Section 130306.  

(a) The office shall perform the following functions:

(1) Standardizing the HIPAA implementation process used in all state entities, which includes the following:

(A) Developing a master plan and overall state strategy for HIPAA implementation that includes timeframes within which specified activities will be completed.

(B) Specifying tools, such as protocols for assessment and reporting, and any other tools as determined by the director for HIPAA implementation.

(C) Developing uniform policies on privacy, security, and other matters related to HIPAA that shall be adopted and implemented by all state entities. In developing these policies, the office shall consult with representatives from the private sector, state government, and other public entities affected by HIPAA.

(D) Providing an ongoing evaluation of HIPAA implementation in California and refining the plans, tools, and policies as required to effect implementation.

(E) Developing standards for the office to use in determining the extent of HIPAA compliance.

(2) Representing the State of California in HIPAA discussions with the federal Department of Health and Human Services and at the Workgroup for Electronic Data Interchange and other national and regional groups developing standards for HIPAA implementation, including those authorized by the federal Department of Health and Human Services to receive comments related to HIPAA. In preparing comments for submission to these entities, the office shall work in coordination with private and public entities to which the comments relate. The office may review and approve all comments related to HIPAA that state entities or representatives from the University of California, to the extent authorized by its Regents, propose for submission to the federal Department of Health and Human Services or any other body or organization.

(3) Monitoring the HIPAA implementation activities of state entities and requiring these entities to report on their implementation activities at times specified by the director using a format prescribed by the director. The office shall seek the cooperation of counties in monitoring HIPAA implementation in programs that are administered by county government.

(4) Providing state entities with technical assistance as the director deems necessary and appropriate to advance the state's implementation of HIPAA as required by the schedule adopted by the federal Department of Health and Human Services. This assistance shall also include sharing information obtained by the office relating to HIPAA.

(5) Providing the Department of Finance with recommendations on HIPAA implementation expenditures, including proposals submitted by state entities and a recommendation on the amount to be appropriated for allocation by the Department of Finance to entities implementing HIPAA.

(6) Conducting a periodic assessment at least once every three years to determine whether staff positions established in the office and in other state entities to perform HIPAA compliance activities continue to be necessary or whether additional staff positions are required to complete these activities.

(7) Reviewing and approving contracts relating to HIPAA to which a state entity is a party prior to the contract's effective date.

(8) Reviewing and approving all HIPAA legislation proposed by state entities, other than state control agencies, prior to the proposal's review by any other entity and reviewing all analyses and positions, other than those prepared by state control agencies, on HIPAA related legislation being considered by either Congress or the Legislature.

(9) Ensuring state departments claim federal funding for those activities that qualify under federal funding criteria.

(10) Establishing a Web site that is accessible to the public to provide information in a consistent and accessible format concerning state HIPAA implementation activities, timeframes for completing those activities, HIPAA implementation requirements that have been met, and the promulgation of federal regulations pertaining to HIPAA implementation. The office shall update this Web site quarterly.

(b) In performing these functions, the office shall coordinate its activities with the State Office of Privacy Protection.