Authorization to Share Confidential Member Information (ASCMI) and Data Sharing Authorization Guidance (DSAG) Toolkit All Comer Webinar Questions​​  

Consent and Privacy​​ 

1. What is a “Part 2 provider or Part 2 program”​​ 
• A “Part 2 provider or program” provides substance use disorder (SUD) services to people who need them. The term “Part 2” comes from the regulation called 42 C.F.R. Part 2 - Confidentiality of Substance Use Disorder Patient Records. There are two important things to know about Part 2 providers or programs. First, they must receive what is known as “federal assistance.” Federal assistance is money that comes from the federal government to help pay for Part 2 services or programs, which includes participation in Medi-Cal. Second, they must be able to help people get care if they have a substance use disorder. This usually means that the Part 2 provider or program advertises that they provide SUD services. Some providers and programs give SUD services, but are not a “Part 2 provider or program” This may be because they do not receive federal assistance. More information about SUD services and Part 2 providers or programs can be found here:​​ 
• California Department of Health Care Services:​​ 
• California Advancing and Innovating Medi-Cal (CalAIM) Data Sharing Authorization Guidance 2.1​​ 
• Տվյալների փոխանակման թույլտվության ուղեցույցի գործիքներ​​ 
• California Health and Human Services: State Health Information Guidance (SHIG) about Sharing Behavioral Health Information. 
  ​​ 
• Substance Abuse and Mental Health Services Administration (SAMHSA): Substance Use Confidentiality Regulations
  ​​ 
2. What does "provide Substance Use Disorder (SUD) services” mean?​​ 
• It means providing services to people who struggle with substance use, including alcohol. Services could include medical care, therapy, and other things that help people get better.​​  
3. When is client consent required to share protected health information (PHI)?​​ 
• In most cases, consent to share information is not needed to share health and social services information. But there are laws that tell us when someone’s consent is needed to share some of their personal information. One important law protecting health information is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA lets doctors and other people who provide care share information without someone’s consent in certain situations and for certain reasons. For example, a doctor or health plan can share someone’s information to make sure they get the care they need, and to coordinate care, without needing individual consent. Doctors and other health care professionals can also share information with insurance companies so they can get paid. Whenever they share information, they must always keep it safe and secure. Health information can also be shared for other reasons if the client, or sometimes their parent or guardian, gives written permission on a consent form.​​ 
• 42 C.F.R. Part 2 (sometimes called “Part 2”) is a set of federal regulations that protects the confidentiality of some types of substance use disorder (SUD) information. Part 2 rules do not apply to all SUD information, but only to information that has been collected by a Part 2 provider, or Part 2 program that would identify an individual as having or having had a SUD. For more information on Part 2 providers and programs, see Question 2 and the U.S Department of Health and Human Services’ (HHS) Fact Sheet 42 CFR Part 2 Final Rule. When Part 2 applies, it is often stricter than HIPAA because it does not allow information to be shared for treatment or care coordination purposes without a client’s consent. Part 2 also does not allow sharing of Part 2 information for payment purposes without consent. This means that Part 2 programs need their clients to provide written consent if they want to submit claims to their clients’ health insurers, including Medi-Cal.​​ 
• California Assembly Bill (AB) 133) was passed in 2021. It changes some state privacy laws so that information can be shared without a client’s permission to help coordinate care. This means that the Department of Health Care Services (DHCS) may allow data to be shared even if other California privacy laws don’t allow it, as long as Medi-Cal Partners follow federal law. They can share a client’s information to provide services, coordinate care, get paid for services, and improve the quality of care.​​ 
• DHCS guidance about state laws that are overridden by AB 133 can be found in the Data Sharing Authorization Guidance 2.1.​​ 
4. What Health Insurance Portability and Accountability Act (HIPAA) rules should be followed when sharing health data?​​ 
• Health care providers and health plans that are required to follow HIPAA rules can share protected health information (PHI) without asking the client first if it’s for treatment, payment, or help with care. But if they want to share it for things like advertising, they need the client’s permission. Other activities for which they can share protected health information (PHI) without permission include, but are not limited to, court or government actions.​​ 
• When sharing a client’s information, doctors and health plans must share the least amount of information needed because of HIPAA’s “minimum necessary” rule. This rule applies when doctors or plans are sharing a client’s information for purposes of obtaining payment for services they provided, or for coordinating care. It doesn’t apply to doctors when they’re sharing information for purposes of treatment.​​ 
• Doctors and health plans can share a client’s information with organizations that must follow HIPAA rules and with other organizations that don’t have to. When sharing information with an organization that is helping with payment or care and is not required to follow HIPAA rules, the organization must sign an agreement that requires them to follow HIPAA rules when handling a client’s information.​​  
• For example, a doctor might share PHI with another doctor to help treat a client. In this case, both doctors are required to follow HIPAA rules and no agreement is required. In another example, a health plan might share PHI with a housing group to help someone get care. In this case, the housing organization would need to sign an agreement to receive the person’s PHI.​​ 
5. What is the difference between consent for care coordination and consent for payment purposes?​​ 
• Consent for care coordination means a client gives their permission to share their health and/or social service information so their care team can work together and help provide them with timely services and referrals. Consent for payment purposes means a client gives permission to share their health and/or social service information so their care provider can get paid.​​ 
6. What is the Authorization to Share Confidential Member Information (ASCMI) Form?​​ 
• The ASCMI Form is a release of information form a doctor can use to request a client’s consent to share their information with providers that are also a part of their care team. A doctor, their office, or a health plan may need to exchange a client’s information to:​​ 
• Համակարգել նրանց խնամքը։​​ 
• Նրանց տրամադրել բժշկական, ատամնաբուժական, հոգեկան առողջության և թմրամոլության խանգարումների բուժման և ծառայությունների ծառայություններ։​​ 
• Obtain payment for treatment and services a doctor provides.​​ 
• Օգնեք նրանց կապել ծրագրերի, ծառայությունների և ռեսուրսների հետ։​​ 
• The Form complies with authorization form requirements under applicable federal and state data sharing laws (see Question 2 and Question 3) and details the types of information that require consent to share data.​​ 
7. How can someone take back their consent?​​ 
• The Department of Health Care Services (DHCS) made a form called the “Authorization to Share Confidential Member Information (ASCMI) Revocation Form.” Clients can fill out this Form if they want to take back their permission to share substance use disorder (SUD) information. If a client only wants to change some but not all of their choices, they should fill out a new ASCMI Form instead.​​ 
