1. What information is confidential, and what can I safely discuss while expecting confidentiality?
Generally, any information, in electronic or physical form, that could individually identify you (such as your name, address, email address, telephone number, or Social Security number) in connection with your medical information is confidential and may not be disclosed without your authorization unless the law allows it. This includes information held by your physician, your pharmacy, your psychologist or therapist, hospitals or other health facilities, and companies that maintain your medical information for billing, treatment, research or other purposes. There are circumstances in which your medical information may be disclosed without your authorization, such as for diagnosis and treatment, for billing, under a court order, or for other specified purposes (see #4 below).
Examples of medical information that must be held confidential:
- Medical charts or records
- Notes by physicians, nurses, medics, or mental health specialists
- Laboratory results
- Pharmacy information and prescription histories
- Research study information
2. Who must protect the confidentiality of my medical information?
There are three primary groups that must protect the confidentiality of your medical information:
Health Providers: Any licensed or certified health care professional including the following:
- Chiropractors
- Dentists
- Physicians
- Osteopaths
- Podiatrists
- Nurses
- Vocational Nurses
- Psychologists
- Social Workers
- Acupuncturists
- Midwives
- Psychoanalysts
- Opticians
- Therapists
- Dieticians
- Physician Assistants
- Psychiatric Technicians
- Pharmacists
- Naturopathic Doctors
- Physical Therapists
Any facility or organization that provides direct medical care, health services or treatment, diagnostic or therapeutic services, preventive or rehabilitation services, and convalescence care. These facilities or organizations may include the following:
- Primary care clinics
- Community clinics
- Free clinics
- Specialty clinics
- Surgical clinics
- Chronic Dialysis clinics
- Rehabilitation clinics
- Alternative Birth centers
- General acute care hospitals
- Acute psychiatric hospitals
- Skilled nursing facilities
- Intermediate care facilities
- Special hospitals
- Congregate living health facilities
- Correctional treatment centers
- Home health agencies
- Hospices
- Mobile health care units
Health care service plans:
These are entities that arrange for the provision of health care services or pay for or reimburse for those activities. This includes health care insurers.
Other groups that must protect the confidentiality of your medical information include:
- Contractors (any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager or a medical service organization and that is not a health care service plan or health care provider)
- Pharmaceutical Companies
- Businesses organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of an individual.
3. What are the requirements for these individuals and entities in order to disclose my medical information?
Unless a specific exception applies, you must provide written authorization before anyone can use or disclose your medical information. The authorization form must be handwritten by you or printed in a typeface no smaller than 14 point, and it must include all of the following:
- Your signature and the date, signed either by you or by your representative, spouse, beneficiary, or the financially responsible party.
- The specific uses and limitations on the types of medical information to be disclosed.
- The name of the party that may disclose the medical information.
- The name of the party authorized to receive the medical information.
- The specific uses and limitations on the use of the medical information by the receiving party.
- The date on which the authorization expires, after which your medical information may no longer be disclosed under it.
- A statement advising you of your right to receive a copy of the authorization form.
In addition, if the requesting party wishes to use your medical information for marketing, they must obtain a separate authorization. An authorization “for any purpose” or an authorization for the release of psychotherapy notes may not be combined with any other authorization. Additionally, once your medical information has been disclosed, the receiving party may not further disclose your medical information without first obtaining a new written authorization from you.
4. When can my medical information be disclosed without my written authorization?
Common circumstances that may allow the disclosure of your medical information without your written authorization include:
- For the purposes of treatment, diagnosis or payment services
- To determine eligibility for benefits or services
- If required by a court order
- If required for a lawsuit, arbitration, grievance, or administrative agency for determining a claim
- When requested in the course of an investigation by the coroner’s office
- For public health purposes or disaster relief efforts
Generally, under these and the other permitted circumstances, the disclosure may include only the information needed to satisfy the purpose of the disclosure.
For complete information on the circumstances that allow disclosure of your information without a written authorization, please refer to California Civil Code section 56.10.
