Your Medical Information and Your Rights (California Medical Privacy Series)

  1. What does this guide cover?
  2. Your right to receive a notice of privacy practices
  3. Your right to inspect and copy your medical records
  4. Your right to request an amendment to your medical records
  5. Your right to request restrictions on disclosure of your medical information
  6. Your right to find out who has received your medical information
  7. Your right to file a complaint
  8. Your right to bring a lawsuit
  9. Additional resources

1. What does this guide cover? 

This guide discusses your basic medical privacy rights in California, and provides information about how to exercise them.

2. Your right to receive a notice of privacy practices

Health care providers and health plans are required to develop and distribute a notice of privacy practices explaining how they may use and disclose protected health information.

Health care providers and health plans must make the notice available on any website they maintain and provide it to anyone who asks.  Providers typically post the notice at the office or provide a copy at your first visit.  Health plans provide the notice when you enroll in an insurance plan.

These notices can provide you with valuable information, including:

  • how the provider or plan may use and disclose your medical information;
  • your rights and how to exercise them;
  • how to complain to your health care provider or plan;
  • how to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (which enforces HIPAA); and
  • who to contact for further information about the privacy policy.

For more information about how your medical information may be used and disclosed, see PRC’s guide: How is Your Medical Information Used and Disclosed? (California Medical Privacy Series).

3.  Your right to inspect and copy your medical records

Both HIPAA and California law give you the right to inspect and copy your medical records (with some exceptions, such as psychotherapy notes).  See 45 CFR § 164.524 and Cal. Health & Safety Code § 123100.

  • If you want to inspect or copy your record, read your provider’s notice of privacy practices (you can find this at the office or on the provider’s website).  The notice will tell you how to make a request.
  • You have the right to inspect your medical records within five business days of making a written request to your health care provider. Cal. Health & Safety Code §123100
    • Your doctor may require you to verify your identity to inspect your records.  
  • If you ask for copies of your records, your health care provider must provide them within 15 business days of receiving your written request. 
  • If you submitted a written request and your doctor won’t give you a copy of your records within the required timeframe, you can file a complaint with the Medical Board of California.

For more information about your right to access your medical information under HIPAA, see PRC’s HIPAA privacy guides and the U.S. Department of Health and Human Services website.

4. Your right to request an amendment to your medical records

HIPAA gives you the right to request an amendment to your medical records. See 45 CFR § 164.526.

  • Note that this is a right to request an amendment rather than a right to amend.

California’s Patient Access to Health Records Act gives you the right to submit a written addendum to your medical record.  Even if you are unable to amend your medical record or remove information you believe is incorrect, you may write a statement (up to 250 words per incomplete or incorrect item) explaining any item or statement in your records that you believe is incomplete or incorrect.  You may demand that the provider include your addendum in your record so that it is available any time the provider discloses the incomplete or incorrect information to a third party (such as another doctor or an insurer).  Cal. Health & Safety Code § 123111

California’s Information Practices Act gives you the right to request an amendment to any personal information (including medical information) held by state agencies. After it receives your request, the state agency has 30 days to either make the correction or deny the request and inform you of your right to a review of that decision.  Cal. Civ. Code §§1798.35-1798.37.

5. Your right to request restrictions on disclosure of your medical information

HIPAA gives you the right to request restrictions on disclosure of your medical information, but in most cases a covered entity has no obligation to comply with your request.

You can demand that a provider restrict disclosure of your protected health information to a health plan if:

  • the disclosure is only for the purpose of payment or health care operations, but not for treatment, and is not legally required otherwise; and
  • you—not your health plan—pay in full for the treatment involving the protected health information you want to restrict.
    45 CFR § 164.522(a)(1)(vi)

Health care providers and health plans must also accommodate a reasonable request concerning how you wish to receive confidential communications about your medical information. For example, you may request to receive communications at a certain address or phone number, or by a specific means, such as U.S. mail, email, or text. You may have to make the request in writing and include alternative choices, and agree to pay any unusual costs, such as courier service charges. 45 CFR § 164.522

For detailed information about your right to request restrictions under HIPAA, see World Privacy Forum’s guide, Right to Request Restrictions on Uses and Disclosures.

For more information on how your medical information may be used and disclosed, see PRC’s guide, How is Your Medical Information Used and Disclosed? (California Medical Privacy Series).

6. Your right to find out who has received your medical information

HIPAA gives you the right to request an accounting of disclosures. An accounting of disclosures is a record describing how your information is disclosed (what was disclosed, when it was disclosed, who received it, and the purpose of disclosure).   You may request an accounting of disclosures dating back six years prior to the date of your request. 45 CFR §164.528

  • Note that this right is limited since covered entities do not have to account for disclosures for treatment, payment, and health care operations. 

For detailed information about your right to an accounting of disclosures under HIPAA, see World Privacy Forum’s guide, Right to Receive an Accounting of Disclosures.

For more information on how your medical information may be used and disclosed, see PRC’s guide, How is Your Medical Information Used and Disclosed? (California Medical Privacy Series).

7.  Your right to file a complaint

Ask for your health care provider or health plan’s notice of privacy practices to obtain information about how to file a complaint with them.

For HIPAA violations, you may file a complaint with the U.S. Department of Health and Human Services (HHS).  HIPAA does not give you the right to sue (also called a private right of action), and you will not receive compensation if HHS brings an enforcement action.

If you have a problem with your health insurance plan, you may file a complaint with the California Department of Managed Care.

For certain privacy-related issues with health care providers, you may file a complaint with the Medical Board of California.  For more information, see the Medical Board website.

8. Your right to bring a lawsuit

If your medical information has been disclosed in violation of California’s Confidentiality of Medical Information Act (CMIA) you may be able to bring a lawsuit.  See Cal. Civ. Code §§56.35 and 56.36, and talk with your attorney for more information.

9. Additional resources

Your Patient Privacy Rights: A Consumer Guide to Health Information Privacy in California, California Office of the Attorney General.

For information about your rights under the HIPAA Privacy Rule and how to exercise them, see the U.S. Department of Health and Human Services resource HIPAA for Individuals.

Health Information and the Law is a project of the Milken Institute School of Health at George Washington University.

The Electronic Frontier Foundation (EFF) has information on medical records and privacy, including details on many of the exceptions to use and disclosure in California and federal regulations.

 

Originally funded in 2012 with a cy pres award from Rodriguez et al. v. NDHealth et al.

Updated in 2017 with funding from the Rose Foundation for Communities and the Environment.