8. What are the best practices for storing and accessing consent forms?​​ 
• The Department of Health Care Services (DHCS) lets each organization decide how to store and access these forms. This means every organization can choose the way that works best for them, as long as they comply with state and federal laws and regulations that apply to their organization. When sharing 42 C.F.R. Part 2 substance use disorder (SUD) information, federal law requires the written consent or an explanation of the consent to be attached to the relevant records.​​ 
9. What kinds of organizations can use the Authorization to Share Confidential Member Information (ASCMI) Form?​​ 
• The ASCMI Form is used to authorize the sharing of certain types of sensitive information by those who maintain such data. The current ASCMI Form is primarily designed for use by 42 C.F.R. Part 2 providers, housing providers, and Justice Involved Reentry providers who are assisting clients with substance use disorders (SUDs) and/or housing needs.​​ 
• The Department of Health Care Services (DHCS) is in the process of creating the ASCMI Form 3.0 to help share important information like child welfare and conservatorship data, as well as information protected by the Family Educational Rights and Privacy Act (FERPA). This next version of the Form will expand the types of providers for whom the Form will be useful. DHCS will update the CalAIM ASCMI Initiative page when the ASCMI Form 3.0 is available.​​  
10. Can the Authorization to Share Confidential Member Information (ASCMI) Form be used to serve specific populations such as incarcerated youth? Could a tribal agency use the form?​​ 
• Yes. When an incarcerated youth has received substance use disorder (SUD) services from a 42 C.F.R. Part 2 provider, or needs help with housing upon reentry, the Form can be used to authorize the disclosure of SUD or previous housing information with providers who can help coordinate their continued care. Similarly, a tribal agency or housing providers delivering 42 C.F.R. Part 2 services could use the Form to obtain authorization for the release of SUD data with other care partners.​​  
11. How can data be shared between health and housing providers? What should people think about when sharing health data about Medi-Cal members in the Homeless Management Information System (HMIS)?​​ 
• A HMIS is a computer system used in local areas to keep track of people who need help with housing. It collects information about the help they get, like places to live and other services. Each community group (or, Continuum of Care), chooses a computer system that follows the rules from the United States Department of Housing and Urban Development to make sure the information is collected and shared in the right way.​​  
• Health providers can share information with housing providers to help someone get care or housing. They don’t always need written consent if the sharing is for treatment or care coordination (see Question 16 for more information on care coordination). This is allowed by a law called the Health Insurance Portability and Accountability Act (HIPAA), which protects people’s health information. More information about HIPAA can be found above (See Question 3). For more information about sharing data between health and housing providers, see the Data Sharing Authorization Guidance (DSAG) Medi-Cal Housing Support Services Toolkit.​​ 
• Information about HMIS data sharing rules can be found on page 14 of the Data Sharing Authorization Guidance (DSAG) Medi-Cal Housing Support Services Toolkit.​​ 
12. How can clients learn about privacy and understand how their data is used?​​ 
• The Department of Health Care Services (DHCS) has a set of frequently asked questions (FAQs) posted online to help clients and care partners understand how the Authorization to Share Confidential Member Information (ASCMI) Form is used to protect and consent to release sensitive information that has special protections under state and federal law:​​ 
• For Clients: This set of FAQs is for clients and explains what the Form is, why they may be asked to sign the form, and how their personal information might be shared if they choose to sign the form.​​ 
• For Care Partners: This set of FAQs is for providers and should be used to help them and their clients understand what the ASCMI Form is. This FAQ gives more information about how to use the Form, how to support the client in their completing the Form, and discusses data privacy considerations for different types of care partners and uses of the Form.​​ 
• DHCS intends to update the FAQs as new issues arise. DHCS also plans to work with care partners to make more materials that are easy for everyone to understand. This is to make sure clients give informed consent, which means they understand what they are agreeing to share and not to share.​​ 
13. What are the rules for sharing Human Immunodeficiency Virus (HIV) and reproductive health information for treatment?​​ 
• HIV Test Results: In California, under Assembly Bill (AB) 133, which was passed in 2021, providers who work with Medi-Cal can share certain health and social service information to help coordinate care and/or get paid for services. AB 133 overrides state laws that limit the ability to share health and social services information. Because of this, HIV test results can be shared more widely than what would be allowed under Health and Safety Code Section 120985 (including as amended by State Bill (SB) 278, passed in 2025). But they still have to follow the Health Insurance Portability and Accountability Act (HIPAA) regulations that protect health information.​​ 
• Reproductive health information: Some information can be shared for care coordination and payment purposes without consent. But AB 133 does not change laws that:​​ 
• Require or allow a client, including a patient who is a minor, to agree to treatment.​​ 
• Protect a minor’s privacy by limiting what can be shared with parents or guardians. For example, under Civil Code §56.107, a minor can ask that messages about reproductive health services not be shared with parents or guardians, even under AB 133.​​ 
14. What can Sheriff's Office staff and pre-release care managers do with health data?​​ 
• Assembly Bill (AB) 133 amended California Welfare and Institutions Code Section 14184.102(j) and says that Medi-Cal partners (like health care providers, counties, and health plans) can share protected health information (PHI) with each other if it helps with care and follows federal rules. This includes things like names, medical records, and other private details. Additionally, Penal Code 4011.11(h)(4)(B) says that the Department of Health Care Services (DHCS), counties, sheriffs, and probation officers must share the information needed to help clients sign up for Medi-Cal before they leave jail.​​ 
• More information about coverage of Justice-Involved individuals under AB 133 data-sharing provisions can be found in the Data Sharing Authorization Guidance 2.1​​ 
• More information about how data can be shared for things like Medi-Cal applications before someone is released from jail, or for care after they are released can be found here: Justice-Involved Reentry Initiative.​​  
15. When can an individual’s Client Index Number (CIN) be shared with doctors or care providers, and do you always need the individual’s permission first?​​ 
• A CIN, or medical record number, is the first nine characters of the identification number on a member’s Benefits Identification Card and is protected health information (PHI). Health plans, counties, and doctors often include this number when they share information to make sure it goes to the right person. Like other PHI, this number can be shared without asking for consent if it's being used to help with treatment, payment, or coordinating care.​​ 

