For a quick cheatsheet on how to remain in compliance with both Federal (HIPAA) and State privacy breach reporting laws, please see the regulatory crosswalk listed below in the Resources section.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996, and became effective July 1, 1997. HIPAA provides standards for electronic transaction and code sets, security, identifiers, and individually identifiable health information. This helps resolve issues with billing and claims processing, inconsistent transactions and codes, confusing forms and formats, vulnerability of individuals’ medical records and other personal health information to violators, improper disclosures, and unreliable safeguards.



Aside from being part of the law, healthcare providers and payers should comply with HIPAA as it is crucial in protecting client health information and in maintaining the trust and confidence of providers, payers and patients in the healthcare and public health systems.


Entities Affected by HIPAA

The law applies directly to three groups referred to as “covered entities”:

Health Care Providers – any provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted.

Health Plans – any individual or group plan that provides or pays the cost of health care.

Health Care Clearinghouses – a public or private entity that transforms health care transactions from one format to another.

HIPAA also indirectly affects other entities in the health care field, which may need to change their business operations if they are trading partners or business associates of a covered entity. This includes software billing vendors and third-party billing services that do not qualify as clearinghouses or other covered entities.


Four Parts to HIPAA's Administrative Simplification

  1. Transactions and Code Sets Standard
  2. Privacy Standard
    Click here to view an extensive fact sheet that includes case scenarios by the U.S. Department of Health and Human Services-National Institutes of Health on the application of HIPAA to the Privacy Requirements.
  3. Security Standard
    Click here to view the final rule adopting the HIPAA standards for the security of electronic health information.
  4. National Provider Identifier Standard
    Click here to view the final rule adopting the HIPAA standards for the unique health identifier for health care providers.



California and Federal Privacy Breach Reporting - Regulatory Crosswalk: coming soon. 6/9/15

Public HIPAA Security Rule Toolkit

California Releases the First-Of-Its-Kind Public HIPAA Security Rule Toolkit
 Providing California an online resource to conduct a basic risk assessment
SACRAMENTO - The California Health and Human Services Agency’s (CHHS), Office of Health Information Integrity (CalOHII) today announced the release of its Health Insurance Portability and Accountability Act (HIPAA) Security Rule Toolkit. The online toolkit will provide aid to organizations in California to help them better understand the requirements of the HIPAA Security Rule, and assist organizations in implementing HIPAA requirements. The online toolkit can be accessed on the CalOHII website: http://ohii.ca.gov/calohi/.

Centers of Medicaid and Medicare Services (CMS)

The CMS website has an entire section dedicated to HIPAA. The information here focuses on how health centers can implement the changes to their systems and business processes as they try to embrace the national standards for electronic health care transactions and national identifiers for providers, health plans and employers as well as the security and privacy of health data in relation to Medicare and Medicaid.

California Office of Health Information Integrity (CalOHII)
The CalOHII website provides tools and resources about HIPAA in relation to existing California regulations. This is the best site to learn more about the integration of HIPAA with the state regulations. CalOHII was formerly called the California Office of HIPAA Implementation.

HIPAA Case Scenarios

Two documents, “Understanding the HIPAA Privacy and Security Rule” by the American Health Information Management Association (AHIMA) and “An Overview of Expectations, Roles & Responsibilities” by CSI Solutions, enumerate common HIPAA scenarios that health care centers might face.



CPCA Staff Contact

For more information, please contact Emily Shipman, Senior Program Coordinator of Health Center Operations, at eshipman@cpca.org.
