Information Practices Act(IPA)

An agency that collects personal information, including electronically, must maintain the source(s) in accessible form to the data subject unless the source is the data subject or she or he has received a copy of the source document.

An agency that collects personal information, including electronically, must maintain the source(s) in accessible form to the data subject unless the source is the data subject that has received a copy.

Agencies shall maintain records with accuracy, relevance, timeliness, and completeness to the maximum extent possible when records are used to make a determination about the individual. When records are transferred outside of state government, the agency shall update, correct, withhold, or delete any inaccurate or untimely portion of the record.

Agencies must establish rules for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information. Agencies must instruct persons involved as to the established rules and the requirements of this chapter.

Each agency shall establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with the IPA, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to security.

Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.

The Department of Justice shall review all personal information maintained by an agency to determine whether it should still be exempt from access.

Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made, or until the record is destroyed, whichever is shorter.

Each agency. . .shall inform any person or agency to whom a record containing personal information has been disclosed during the preceding three years of any correction of an error or notation of dispute if . . . an accounting is required under section 1798.25 (among other conditions)

This section defines "personal information" which includes medical information and health insurance information. Defines "medical information" as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. The provision defines "health insurance information" as any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.