code §§ 22580-22582.
● California SB 178, California Electronic Communications Privacy Act (CalECPA). Under CalECPA, no California government entity – including schools – can search phones or devices and no police officer can search online accounts without going to a judge, getting our consent, or showing it is an emergency. Title 12 of Part 2 of the Penal Code, relating to privacy.
● California AB 2097, Relating to Pupil Records SSN: modified section 5660 Education Code. The superintendent is required to assign a student identification number to individuals with exceptional needs for purposes of evaluating special education programs and related services. This bill prohibits school districts from collecting or soliciting social security numbers or the last 4 digits of social security numbers from pupils or their parents or guardians unless otherwise required to do so by state or federal law. This also authorizes the State Dept. of Education to additionally prohibit the collection and solicitation of other PII. Amends Section 56601 of, and adds Section 49076.7 to, the Cal. Educ. Code.
● California AB 2828, Data Breach. Personal information: privacy – It requires a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to the person whose information was breached. Cal. Civ. Code § 1798.82
● Cyber Sexual Bullying - Education Code § 234.2 and § 48900 (amended) (Cal. Educ. Code). This law adds cyber sexual bullying to the definition of an act of bullying for which a pupil may be suspended or expelled. The law also requires the California Department of Education to include information specifically about cyber sexual bullying on a dedicated website.
● Cyberbullying - Cal. Educ. Code § 32261.
This law defines bullying as one or more acts of sexual harassment, hate violence, or intentional harassment, threats, or intimidation, directed against school district personnel or pupils, committed by a pupil or group of pupils. Bullying, including bullying committed by means of an electronic act, as defined, including a post on a social network Internet Web site, is a ground on which suspension or expulsion may be based.

California Welfare and Institutions Code [WIC] § 58
DMH shall ensure and protect the privacy and confidentiality of all sources of client information in accordance with all applicable County, State and Federal laws, policies and procedures, including but not limited to: All information and records obtained in the course of providing services to voluntary and involuntary recipients of specified services, including mental health, community mental health, admissions and judicial commitments to mental institutions.

3. CONSUMER DATA

INFORMATION TYPE: General
● Federal: Section 5 of the Federal Trade Commission Act 15 U.S.C § 45
● California: California Consumer Privacy Act of 2018 (2020) * will become effective on January 1, 2020
● California: Disposal of Customer Records - California Civil Code sections 1798.80 - 1798.81 and 1798.84.

INFORMATION TYPE: Marketing
● Federal: Telecommunications Act 47 U.S.C. § 222
● California: Telemarketing: State do-not-call list - California Business and Professions Code §§ 17590-17594.
● Federal: Telephone Consumer Protection Act 47 U.S.C. § 227
● California: Robocalls - California Public Utilities Code §§ 2871-2876
● Federal: Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM Act) 15 USC § 7701 et seq.
● California: California Anti-Spam law. Cal. Bus. & Prof. Code § 17529.5
● California: Cellular Telephone Number Directory - California Public Utilities Code § 2891.1
● California: California Do-Not-Call Law. Cal. Bus. and Prof. Code §§ 1759-17594
● California: Unsolicited Cell Phone/Pager Text Act. Cal. Bus. and Prof. Code § 17538.41
● California: Marketing to State University Alumni. Cal. Educ. Code §§ 89090-89090.5; Cal. Educ. Code §§ 92630-92630.9

4. ONLINE PRIVACY

TYPE OF INFORMATION: Online Information
● Federal: Children's Online Privacy Protection Act (COPPA) 15 USC §§ 6501-6506
● California: Digital Privacy Rights for Minors - California Business and Professions Code §§ 22580-22582.

TYPE OF INFORMATION: In addition to online-specific privacy laws, organizations have to comply with other laws in the context of online services offering
● Federal: Electronic Communications Privacy Act (ECPA) 18 § 2510-3127. The attempts to use ECPA to regulate commercial entities using personal information primarily seek to use the Wiretap Act or the SCA
● California: Online Privacy Protection Act (CalOPPA) Cal. Bus. & Prof. Code § 22575 | California State Agencies are not covered by CalOPPA with respect to non-commercial websites but must comply with notice requirements under Cal. Gov. Code § 11015.5
● Federal: Computer Fraud and Abuse Act of 1984 - 18 U.S. Code section 1030.
● California: Consumer Protection Against Computer Spyware Act. Cal. Bus. and Prof. Code § 22947 and following.
● Federal: Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990 - 5 U.S. Code section 552a (a)(8)-(13), (e)(12), (o), (p), (q), (r), & (u)
● California: Medical Apps - Cal. Civ. Code § 56.06
● California: Anti-Phishing Act - Cal. Bus. & Prof. Code §§ 22948-22948.3.
● California: Personal Information Collected on Internet - Cal. Gov. Code § 11015.5.
● California: Reproductive Health Care, Online Privacy - Cal. Gov. Code §§ 6209.5, 6215.10, and 6215.12 and 6218 and following
● California: Cyber Exploitation - California Penal Code sections 502, 502.01, 647, 647.8, 786 and Civil Code § 1708.85
● California: Safe at Home. Cal. Gov. Code §§ 6206.5, 6206.7, 6208, 6209.5, 6215.3, 6215.4, 6215.7, 6215.10, 6208.1, 6208.2, 6215.12 and 6218.01

5. RECORDS

TYPE OF INFORMATION: Public Records
● Federal: Freedom of Information Act (FOIA) 5 USC 552 a
● California: California Public Records Act. California Government Code sections 6250-6268.
● California: Public Record Exemption for Sex Offense Victims - California Government Code § 6254 and California Penal Code section 293.
● Federal: Clinical Infrastructure Information Act (CIIA) 6 USC 131 et seq.
● California: California Welfare Records. California Welfare and Institutions Code § 10850
● California: Research Use of Personal Data. Cal. Civ. Code § 1798.24

TYPE OF INFORMATION: Privacy Rights in Gov. Records
● Federal: The Federal Privacy Act 5 USC § 552 a
● California: Cal Information Practices Act (IPA) Cal. Civ. Code § 1708 et seq.
● Federal: Computer Matching and Privacy Protection Act (CMPPA) 5 U.S.C § 552 a (o)

TYPE OF INFORMATION: DNA Databases
● Federal: DNA Identification Act 42 USC §§ 14131-14135

TYPE OF INFORMATION: Records of People detained for psychiatric evaluation
● California: California Welfare & Institutions Code § 5328

PRIVACY NETWORKS

Health, Education, Public Safety, and Research

Additional Resources:
● To find the full text of California laws, visit California Legislative Information
● Library of Congress, Database Laws and eResources
● California Office of the Attorney General, Privacy Laws
● California Data Breach Laws and Mandatory Reporting