Privacy Rights Clearinghouse
- Useful medical privacy terms and definitions
- How do HIPAA and state laws work together to protect medical information?
- Which California laws protect medical information
- What kinds of information do your medical records contain?
Are you confident that your medical records are private and secure? Do you ever wonder who can see them besides your doctors? How much do you actually know about your own rights concerning your medical records?
The California Medical Privacy Fact Sheet Series focuses on California law and explains how your medical information may be used and disclosed both with, and without, your consent or knowledge. It discusses the strengths and weaknesses of laws and regulations that protect medical privacy. This Fact Sheet Series also addresses the controls you have over your personal health information, as well as the responsibilities of those who collect it. In addition, it provides links to resources where you can find more information about your medical privacy rights and how you can protect them.
The California Medical Privacy Fact Sheet Series addresses two concerns:
- the sensitivity of your personal health information; and
- preventing improper use of it.
There are state and federal laws that exist specifically for the purpose of protecting the privacy and security of medical records. How effective they are is open to question. You should also be aware of situations where identifiable health information about you falls outside of current regulations. In certain situations, your medical records may not be as well protected as you think they are—or would like them to be.
If you familiarize yourself with the following terms, you will better understand the information in this guide and the whole California Medical Privacy Fact Sheet series.
- Confidentiality of Medical Information Act (CMIA) is in the California Civil Code and regulates the privacy of medical information. (Cal. Civ. Code §§ 56-56.37) See the California Office of Health Information Integrity (CalOHII) website for a list of both who and what the CMIA covers.
- "Medical information" is the term the CMIA uses for individually identifiable health information about a patient's medical history, mental or physical condition, or treatment.
To be individually identifiable, information must include an element that identifies a person, such as name, address, email address, telephone number, or Social Security number, or that can be combined with other publicly available information to reveal a person's identity.
- "Contractor" is the CMIA's term for an entity that receives medical information or protected health information (the HIPAA term) but is not a health care provider or health care service plan.
A contractor can be:
- a medical group;
- an independent practice association (IPA), a group of doctors that contracts with a Health Maintenance Organization (HMO);
- a pharmacy benefits manager (PBM); or
- a medical services organization, for example a business that provides practice management services (billing, payroll, employee benefits management, and general administrative services), usually to individual physicians or small group practices.
- The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 to make health insurance "portable" between jobs. HIPAA applies to health care providers, health plans, and health care clearinghouses. Congress failed to write a follow-up law to protect the privacy and security of health information, so the U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule (first issued in December 2000 and modified in August 2002) and the Security Rule (February 2003). The Privacy Rule protects paper and electronic records; the Security Rule covers only electronic records.
The Privacy and Security Rules will be updated shortly (possibly as soon as the summer of 2012) when final regulations that incorporate changes made by the HITECH Act are released. HITECH stands for the Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009. The proposed final rules and additional information about them are available from HHS.
- "Protected health information" (PHI) is the term HIPAA uses for individually identifiable health information that is transmitted or maintained in any form (paper or electronic).
- A "covered entity" must comply with HIPAA. Covered entities include: health care providers, health plans, and health care clearinghouses. Covered entities provide health care and/or receive, access, or generate PHI.
Health care providers include hospitals, doctors, other caregivers, and health care researchers.
A health plan is an individual or group plan that either provides or pays the cost of medical care.
A health care clearinghouse standardizes health information (for example, a billing service that processes data from one format into a standardized billing format).
- A "business associate" is the HIPAA term for an outside third party that performs services for a covered entity that involve the use or disclosure of protected health information (PHI). Examples include practice management services, data processing, and pharmacy benefits managers. Business associates must comply with HIPAA.
- The term "personal health information" is often used outside the context of HIPAA or the CMIA to mean protected health information (PHI) or medical information. Although it is not legally defined in California or federal law, it captures the meaning of both terms.
The terms "consent" and "authorization" are often used interchangeably, which is a source of consumer confusion. To simplify, a California health care provider or other covered entity that wants to release your medical information needs your authorization first. That is, your agreement to release the information, handwritten or in type no smaller than 14-point, signed by you or by someone authorized to sign for you (such as the parent of a minor, a spouse, or a legal representative). (Cal. Civ. Code § 56.11)
This sounds like a reasonable privacy protection until you learn that your consent for the use of your medical information is assumed for treatment, payment, and health care operations, and is not required for a long list of legal and administrative purposes. These purposes include law enforcement and public health. You will find more detailed information about consent and authorization in California Medical Privacy Fact Sheet C2: Uses and Disclosures of Medical Information—With and Without Consent .
