(a) Demonstration Project Participants shall adhere to the following principles of fair information practices:
(1) Openness -- There should be a general policy of openness among entities that participate in electronic health information exchange about developments, practices, and policies with respect to individual health information.
(2) Individual Health Information Quality -- Health information shall be relevant, accurate, complete, and kept up-to-date.
(3) Individual Participation -- Individuals or their personal representatives have the right to:
(A) Ascertain the person responsible for individual health information for an entity, obtain confirmation of whether the entity has specific individual health information relating to the individual, and obtain its location.
(B) Receive their individual health information in a reasonable time and manner, at a reasonable charge, and in a format that is generally accessible by individuals.
(C) Challenge the accuracy of their individual health information and, if successful, to have the individual health information corrected, completed, or amended.
(D) Control the access, use, or disclosure of their individual health information, unless otherwise specified by law or regulation.
(4) Collection Limitation -- There shall be limits to the collection of individual health information. Individual health information shall be obtained by lawful and fair means. Where appropriate, it shall be obtained with the knowledge or consent of the individual or their personal representative. The specific purposes for which individual health information is collected shall be specified not later than at the time of collection.
(5) Individual Health Information Limitation -- Use and disclosure of individual health information shall be limited to the specified purpose. Certain use and disclosure shall require consent.
(6) Purpose Limitation -- Individual health information shall be relevant to the purpose for which it is to be used and, limited to the minimum information necessary for the specified purpose. The subsequent use shall be limited to the specified purpose.
(7) De-Identified Information -- De-identified individual health information shall not be re-identified unless specified in law. If de-identified individual health information is re-identified, it shall be subject to these principles. De-identified individual health information shall not be disclosed if there is a reasonable basis to believe that the information can be used to identify an individual.
(8) Security Safeguards -- Individual health information should be protected by appropriate security safeguards against such risks as loss or destruction, unauthorized access, use, modification or disclosure of data.
(9) Accountability -- An entity shall comply with laws, regulations, standards and organizational policies for the protection, retention and destruction of individual health information. Any person who has access to individual health information shall comply with those provisions.
Credits
Note: Authority cited: Sections 130277 and 130278, Health and Safety Code. Reference: Sections 130200, 130277 and 130279, Health and Safety Code.
History
1. New section filed 1-31-2012; operative 1-31-2012. Exempt from the rulemaking requirements of the Administrative Procedure Act and submitted to OAL for printing only pursuant to Health and Safety Code section 130278 (Register 2012, No. 5).
This database is current through 4/26/24 Register 2024, No. 17.
