On this page, you will find a list of state and federal health laws. The list is not comprehensive, but provides a good overview of the protections provided patients in California. For specifics on various California healthcare laws, refer to the CHILI Tool. It is designed to help you locate the law you are seeking in an easy-to-use manner.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
42 CFR Part 2 applies to AOD programs that are federally conducted, regulated or assisted in any way, directly or indirectly. Regulations apply to recipients of AOD and their patient identifiable information and prohibit most disclosures of information without patient consent.
Under Title II of GINA, it is illegal to discriminate against employees or applicants because of genetic information. Title II of GINA prohibits the use of genetic information in making employment decisions, restricts employers and other entities covered by Title II (employment agencies, labor organizations and joint labor-management training and apprenticeship programs - referred to as "covered entities") from requesting, requiring or purchasing genetic information, and strictly limits the disclosure of genetic information.
California Constitution Article 1 Declaration of Rights:
The California Constitution provides all Californians with a guaranteed right to privacy.
Confidentiality of Medical Information Act – Civil Code § 56.10-56.16:
This law protects the privacy of medical information by limiting disclosures of providers of health care, health care service plans, and contractors.
Civil Penalties for Unauthorized Access, Use, or Disclosure of Medical Information – Civil Code § 56.36:
This law was amended to further define administrative fines or civil penalties for any person or entity including licensed health care professionals who knowingly and willfully obtains, discloses, or uses medical information in violation of the Confidentiality of Medical Information Act.
Health Facilities Data Breach – Health & Safety Code § 1280.15:
This law requires certain health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information. It sets fines and notification requirements for breaches of patient medical information and requires facilities to report such breaches to the California Department of Public Health.
Establishment of CA OHII to Ensure Enforcement of Confidentiality of Medical Information – Health & Safety Code § 130201:
This law establishes within the California Health and Human Services Agency the Office of Health Information Integrity to ensure the enforcement of state law mandating the confidentiality of medical information. The law requires every provider to establish and implement safeguards to protect the privacy of patients’ medical information.
Medical Information, Collection for Direct Marketing Purposes - Civil Code § 1798.91:
This law prohibits a business from seeking to obtain medical information from an individual for direct marketing purposes without, (1) clearly disclosing how the information will be used and shared, and (2) getting the individual’s consent.
Patient Access to Health Records - Health & Safety Code § 123100 :
With minor limitations, this law gives patients the right to see and copy information maintained by health care providers relating to the patients' health conditions. The law also gives patients the right to submit amendments to their records, if the patients believe that the records are inaccurate or incomplete.
Breach Notification – Civil Code § 1798.29 & 1798.82:
This law requires companies that collect personal information to notify each person in their database should there be a security breach involving personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account.
This section defines "personal information" which includes medical information and health insurance information. It defines "medical information" as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. The provision defines "health insurance information" as any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
Disclosures of Alcohol and drug information - Health & Safety § 123125:
This chapter does not require a health care provider to permit access to alcohol and drug abuse records that is prohibited by federal and other laws. Records subject to those laws are subject to this chapter to the extent that disclosure is permitted. This chapter does not require a health care provider to allow access of records of communicable disease carriers that is prohibited by law to protect confidentiality.
Lab Results STD – Health & Safety Code §120705:
All laboratory reports for prenatal syphilis tests are confidential and not available for public inspection
Disclosures of lab for prenatal care: determination of rhesus (Rh) blood type – Health & Safety Code §125105:
A blood specimen obtained as per 125080, shall be submitted to a laboratory to determine rhesus blood type and the results shall be reported to physician, surgeon, or other person providing prenatal care or attending the woman at the time of delivery, and to the woman tested. A blood specimen as per 125080 shall also be submitted to a laboratory to determine the presence of hepatitis B surface antigen and HIV virus. Both results shall be reported to the physician, surgeon, or other person who ordered the test and who shall inform the woman tested. The blood specimen and test results obtained per Health & Safety Code 125085 shall be confidential and not disclosed, unless otherwise provided by law; no person shall be compelled to provide test results pursuant to 125080 or 125085
Consent by patient for lab results via internet or other electronic means must be consistent with CMIA – Health & Safety Code §123148:
If the patient requests, a health care provider shall provide the results of the laboratory test to the patient in written or oral form. Consent must be obtained to deliver results via electronic means. Electronic delivery or results shall be consistent with applicable federal law or state law. HIV antibody test, hepatitis infection tests, abusing the use of drugs, and tests related to routinely processed tissues revealing malignant results may not be conveyed by electronic means. Test results and health information may not be used for commercial purpose without patient consent.
Lab test results of prisoners – Penal Code §7530:
HIV/AIDS/hepatitis test results for inmate are to be sent to the medical officer ordering them; the laboratory is responsible for ensuring the confidentiality of test results.