Խնամքի համակարգում​​  


16. How is care coordination defined? Does it include housing services?​​ 
• Care coordination means helping someone get services (such as physical health, behavioral health, and social services) when and where they need them from all of their providers. Care coordination is about making sure all providers helping a client communicate with each other to provide their client with the services and referrals they need.​​ 
• Care coordination can also include other necessary services, such as housing. For example, through the California Advancing and Innovating Medi-Cal (CalAIM) initiative, care coordination includes housing services that can be available through Enhanced Care Management (ECM) and Community Supports. These services help people find housing, pay rent, or get help with housing deposits and require coordination between various providers to support their client.​​ 
17. What is the difference between “clinical staff” and “non-clinical staff” in jails or correctional settings?​​ 
• Clinical staff in jails and correctional facilities—like doctors, nurses, or mental health workers—are hired or contracted by the facility to provide health care and/or social services. They help with physical and mental health care inside the facility.​​ 
• Non-clinical staff are those that do not provide direct health care or social services—such as administrative staff.​​ 

Consent Management Platform Implementation & Integration​​ 

18. What is a Consent Management Platform (CMP)?​​ 
• The Department of Health Care Services (DHCS) is currently developing a consent management platform (CMP) to store and manage Authorization to Share Confidential Member Information (ASCMI) Forms. The goal of the CMP is to facilitate the collection, maintenance, and sharing client’s consent to share information preferences, minimizing the need for duplicate consent forms and streamlining data sharing processes across providers.​​