HIPAA Privacy Rule Information and Recommended Links
The Health Insurance Portability and Accountability Act (HIPAA) privacy rules that were implemented on April 14, 2003, created new restrictions on the types of entities that may receive personal medical data and on the purposes for which the data may be used. A summary of the HIPAA privacy rules for researchers, "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule", can be found at the web site for the US Department of Health and Human Services, Office of Civil Rights, along with other information and links pertaining to the new rules.
MCSS has prepared a document, "HIPAA Claims & MEDS Files Variable Checklists" (Adobe Acrobat format), that lists variables from the DHS paid claims and eligibility files that are available to researchers and illustrates how those variables fall into the three different levels of data described in the HIPAA privacy rules.
In brief, there are three categories of data sets described in the HIPAA Privacy Rule regulations (45 CFR, Parts 160, 162 and 164). These categories are De-Identified, Limited and Fully Identified. There are no restrictions for releasing De-Identified data sets. Anyone may request and receive De-Identified data sets.
Limited and Fully Identified data sets may be disclosed only for the purposes of research, public health, or standard health care operations (please see the HIPAA regulations for details). Research is defined in the Privacy Rule as, "a systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." The intent to disseminate findings outside of the requestor's organization or industry is an essential condition for generalizability. Research should not be confused with healthcare operations such as quality assurance, marketing or other internal operations. In addition, Department regulations require that data released for research purposes must directly relate to the administration of Medi-Cal.
Release of data in Limited and Fully Identified data sets is restricted to the minimum necessary to achieve the stated goals of the requesting entity.
Release of Limited and Fully Identified data sets will require legal approval from the California Department of Health Services (DHS) and approval of the DHS Committee for The Protection of Human Subjects.