HIV data used in investigations, reports – Health & Safety Code §120820:
Personal data contained in California Acquired Immune Deficiency Syndrome Program investigations, reports, and information relating to such must be kept confidential and protected pursuant to 100330. If patient-identifying information is subpoenaed, the department must seek a protective order. The court may still order production of information, but limit it to assure confidentiality.
Mandated Blood Testing and Confidentiality to Protect Public Health –Health & Safety Code § 120975-121020:
This law protects the privacy of individuals who are the subject of blood testing for antibodies to the probable causative agent of acquired immune deficiency syndrome (AIDS). No person shall be compelled to provide information in any civil, criminal, administrative, legislative or other proceedings that would reveal the identity of any individual who is the subject of an HIV blood test. Exceptions are provided in Health & Safety Code 1603.1, 1603.3 and 121022.
Disclosures by State or Local Public Health agencies of records relating to HIV or AIDS – Health & Safety Code §121025:
HIV or AIDS related public health records containing personally identifying information, developed or acquired by public health agencies shall be confidential and not disclosed except as otherwise provided by law for public health purposes or with written authorization from the person who is the subject of the record or their guardian or conservator.
Disclosures of medical information regarding the HIV, hepatitis B, or hepatitis C status of the source patient. – Health & Safety Code § 121065:
Test results for AIDS, AIDS-related conditions, and other communicable diseases shall be sent to the designated recipients with a confidentiality disclaimer: "Medical information regarding the HIV, hepatitis B, or hepatitis C status of the source patient shall be kept confidential and may not be further disclosed, except as otherwise authorized by law.” The exposed individual shall also be informed of the penalties for disclosure for which he or she would be personally liable.
HIV-related tests requested by insurers – Insurance Code § 799.03:
No life or disability income insurer shall test for HIV without obtaining applicant's informed consent, and providing counseling and privacy protection. In the event of a positive test, the insurer shall notify the applicant's designated physician.
Confidentiality of AIDS testing for convicted persons – Penal Code § 1202.6:
Upon conviction for prostitution, a court shall order defendant to undergo HIV testing and a report shall made available to the court and State Department of Health Services. At the sentencing hearing, the court shall furnish a copy of the test results to the defendant. Reports of the test results shall be confidential, although Department of Health Services shall furnish copies of any report to a district attorney upon request.
Confidentiality of State Department of Mental Health committed mentally abnormal sex offenders – WIC § 4135:
The supervision, care, and treatment records of persons committed to the State Department of Mental Health as a mentally abnormal sex offender shall not be inspected by any person not employed by the department unless the court through an order permits examination of such records
County/state mental health prepetition screening information – WIC LPS § 5202:
Before filing a petition, the person or agency designated by the county shall request the person or agency designated by the county and approved by the State Department of Mental Health to provide pre-petition screening to determine whether there is probable cause to believe the allegations that the person is, as a result of mental disorder, a danger to others, or to himself or herself, or gravely disabled, and that the person will not voluntarily receive evaluation or crisis intervention.
Information and records for services rendered by State hospitals/community mental health clinics – WIC LPS § 5328:
Information disclosed for the purpose of coordinating health care services and medical treatment, mental health services, or services for developmental disabilities, for a minor, shall not be admitted into evidence in any criminal or delinquency proceeding against the minor. However, identical evidence may be admissible in a criminal proceeding if that evidence is derived from other lawful means and is permitted by law.
Access to mental health information by patients’ rights advocate – WIC LPS § 5541:
Patients' rights advocates must obtain authorization from the client or the guardian ad litem to access, copy, or use the client's confidential records and information. The client or guardian may revoke such authorization at any time
Access to information related to mental health of minors –Health & Safety 123115:
A representative of a minor can be denied access to the minor's patient records where: 1) the patient records pertain to health care of a type for which the minor is lawfully authorized to consent to; or 2) the health care provider determines that granting access may have a detrimental effect on her professional relationship with the minor, the minor’s physical safety or the minor's psychological well-being.
Minor consent – Health & Safety Code 123110:
Except as per 123115 and 123120, patients, minor patients authorized to consent to medical treatment, and any patient representatives shall be entitled to inspect patient records upon written request and payment of clerical costs. Such persons shall also be entitled to copies of patient records. Health care providers are prohibited from withholding patient records because of unpaid bills.
Minor’s consent for medical or dental care – Family Code § 6922(a):
A minor may consent to the minor's medical care or dental care if the minor is 15 years of age or older, the minor is living separate and apart from the minor's parents, the minor is managing the minor's own financial affairs. A physician and surgeon or dentist may advise the minor's parent of the treatment given or needed if they have reason to know the whereabouts of the parent.
