13. Appendix A: Legal Framework

The overarching legal framework for the CalHHS Data De-Identification Guidelines (DDG) is the California Information Practices Act, California Civil Code 1798 et seq., which was established in 1977 and applies to all state government entities. The IPA includes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual. The IPA and other California statutes limit the disclosure of personal information, consistent with the California Constitutional right to privacy. However, state agencies are generally permitted (and sometimes required under the California Public Records Act and other laws) to disclose data that have been de-identified. Summarized or aggregated data may still be identifiable; the DDG provides Guidelines for assessing whether data have been de-identified.

While most state agencies are covered by the IPA, some are also covered by or impacted by HIPAA. Unlike the IPA, which applies to all personal information, HIPAA only applies to certain health or health care-related information. HIPAA requirements apply in combination with IPA requirements. While the IPA does not include specific de-identification methods or criteria, the basic concept of statistical de-identification has no different meaning, and the basic standard of protection of identifiable data is no different for IPA covered PI than for HIPAA covered PHI.

“Personal Information” is defined by the California Civil Code section 1798.3(a) as “any information that is maintained by an agency that identifies or describes an individual, including, but not limited to:

  • his or her name,

  • social security number,

  • physical description,

  • home address,

  • home telephone number,

  • education,

  • financial matters, and

  • medical or employment history.

It includes statements made by, or attributed to, the individual.”

Under Section 1798.24 of the IPA, “An agency shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains,” unless it is disclosed as described in Section 1798.24.

Senate Bill 13 updated the IPA, effective January 1, 2006, to require Committee for the Protection of Human Subjects (CPHS) review and approval before personal information (linkable to any individual) that is held by any state agency or department can be released for research purposes. CPHS does not delegate reviews for compliance with the IPA to other institutional review boards. (https://www.cdii.ca.gov/committees-and-advisory-groups/committee-for-the-protection-of-human-subjects-cphs/)

A.1 California Laws Governing the Collection and Release of Confidential, Personal, or Sensitive Information

General State Collected Information and Data

  • Civil Code 1798.24, 1798.24a, 1798.24b (all personal information including health data)

  • Government Code 11015.5 (electronically collected personal information)

General Medical Data

  • Civil Code 56.10 – 56.11

  • Civil Code 56.13

  • Civil Code 56.29

  • Health & Safety Code 128730

  • Health & Safety Code 128735

  • Health & Safety Code 128736

  • Health & Safety Code 128737

  • Health & Safety Code 128745

  • Health & Safety Code 128766

Birth Defects

  • Health & Safety Code 103850

Blood Lead Analysis

  • Health & Safety Code 124130

Cancer

  • Health & Safety Code 103875

  • Health & Safety Code 103885

  • Health & Safety Code 104315

Child Health Information

  • Health & Safety Code 130140.1

Child Health Screening

  • Health & Safety Code 124110

  • Health & Safety Code 124991

Cholinesterase Testing

  • Health & Safety Code 105206

Developmentally Disabled

  • Health & Safety Code 416.18

  • Health & Safety Code 416.8

  • Welfare & Institutions Code 4514, 4514.3, 4514.5

  • Welfare & Institutions Code 4517 (aggregation and publication of data)

  • Welfare & Institutions Code 4659.22

  • Welfare & Institutions Code 4744

Environmental Health Hazards

  • Health & Safety Code 59016

General Public Health Records

  • Health & Safety Code 100330

  • Health & Safety Code 121035

Genetic Information

  • Health & Safety Code 124975

  • Health & Safety Code 124980

  • Health & Safety Code 125105 (prenatal test)

  • Civil Code 56.17

HIV/AIDS

  • Health & Safety Code 120820

  • Health & Safety Code 120962

  • Health & Safety Code 120970

  • Health & Safety Code 120972

  • Health & Safety Code 120975

  • Health & Safety Code 120980

  • Health & Safety Code 121010

  • Health & Safety Code 121022

  • Health & Safety Code 121023

  • Health & Safety Code 121025

  • Health & Safety Code 121075

  • Health & Safety Code 121080

  • Health & Safety Code 121085

  • Health & Safety Code 121090

  • Health & Safety Code 121095

  • Health & Safety Code 121110

  • Health & Safety Code 121120

  • Health & Safety Code 121125

  • Health & Safety Code 121280

  • Revenue & Taxation Code 19548.2

Immunizations

  • Health & Safety Code 120440

Independent Medical Review

  • Health & Safety Code 1374.33

Involuntary Mental Health (LPS covered records)

  • Welfare & Institutions Code 4135

  • Welfare & Institutions Code 5328 through 5328.9

  • Welfare & Institutions Code 5329 (aggregation and publication of data)

  • Welfare & Institutions Code 5540

  • Welfare & Institutions Code 5610

  • Education Code 56863

Medi-Cal Data

  • Welfare & Institutions Code 14015.8

  • Welfare & Institutions Code 14100.2

  • Welfare & Institutions Code 14101.5

Neurological

  • Health & Safety Code 103871

Parkinson’s Disease Registry

  • Health & Safety Code 103865

Payment and Billing Info

  • Health & Safety Code 440.40 (applies only to GACHs)

Prenatal Tests

  • Health & Safety Code 120705

  • Health & Safety Code 125105

Public Assistance

  • Welfare & Institutions Code 10850 (Confidential Information)

Public Social Services

  • Welfare & Institutions Code 10850

Substance Abuse Treatment Data

  • Health & Safety Code 11845.5

  • Health & Safety Code 11812

Vital Records

  • Health & Safety Code 102425

  • Health & Safety Code 102426

  • Health & Safety Code 102430

  • Health & Safety Code 102455

  • Health & Safety Code 102460

  • Health & Safety Code 102465

  • Health & Safety Code 102475

  • Health & Safety Code 103025

A.2 Federal Laws Governing Public Data Release

  • HIPAA - Section 164.514 of the HIPAA Privacy Rule (45 CFR)

  • 42 CFR Part 2

  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)

  • Freedom of Information Act (FOIA) (5 U.S.C. § 552)
