Digital Access to Health Information

Requesting Digital Access to Your Health Records and/or the ACBHD Provider Directory

Per federal and State of California requirements, a set of Application Programming Interfaces (APIs) has been made available for digital access to your medical records and the ACBHD Provider Directory. These include:

  • Provider Directory API: An HL7 FHIR API for accessing an up-to-date list of available behavioral health providers in our system.
  • Patient Access API: An HL7 FHIR API for accessing specific patient records maintained by ACBHD.

Using these systems requires technical capability and knowledge of how a RESTful API works, but they are made freely available to those who have the knowledge and proficiency to use them.

Information for Members

You can still access the Provider Directory on the ACBHD website to search for behavioral health providers. You can also still request that a copy of your health records maintained by ACBHD be sent to you or a third party by using the instructions on the Health Records Request page of this website.

If you decide that you want to be able to see the ACBHD Provider Directory and/or your personal health records using your digital device (e.g. smart phone), you will first need to select a third-party application to connect to the system. Once connected, you will have access to your health records for service dates on or after January 1, 2016.

An activation code is required to view patient records digitally via the Patient Access API. To obtain an activation code, please contact the clinic where you received services and ask your provider for your activation code. This activation code will be used during registration.

The United States Core Data for Interoperability (USCDI) standards require that specific information be available for digital access. For mental health and substance use disorder services, these may include medications, assessments, consultation notes, discharge summary notes, progress notes, problems, and goals.

To read more about the USCDI standards, please click here.

For information regarding record restrictions and requests to amend or correct your records, click here.

Selecting a third-party application for digital access to health records

Not all third-party applications which can access your records are created equally. Some of them may request access to your private health information so they can use it for their own purposes, and some may not be careful with your private information and distribute it to secondary companies without your knowledge.

You should do some basic research on any application that you select to access your private health information. Consider the following questions:

  1. Does the application have a good rating?
  2. Does the application have a well-made website that looks legitimate?
  3. Does the application reference a clear privacy policy?
  4. Does the application come from a reputable company (Apple, Samsung, etc.)?

If you find that the answers to these questions are “no”, then it is probably not safe to use that application.

If you know of a third-party application that you would like to use, please notify HCSASupport@acgov.org.

Protecting your health records

How to Protect Your Health Records

Soon you will be able to view your health records using common technologies such as a computer, smart tablet or mobile device. This document provides you with some basic safeguards to protect your health information.

Protecting Your Personal Information:

  • Never give out your personal information online or over the phone unless you contacted the company and are sure about the business or person’s identity.
  • Never agree to anything without researching the facts.
  • If someone contacts you about an account that needs to be confirmed, contact the company’s customer service directly to check if the e-mail or phone call is legitimate.
  • Never share passwords, credentials
  • Do not write sensitive information on a piece of paper or notepad that can be easily seen.
  • Create strong passwords.
  • Use unique usernames for your family members.
  • Set up multi-factor authentication (MFA) to secure your accounts.
  • Secure paper files shared with clinicians, health care providers

Creating Strong Passwords

  • Choose a password that is at least 8 characters.
  • Do not pick a word from the dictionary.
  • Avoid repetition, common sequences of numbers and letters (such as keyboard rows), usernames, proper names, birth dates, addresses, parts of Social Security numbers, or anything others might know, discover, or guess.
  • Include letters and numbers, and preferably symbols (such as !, @, #, $, %, &) in passwords. Use both capital and lowercase letters if you can.
  • Avoid using the same password for multiple sites or purposes. Do not re-use old passwords.
  • If you have reason to believe that someone else had access to your password, then change your password.
  • Once you have a strong password, don’t share it with anyone and don’t write it down where it might be seen by others.
  • Never send your password or any private account information over email.
  • Change your passwords regularly, at least once a year.

Keeping your computer secure

  • Update your computer operating system and browser software to the manufacturer’s current recommendations. You can usually get patches over the Web and alerts about new ones from the manufacturer.
  • Run reliable anti-virus software often, especially when the software tells you there’s new virus protection. And don’t just keep getting patches, get new versions of the anti-virus software regularly.
  • Use reliable anti-spyware tools. Spyware is software designed to gather information about you or allow someone to access your computer without your knowledge. Antispyware tools will alert you if someone tries to load spyware onto your computer.
  • Don’t allow unfamiliar software to be loaded on your computer. If you share your PC with other people, including your children, tell them your rules on downloading and installing software.
  • Use personal firewall software to protect your PC from outsiders getting in and information getting out.

