Your Claim is Confidential
All VCP claims and related documents, including medical information and records, are highly confidential. Except as otherwise required by California law, the VCP may only disclose a victim or applicant's information with his/her written permission. This confidentiality applies to all material in a victim compensation claim file, whether it is the paper file or the claimant’s “file” in CaRES. Staff are prohibited from disclosing any personal information about a claimant or crime victim.
The Information Release signed by the applicant allows staff to share information with entities such as government agencies or medical, dental, mental health, and funeral providers. However, staff may only disclose information to those entities for the purpose of assisting a claimant or reviewing a claim. Staff may receive information about a claim from any person or agency, including providers and insurance companies.
The VCP may publicly disclose information about its activities in general, including summary data, such as the information contained in the annual report or posted on the Board’s website.
The Victim Compensation Program and HIPAA
Overview
California law (Government Code §13954(a)) gives the Victim Compensation Program (CalVCP) the authority to request and receive patient medical information. The disclosure rules of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that prohibit providers from disclosing patient information do not apply this to CalVCP.
Providers do not need to obtain a patient release when sending patient medical information to CalVCP. CalVCP uses patient medical information to determine compensation. Compensation can be significantly delayed by lack of or incomplete patient information.
All CalVCP claims and related documents, including medical information and records, are highly confidential. Except as otherwise required by California law, CalVCP only discloses a victim or applicant's information with their written permission.
What is HIPAA?
Recognizing the need for minimum national healthcare privacy standards to protect the confidentiality of healthcare information, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. [1]
HIPAA required the adoption of federal privacy protections for individually identifiable health information. The Federal Department of Health and Human Services adopted regulations, commonly referred to as the "Privacy Rule," which required compliance by most "covered entities" by April 14, 2003. The regulations can be found at 45 Code of Federal Regulations parts 160.103 and 164. [2]
The California Victim Compensation Program and HIPAA disclosure rules:
The California Office of Health Information and Integrity (CalOHii) has ruled that the California Victim Compensation Program's authority to receive patient medical information is not preempted by HIPAA. CalVCP has very clear statutory authority to request and receive patient medical information (Government Code §13954(a)). While HIPAA preempts state law, the statutes governing CalVCP remain intact. [3]
- CalVCP has the final, official opinion from CalOHii's State Office of HIPAA Implementation. Any state law determined by CalOHii to be preempted is no longer applicable to the extent of the preemption (See Sen. Bill No. 456 (2001-2002 Reg. Sess.); and Sen. Bill No. 1914 (2001-2002 Reg. Sess.)). The California Legislature has given the CalOHii the authority to determine which state laws are preempted by HIPAA. CalOHii is within the California Health and Human Services Agency and is generally responsible for insuring state agency compliance with HIPAA. [4]
Questions?
For questions about the CalVCP and HIPAA, please e-mail the Victim Compensation and Government Claims Board.
References:
1. United States Department of Health & Human Services Office of Civil Rights -HIPAA
2. United States Department of Health & Human Services Office for Civil Rights - Code of Federal Regulations
3. California Government Code Section 13954(a)
4. California Office of HIPAA Implementation. (2002) Report to the Legislature: Statewide HIPAA Assessment (p.134).