Federal and state laws that govern health care privacy work together, which is why it is important to learn about both. This Fact Sheet Series highlights California laws, but also takes federal law and regulations into account on issues that California either has not addressed, or where the federal law or regulations provide stronger protections.
HIPAA and its privacy and security regulations set a federal floor of protection. This means that if a state law is more protective, the state law applies. In California this is often the case. For example, California has stronger requirements for notifying individuals about health information security breaches.
California also gives you more control over the release of information that is considered "sensitive" by requiring a separate signed authorization for them. One example of sensitive information is the records for the treatment of HIV and sexually transmitted diseases. Both California and federal law require authorization to release psychotherapy notes and records of substance abuse treatment.
In addition, we are entering the era of universal electronic health information exchange (HIE), and California currently requires covered entities to obtain your opt-in consent to share information electronically. The alternative would be assuming that you consent and then requiring you to opt out of electronic record sharing.
For now, California's HIE opt-in requirement applies only to federally funded HIE demonstration projects. These are projects currently underway around California, administered by the California Office of Health Information Integrity (CalOHII). Demonstration projects test HIE privacy and security policies and practices, test new technologies that support HIE, and identify problems that small practices may have with implementing HIE. CalOHII's website has a brief explanation of the demonstration projects. For more information on HIE see California Medical Privacy Fact Sheet C6: Health Information Exchange: Is Your Privacy Protected?
a. The Confidentiality of Medical Information Act (CMIA)
The principal California law addressing the privacy and security of medical information is the CMIA. (Cal. Civ. Code §§ 56-56.37) The CMIA applies to health care providers, health care service plans, and individuals as well as businesses that contract with them for work that involves access to medical information. The primary purpose of the CMIA is to protect an individual's health information, in either electronic or paper format, from unauthorized disclosures to third parties.
b. Other California laws that protect the privacy and security of medical information
California has a number of other laws that protect the privacy of medical information and grant individuals certain rights with regard to that information. Because the CMIA and HIPAA both have many exceptions that allow for disclosure and use of personal health information without consent, much of your medical information's protection comes from other privacy protective laws.
These laws include:
- The Information Practices Act (IPA) limits the collection, maintenance, and distribution of personal information by state agencies. It gives you the right to review your personal information—including medical information—in state agency records. You may also find out who has accessed the information and request that inaccurate or irrelevant information be changed. (Cal. Civ. Code. §§ 1798-1798.78)
- The Patient Access to Health Records Act (PAHRA) gives patients the right to see and copy their medical records (with some exceptions) that are maintained by health care providers. (Cal. Health & Safety Code §§ 123100-123149.1) Patients may also request changes to records they believe are inaccurate or incomplete. (Cal. Health & Safety Code § 123111)
- The Insurance Information and Privacy Protection Act (IPPA) protects against disclosure of personal information, including medical records, collected in connection with insurance applications and the process of resolving claims. You are entitled to a notice of privacy practices from your insurer that tells you with whom your information may be shared and your rights to restrict sharing. (Cal. Ins. Code §§ 791-791.28)
- Disclosure of genetic information (genetic test results) requires your written authorization. (Cal. Civ. Code § 56.17; Cal. Ins. Code § 10140.1) Also, you cannot be denied insurance on the basis of a genetic test. (Cal. Ins. Code § 10140(c)) Both the Civil Code and the Insurance Code impose fines for negligent disclosure ($1,000) and willful disclosure ($5,000). Willful or negligent disclosure that causes "economic, bodily, or emotional harm" can result in a prison term of up to a year and/or a fine of up to $10,000. (Cal. Ins. Code § 10149.1(c) &
California law also prohibits employers from requiring employees or job applicants to submit to genetic testing unless the request is based on a bona fide occupational qualification. (Cal. Gov’t Code § 12940) An example of an occupational qualification would be employment in a workplace where exposure to toxic substances or radiation is monitored.
