California State Laws
California Welfare and Institutions Code
14100.2. (a) “All types of information, whether written or oral, concerning a person, made or kept by any public officer or agency in the connection with the administration of any provision of this chapter…and for which a grant-in-aid is received by this state form the United States government pursuant to Title XIX of the Social Security Act shall be confidential, and shall not be open to examination other than for purposes directly connected with the administration of the Medi-Cal program….”
14100.2 (c) “Purposed directly connected with the administration of the Medi-Cal program….encompass those administrative activities and responsibilities in which the State Department of Health Care Services and its agents are required to engage to insure effective program operations. These activities include, but are not limited to: establishing eligibility and methods of reimbursement; determining the amount of medical assistance; providing services for recipients; conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of the Medi-Cal program; and conducting or assisting a legislative investigation or audit related to the administration of the Medi-Cal program.”
14100 (f) “The State Department of Health Care Services may make rules and regulations governing the custody, use and preservation of all records, papers, files, and communications pertaining to the administration of the laws relating to the Medi-Cal program….The rules and regulations shall be binding on all departments, officials, and employees of the state and may provide for giving information to or exchanging information with agencies, public or political subdivision of the state, and may provide for giving information to or exchanging information with agencies, public or private, which are engaged in planning, providing or securing such services for or in behalf of recipients; and for making case records available for research purposes, provided, that that research will not result in the disclosure of the identify of the applicants for or recipient of those services.”
California Civil Code (Information Practices Act)
1798.24. “No agency may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:”
"(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency."
“(t) (1) To the University of California or a nonprofit educational institution conducting scientific research, provided the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHS). The CPHS approval required under this subdivision shallinclude a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(3) Reasonable costs to the agency associated with the agency's process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency's costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision are satisfied.”