Confidentiality of Medical Information

  • Issue Date: August 2007
  • Revision Date: April 2010
  • Expiration Date: N/A

  1. Policy Statement

    It is the policy of California State University, Long Beach to ensure the confidentiality of all medical information maintained by any University or auxiliary organization providers of health care and to protect that information from unauthorized use and disclosure.


    1. PURPOSE

The purpose of this policy is to provide information concerning the legal requirements for confidentiality and security of medical information. The legal requirements are designed to:

      • Ensure the confidentiality, integrity, and availability of medical information;
      • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
      • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted; and
      • Ensure compliance with governing law and policy.
    2. SCOPE

This policy applies to all entities of the University or auxiliary organization that provide health care or maintain employee, student or patient medical records. Entities may include, but are not limited to, Department of Athletics, Disabled Student Services, Safety and Risk Management, University Police, Department of Kinesiology, Kinesiotherapy Clinic, Dance Department, Speech-Language and Hearing Clinic, Staff Human Resources, and Academic Personnel.


      Terms used in this Policy are defined in Appendix A.


    Each health care facility shall implement a written policy for the control of access to the facility which addresses the following:

    1. Keys and/or access cards to the facility shall be issued only to personnel approved by the health care facility director or to campus custodial service personnel. The facility director shall review the control lists of key holders and/or access cardholders annually;
    2. Access to the health care facility during the hours the facility is closed shall be limited to personnel authorized by the health facility director; and
    3. Provisions permitting employees who are not health care facility staff continuing access to the facility, provided that medical records, medications, and equipment are maintained in locked rooms and/or health facility staff are on duty. Authorization for such access shall be provided by the health care facility director.

    Confidentiality of all medical information shall be maintained in accordance with the Information Practices Act, the Confidentiality of Medical Information Act, and CSU policy.

    The following standards and controls shall be implemented and maintained in all areas where medical records are located:

    1. Only persons authorized by the health care facility director may gain access;
    2. The medical record shall document any consent to treat, all exams, diagnoses, services, and follow-up, indicating the date, name of patient, name of the service provider(s), and description of the service. The provider of the service shall sign the record;
    3. When not in use, medical records shall be stored in either locked files or in a locked room;
    4. Access to keys to medical files and/or record room shall be limited to those university employees authorized by the health facility’s director to have such access; and
    5. To ensure that medical records are filed, stored, and utilized in a manner that provides maximum confidentiality, each health care facility shall review biennially its record management procedures.

    Electronic data back-up of medical information should be maintained in off-site locations.


    No health care facility employee or agent shall use, disclose or knowingly permit the use or disclosure of medical information without the patient having first signed an authorization, unless the disclosure is specifically compelled by any of the following:

    • Court Order
    • Subpoena
    • Search Warrant
    • The Patient or the Patient’s Representative
    • Coroner Request
    • Other Circumstances Required by Law

    The health care provider shall consult the University Information Security Officer before releasing medical information that does not require the patient's authorization.


    Any person or entity that wishes to obtain medical information, other than a person or entity authorized to receive medical information, shall obtain a valid authorization for the release of information. An authorization for the release of medical information by a provider of health care shall be valid if it:

    1. Is handwritten by the person who signs it or is in a typeface no smaller than 14-point type;
    2. Is clearly separate from any other language present on the same page and is executed by a signature that serves no other purpose than to execute the authorization; and
    3. Is signed and dated by one of the following:
      1. The patient
      2. The legal representative of the patient, if the patient is a minor or an incompetent
      3. The beneficiary or personal representative of a deceased patient
      4. The spouse of the patient or the person financially responsible for the patient under specific conditions

    Records shall be maintained in accordance with the CSU Record Retention Schedules. Disposition of records shall comply with the CSULB Media Sanitation Standard.


    This document is a guide and does not purport to be a complete or comprehensive articulation of the governing laws and policies, nor is it intended to be a substitute for legal advice.


Information Security Office


Approved by President Alexander

Signature President Alexander

August 2007

Appendix A – Definitions

Authorization: Means permission granted in accordance with Section 56.11 or 56.21 of the CA Civil Code for the disclosure of medical information.

Authorized Recipient: Means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20 of the CA Civil Code.

Disclose: Means to release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.

Medical Information: Means any individually identifiable information, in any form or media, whether electronic, paper, or oral, in possession of or derived from a provider of health care regarding a patient’s medical history, mental or physical condition or treatment, or past, present, or future payment for the provision of health care to the individual.

Patient: Means any natural person, whether or not still living, who received medical care services from a provider of health care and to whom medical information pertains.

Provider of Health Care: Means an individual or entity providing medical or health services.