Welf. & Inst. Code 5778(b)(5)(B) (1994; amended by A.B.1780, 2008)
The Department of Mental Health may contract with an independent, nongovernmental entity to conduct client record reviews. The entity must comply with all federal and state privacy laws, including the federal Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, and Section 1798.81.5 of the Civil Code [businesses that own or license personal information about Californians must provide reasonable security for that information]. The entity shall be subject to existing penalties for violation of these laws. The entity cannot use, sell, or disclose client records for a purpose other than the one for which the record was given. “Client record” means a medical record, chart, or similar file.