5. What are the penalties if my medical information is wrongfully used, disclosed or accessed?
If your medical information is wrongfully accessed, used or disclosed, the circumstances of that access, use or disclosure determine which penalties apply. The distinctions are based on who is seeking the penalty, who committed the access, use or disclosure, and whether it was done for financial gain. If the access, use or disclosure was for financial gain, the penalties are greater. Under certain circumstances you have a private cause of action to recover monetary compensation for violations of your medical information privacy. Any administrative penalties brought by state or local authorities are paid to the agency bringing the action.
Private cause of action for violations
You may be entitled to:
- Nominal damages of $1000, regardless of whether or not you suffered actual harm if your confidential medical information or records were negligently released;
- The amount of your actual damages, if any, sustained by you;
Administrative fine or civil penalty for any person or entity that unlawfully discloses medical information due to negligence
- Up to $2,500 per violation
- This amount is irrespective of the amount of damages suffered by a patient or patients
Administrative fine or civil penalty for licensed health care professional or provider who unlawfully uses, discloses or accesses medical information
Knowing and Willful Disclosure
- First violation: Up to $2500 per violation.
- Second violation: Up to $10,000 per violation.
- Third and subsequent violation: Up to $25,000 per violation.
Knowing and Willful Disclosure for the Purpose of Financial Gain
- First violation: Up to $5000 per violation.
- Second violation: Up to $25,000 per violation.
- Third and subsequent violation: Up to $250,000 per violation.
- They also must return any proceeds made from the disclosure.
Administrative fine or civil penalty for any person or entity, other than a licensed health care professional or provider, who unlawfully uses, discloses or accesses medical information
Knowing and Willful Disclosure
- They are subject to an administrative fine or civil penalty not to exceed $25,000 per violation.
Knowing and Willful Disclosure for the Purpose of Financial Gain
- They are subject to an administrative fine or civil penalty not to exceed $250,000 per violation.
- They must return any proceeds made from the disclosure.
In addition, any violation of the Confidentiality of Medical Information Act (CMIA) that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
6. How do these rights and penalties compare to federal law?
The Health Insurance Portability and Accountability Act (HIPAA) establishes standards, requirements, and implementation specifications for entities that transmit health information in electronic form in connection with a covered transaction. In many cases the provisions of HIPAA apply in addition to state law requirements. However, not all providers of health care under the CMIA are "covered entities" subject to HIPAA requirements.
7. Who can I contact if I believe my medical information privacy rights have been violated?
If you believe your medical information has been wrongfully used, disclosed or accessed, please refer to the information below to determine the appropriate authority to contact.
Reporting Incidents Involving Medical Facilities
The Department of Public Health Licensing and Certification Division is responsible for investigating reports of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information involving any facility licensed under Division 2 pursuant to Sections 1204, 1250, 1725, or 1745 of the Health and Safety Code. Such facilities may include the following:
- Primary care clinics
- Community clinics
- Free clinics
- Specialty clinics
- Surgical clinics
- Chronic Dialysis clinics
- Rehabilitation clinics
- Alternative Birth centers
- General acute care hospitals
- Acute psychiatric hospitals
- Skilled nursing facilities
- Intermediate care facilities
- Special hospitals
- Congregate living health facilities
- Correctional treatment centers
- Home health agencies
- Hospices
- Mobile health care units
If you wish to report a medical information privacy or security incident as described above, please contact the appropriate Department of Public Health Licensing and Certification District Office. To find your nearest District Office, please visit http://www.cdph.ca.gov/certlic/facilities/Pages/LCDistrictOffices.aspx
When contacting the District Office please be prepared to identify a primary contact person familiar with the incident and provide his or her contact information.
Federal Office for Civil Rights (OCR)
Violation of the privacy of individually identifiable health information may also be a violation of HIPAA, the federal law that protects the privacy of such information. HIPAA is enforced by the federal government. To file a complaint for possible HIPAA violation, please contact:
Office for Civil Rights, U.S. Department of Health & Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Phone: (415) 437-8310
Fax: (415) 437-8329
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
Reporting Incidents Involving Any Other Medical Provider, Business, Entity or Person
If you wish to report a medical privacy or security violation incident pertaining to any other type of medical provider, business, entity or person you will need to file a complaint with the District Attorney of the county in which the incident occurred. If more than one county is involved, you will need to file a complaint with the District Attorney in each county involved.
Please note that the California Office of Health Information Integrity (CalOHII) cannot address violation incidents not referred to CalOHII directly from the California Department of Public Health.