Skip to Main Content

25-1048m Patient Privacy Matters: Key Requirements for Providers

Date: 10/14/25

How to safely share and communicate protected health information

To protect patient privacy, Health Net, on behalf of CalViva Health, requires all participating physicians and other providers to maintain a written policy that follows a HIPAA-compliant privacy policy. This policy must be stored either electronically or in print and must include tools and procedures that:

  • Prevent loss, damage, or tampering of medical records.
  • Block unauthorized access or use.
  • Ensure verbal conversations about patient information remain private.

Providers must use patient health data – such as medical conditions, treatments, and prescriptions – only for care and other permitted purposes under HIPAA’s Privacy Rule.

Safeguarding sensitive health information

Certain types of care are considered sensitive services, including:

  • Mental and behavioral health.
  • Sexual and reproductive health.
  • Sexually transmitted infections.
  • Substance use disorders.
  • Gender-affirming care.
  • Intimate partner violence.

These services are protected under California law and may be accessed by patients who meet the legal age of consent, as outlined in:

  • Family Code §§ 6924–6930
  • Health and Safety Code §§ 121020 and 124260

Key privacy rules providers must follow

  • No parental or main subscriber approval required: Patients can access sensitive services and submit claims without additional consent.
  • No unauthorized disclosures: Sensitive health information must not be shared without the patient’s explicit permission.
  • Clear communication options: Patients must be informed—at enrollment and annually—about how to request confidential communications.
  • Timely responses required:
    • Within 7 business days for electronic or phone requests.
    • Within 14 business days for mailed requests.
  • Direct communication only: All messages related to sensitive services must be sent to the patient’s chosen contact method (i.e., address, email, or phone number). If none is specified, use the contact information on file.

What counts as confidential communication?

  • Billing statements and payment collections notices.
  • Adverse benefit determination notices.
  • Explanation of Benefits notices.
  • Requests for additional claim information.
  • Contested claim notices.
  • Provider name, service descriptions, and visit details.
  • Any written, oral, or electronic communication containing protected health information.

Electronic Medical Records (EMR) access

When the Plan requests access to EMRs, the physician or other provider must grant access to support case management, risk adjustment, and quality reporting. No additional fees may be charged for this access.

Additional information

Providers are encouraged to access the provider portal for real-time information, including eligibility verification, claims status, prior authorization status, plan summaries, and more.

If you have questions regarding the information contained in this update, contact CalViva Health at
888-893-1569. Behavioral Health providers can call at 844-966-0298.

 

This information applies to Physicians, Participating Physician Groups (PPGs), Hospitals, Ancillary Providers, Community Supports (CS) Providers, Enhanced Care Management (ECM) Providers, and Behavioral Health Providers.

This information applies to Medi-Cal in Fresno, Kings and Madera counties.



Last Updated: 10/08/2025