Using public computers

  • Be cautious about entering sensitive personal information or performing transactions on public computers.
  • If you use public computers, make sure the computer center is reputable. If the PC isn’t properly secured, hardware and software can be changed to capture keystrokes and other data that could reveal your personal information, even if you’re using a secure website.
  • Check to see that others aren’t looking over your shoulder as you enter your PIN or password or look at any personal information.
  • Don’t check the box to “remember your passwords” or use the other auto-fill features of your browser. Using those features defeats your password’s security.

HIPAA-Covered Entities and How to Submit a Complaint About a HIPAA Privacy Breach

This document provides an overview of which types of organizations or individuals are and are not likely to be HIPAA-covered entities, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to submit a complaint to OCR and FTC.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted and sets forth a comprehensive set of standards for protecting sensitive patient health information. HIPAA applies to all entities that fall within the definition of a “Covered Entity”. If a “Covered Entity” engages a “Business Associate” to help carry out its healthcare activities and functions, it is subject to the HIPAA Act.

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See the definitions of “business associate” and “covered entity” at 45 CFR 160.103 in the table below.

Covered Entity

A health plan, healthcare provider who transmits any health information.

  • Health care providers such as doctors, clinics, psychologists, chiropractors, nursing homes, and pharmacies
  • Health plans such as health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs
  • Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa

Business Associate

A person or entity that performs certain functions that involve protected health information on behalf of, or provides services to, a covered entity.

  • Third-party administrator that assists a health plan with claims processing
  • Consultant that performs utilization reviews for a hospital
  • Health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider
  • Independent medical transcriptionist that provides transcription services to a physician

Entity not subject to HIPAA

A person or entity that is not handling Protected Health Information per HIPAA guidelines and Rules.

  • Employers (in their capacity as employers)
  • Life insurance companies
  • Workers’ compensation carriers
  • Auto insurance companies (when not providing health benefits)
  • Schools and school districts (when not providing healthcare services)
  • Law enforcement agencies
  • State agencies not involved in healthcare administration or services
  • Family and friends of the patient (unless acting as a personal representative)
  • Fitness and health clubs
  • Marketing companies (when not working on behalf of a covered entity)
  • Researchers (when not obtaining PHI from a covered entity)
  • Attorneys (when not working on behalf of a covered entity)
  • Cosmetic service providers (when not processing healthcare transactions)
  • Alternative medicine practitioners (when not processing healthcare transactions)
  • Pharmacies selling over-the-counter products without PHI

Oversight Responsibilities

Office for Civil Rights (OCR)

  • Enforce HIPAA Privacy and Security Rule.
  • Investigate filed complaints.
  • Conduct compliance reviews.
  • Perform education and outreach to foster compliance.
  • Impose civil money penalties.

To file a complaint to OCR, visit OCR online portal.

Federal Trade Commission (FTC)

  • Enforce Privacy and Security rule per FTC Act.
  • Investigate filed complaints.
  • Impose civil penalty per violation.

To file a complaint to FTC, visit ReportFraud.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.

Information for Developers

Digital Access Steps: Provider Directory API

The Provider Directory API is an HL7 FHIR-based API allowing app developers to pull Provider and Organization data for consumption by patients or their representatives. The following FHIR resources are available within the Provider Directory API:

  • Organization
  • Provider

The Provider Directory API is publicly available but does require registration.

For more detailed instructions on how to use the API, please visit https://accares.acgov.org/docs. If you are an app developer and wish to interface with the ACBHD Provider Directory API, please contact HCSASupport@acgov.org for more information.

Digital Access Steps: Patient Access API

The Patient Access API is an HL7 FHIR-based API allowing app developers to pull patient data into an application for consumption by patients or their representatives. The following FHIR resources are available within the Patient Access API:

  • Patient
  • Medication Request
  • Explanation of Benefits
  • Encounter
  • Condition
  • Document Reference

For more detailed instructions on how to use the API, please visit https://accares.acgov.org/docs. If you are an app developer and wish to interface with our patient access API, please contact HCSASupport@acgov.org.


Protecting Your Health Records (Farsi)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Farsi)


Protecting Your Health Records (Simplified Chinese)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Simplified Chinese)


Protecting Your Health Records (Traditional Chinese)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Traditional Chinese)


Protecting Your Health Records (Spanish)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Spanish)


Protecting Your Health Records (Vietnamese)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Vietnamese)


Protecting Your Health Records (Tagalog)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Tagalog)


Protecting Your Health Records (Korean)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Korean)


Protecting Your Health Records (Arabic)

HIPAA Entities and How to Submit a Complaint About a HIPAA Privacy Breach (Arabic)