Minor consent for care to prevent or treat pregnancy, except sterilization – Family Code § 6925:
A minor may consent to medical care related to the prevention or treatment of pregnancy. However, a minor cannot be sterilized without the consent of the minor's parent or guardian, or except under certain circumstances, receive an abortion without the consent of a parent or guardian.
A minor who is 12 years of age or older may consent to mental health treatment or counseling on an outpatient basis, or to residential shelter services – Family Code § 6924:
The mental health treatment or counseling of a minor authorized by this law shall include involvement of the minor's parent or guardian unless, in the opinion of the professional person who is treating or counseling the minor, the involvement would be inappropriate. The professional person shall state in the client record whether and when the person attempted to contact the minor's parent or guardian, and whether the attempt to contact was successful or unsuccessful, or the reason why it would be inappropriate to contact the minor's parent or guardian.
Minor’s consent for medical treatment related to rape – Family Code 6927:
A minor who is 12 years of age or older and who is alleged to have been raped may consent to medical care related to the diagnosis or treatment of the condition and the collection of medical evidence with regard to the alleged rape.
Consent for diagnosis and treatment by minor’s with drug or alcohol-related problems – Family Code §6929:
When a parent or legal guardian has sought the medical care and counseling for a drug- or alcohol-related problem of a minor child, the physician shall disclose medical information concerning the care to the minor's parent or legal guardian upon his or her request, even if the minor child does not consent to disclosure, without liability for the disclosure.
Minor’s consent for HIV test – Health and Safety Code § 121020:
When the subject of an HIV test is not competent to give consent for the test to be performed, written consent for the test may be obtained from the subject's parents, guardians, conservators, or other person lawfully authorized to make health care decisions for the subject. For purposes of this paragraph, a minor shall be deemed not competent to give consent if he or she is under 12 years of age.
Victims of child physical abuse or neglect – Penal Code § 11171:
A physician and surgeon or dentist or their agents by their direction may take skeletal X-rays of the child with the consent of the child's parents or guardian for the purposes of diagnosing the case as one of possible child abuse or neglect and to determine the extent of the abuse or neglect. Neither psychotherapist-patient nor physician-patient privilege applies to the information reported in any court proceeding or administrative hearing.
Authorization of access to information regarding persons with disabilities to protection and advocacy agencies. – WIC 4903:
The protection and advocacy agency shall have access to the medical and other records of the following persons with disabilities: 1) any person who is a client of or requested assistance from the agency if the agency has received authorization for such access from the person or person's designated agent or other legal representative, although the person may subsequently deny such access; 2) any person that cannot be located and who is unable to authorize access due to mental or physical condition, who does not have a legal representative, and the agency has received a complaint.
Persons with disabilities - Confidential information and records; disclosure; consent – WIC § 4514:
All information and records acquired in the course of providing intake, assessment, and services to persons with developmental disabilities shall be confidential. Information and records are to be disclosed only as provided in this section
Local public social services agencies providing services to older persons may share information for coordination of multidisciplinary team activities – WIC § 9401:
Agencies providing services to older adults through a multidisciplinary team may provide information about older adult clients only to other county agency multidisciplinary team members providing services to same individuals to coordinate treatment between agencies. The county patients' rights advocate shall report any negative consequences of the implementation of this exception to confidentiality requirements to the local mental health director.
Papers and records pertaining to artificial insemination are subject to inspection only upon an order of the court for good cause shown – Family Code 7613:
Where a wife is inseminated artificially with semen donated by a man other than her husband, the physician and surgeon must retain the husband's consent form as part of the medical record. The record must be kept confidential and in a sealed file. However, the physician and surgeon's failure to do so does not affect the father and child relationship. All papers and records pertaining to the insemination, whether part of the permanent record of a court or of a file held by the supervising physician and surgeon or elsewhere, are subject to inspection only through a court order.
Use, disclosure and access controls for birth defects monitoring program and its contractors, researchers – Health & Safety Code § 103850:
Birth defects data created pursuant to the Birth Defect Monitoring Program must be kept confidential. All information collected for birth defects monitoring program shall be confidential and used only for the purposes stated. Access to such confidential information shall be limited to authorized program staff and persons with valid scientific interest who agree in writing to maintain confidentiality
Use, disclosure, and consent to disclose information related to hereditary diseases/congenital defects – Health & Safety Code § 124980:
All testing results and personal information generated from hereditary disorders programs shall be made available to an individual over 18 years of age, or to the individual's parent or guardian (subsection (i); all testing results and personal information from hereditary disorders programs obtained from any individual shall be confidential except for information that the individual/parent/guardian consents to be released, provided that the individual is fully informed of the scope of the information requested, the risks/benefits/purposes for the release, and the identity of to whom the inform.