(a) The center shall assume statewide leadership, coordination, policy formulation, direction, and oversight responsibilities for compliance with state and federal health information privacy laws, including, but not limited to, the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), the Information Practices Act of 1977 (Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code), the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), and the federal Health Information Technology for Economic and Clinical Health Act (Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5)), and implementing regulations. The center shall exercise full authority relative to state entities to establish policy, provide direction to state entities, provide guidance on data sharing, monitor progress, and report on compliance activities.

(b) Beginning January 1, 2022, the center shall complete an independent security assessment as described in § 11549.3 of the Government Code at least once every three years and, consistent with subdivision (d) of that section, submit any resulting report and recommendations to the Office of Emergency Services.

(c) All state entities subject to HIPAA shall complete an assessment, in a form specified by the center, to determine the impact of HIPAA on their operations. All state entities shall cooperate with the center to determine whether the state entity is subject to HIPAA, including, but not limited to, providing a completed assessment, as prescribed by the center.

(d) All state entities shall cooperate with the efforts of the center to monitor HIPAA and health information privacy compliance activities and to obtain information on these activities. Information obtained about these activities shall not include personal information, as defined in subdivision (a) of § 1798.3 of the Civil Code.

(e) All state entities affected by HIPAA shall comply with the decisions of the director in achieving compliance with HIPAA and other health information privacy laws, including whether a state entity is subject to HIPAA and other state and federal health information privacy requirements.

(f) (1) The center shall assume statewide leadership, coordination, direction, and oversight responsibilities for determining which provisions of state law concerning health information are preempted by HIPAA, or are more protective of individually identifiable health information, pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations. State entities impacted by HIPAA shall, at the direction of the center, do both of the following:

(i) Assist in determining which state laws concerning personal medical information are preempted by HIPAA.

(ii) Conform to all determinations made by the center concerning HIPAA preemption issues.

(2) If the center determines that a state law is preempted by HIPAA, the center shall provide the determination and a recommendation for a solution to the Secretary of California Health and Human Services.

(g) State entities are responsible for ensuring compliance with state and federal health information privacy laws, including, but not limited to, HIPAA. To the extent that funds are appropriated in the annual Budget Act, the center shall do all of the following to assist state entities in complying with health information requirements:

(1) Develop uniform policies on privacy, patient rights, and other matters related to health information requirements that shall be adopted and implemented by all state entities. In developing these policies, the center shall consult with representatives from the private sector, state government, and other public entities, including at least two consumer representatives, at least one of whom shall have expertise in privacy and security of health information.

(2) Specify training and tools, such as protocols for assessment and reporting and any other tools determined by the director, for compliance with health information requirements.

(3) Develop statewide guidance on health information sharing to support integrated health care and social services, including guidance on state and federal health information privacy laws, regulations, and policies. In developing this guidance, the center shall consult with representatives from the private sector, state government, and other public entities relevant to the provision of health care and social services, including privacy advocates, patient rights representatives, and county administrators of health and human services programs and their association representatives.

(4) Represent the State of California in discussions on health data sharing, data interoperability, HIPAA, and substance use disorder information requirements contained in Part 2 of Title 42 of the Code of Federal Regulations with the federal Department of Health and Human Services. The center may review and approve all comments related to data sharing, data interoperability, HIPAA, and substance use disorder information requirements contained in Part 2 of Title 42 of the Code of Federal Regulations that state entities propose for submission to the federal Department of Health and Human Services or any other body or organization.

(5) Coordinate and communicate with other affected entities, including, but not limited to, the Department of Technology and State Chief Data Officer.

(6) Monitor the compliance activities of state entities with state and federal health information requirements and require these entities to report on their activities at times specified by the director, using a format prescribed by the director.

(7) Develop standards for the center’s use in determining the extent of compliance with health information requirements.

(8) Provide technical assistance to state entities on information sharing and compliance with state and federal health information privacy requirements.

(h) (1) (A) Beginning March 1, 2022, and annually thereafter, the center shall provide to the Legislature, and post on its internet website, a written update that outlines its major endeavors, including the challenges encountered, the milestones achieved toward meeting set objectives to achieve a person-centered approach in health and human services, and the data collection and sharing practices employed by the center during the preceding year.

(B) An update to be submitted to the Legislature pursuant to subparagraph (A) shall be submitted in compliance with § 9795 of the Government Code.

(2) Upon the issuance of the update pursuant to subparagraph (A), the center shall meet with legislative staff representing the health and human services fiscal and policy areas to report on efforts for health and human services to become more person-centered in service delivery. The center shall provide updates on specific major programs serving or attempting to serve populations that are by definition considered underserved and vulnerable, including populations living in poverty and deep poverty, and who may lack access or face limitations due to age, disability, functional impairment, educational level, adverse childhood experiences, and cultural and linguistic challenges. This meeting shall occur through virtual or in-person meetings.

(Added by Stats. 2021, Ch. 696, Sec. 11. (AB 172) Effective October 8, 2021.)