Several recent amendments to the California Fair Employment and Housing Act (FEHA) and the Unruh Civil Rights Act extend existing prohibitions against discrimination based on genetic information. Genetic information is defined as an individual’s genetic tests, tests of family members, and the presence of a disease or disorder in an individual’s family members. The addition of genetic information to the FEHA means that it may not be used to discriminate against you in employment, housing, business services, emergency medical services, licensing qualifications, life insurance coverage, mortgage lending, and participation in state-funded or state-administered programs.
Its inclusion in the Unruh Civil Rights Act means that genetic information may not be used to discriminate against you in accommodations, advantages, facilities, privileges, or services provided by business establishments. (FEHA, Cal. Gov’t Code §§ 12921, 12940(a), (b), and (c); Unruh Civil Rights Act, Cal. Civ. Code § 51)
The federal Genetic Information Nondiscrimination Act (GINA) prohibits employers and most health insurers from requesting or requiring employees to provide genetic information. GINA also prohibits them from denying employment or health benefits based on genetic information. (42 U.S.C. § 2000ff et seq. (2008)) In addition, as health information, genetic information is covered under the HIPAA privacy regulations. (45 C.F.R. §§ 160.103, 164.501)
- The Security Breach Notification Law applies not only to state agencies, but also to private businesses that maintain unencrypted, computerized personal information, including medical information. (Cal. Civ. Code §§ 1798.29, 1798.82, 1798.84) Businesses must notify any California resident of a breach of that information. The benefits of the breach law arise only after your personal information has been compromised, but individuals do have the right to sue (rather than leaving it up to the Attorney General's office) for harm they suffer as a result of the breach. (Cal. Civ. Code § 1798.45) The CMIA also allows statutory damages of $1,000 for a negligent breach of medical information without the need to prove actual harm. (Cal. Civ. Code § 56.36(b)(1))
- Additional data breach protection for medical information applies to clinics, health facilities, home health agencies, and hospices. (Cal. Health & Safety Code § 1280.15) They must take affirmative steps to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information.
Unauthorized access is the "inappropriate review or unauthorized access or viewing of patient medical information without direct need for diagnosis, treatment or other lawful use." (Cal. Health & Safety Code § 130201(e))
Laws to protect the privacy of medical information were strengthened in response to staff snooping in celebrities' records. In addition, clinics, health facilities, home health agencies, and hospices must notify affected patients of a breach and report it to the California Department of Public Health. Fines of up to $25,000 apply for failure to prevent unauthorized disclosure of the information. For more information, see the UCLA Health System Office of Compliance and Privacy advisory notice to faculty, staff, and students about maintaining the confidentiality of patient records and liability for failure to do so.
For more information, CalOHII has a comprehensive list of state laws concerning the privacy of medical information.
A typical medical record includes:
- Your full name and unique identifiers, such as your Social Security number (of which only the last five digits should be shown) and your provider account or other identifying number;
- Basic demographic data such as gender, race or ethnicity, address, phone numbers, email;
- Your personal medical record, including: a history of known medical conditions, prescription allergies, drug/alcohol/smoking habits, and other information. In addition your record will include health care providers' records of your visits, diagnoses, treatments, diagnostic test results, prescriptions, and referrals to other doctors.
- Information about immediate family members, particularly parents and siblings, and a summary of their medical histories, which you typically provide on an intake form.
This information currently exists, for the most part, at the location of each individual health care provider you see, in either paper or electronic form. In the coming years, more and more of this information will be electronic and available for electronic exchange among your health care providers. The goal of electronic health information exchange (HIE) is to create a complete lifetime medical record for everyone. This will not be done by gathering all of your records together in one place or electronic file, but rather by making your records electronically accessible to all permissible health care personnel, wherever those records may be.
For more information on HIE, see California Medical Privacy Fact Sheet C6: Health Information Exchange: Is Your Privacy Protected? 
State Law and Agencies:
To find the full text of California laws, visit www.leginfo.ca.gov .
State of California Office of Health Information Integrity (CalOHII)
1600 9th Street, Room 460
Sacramento, CA 95814
Phone: (916) 651-6907
Email: OHIComments@ohi.ca.gov
Website: www.ohii.ca.gov/calohi/
Office of the Attorney General
California Department of Justice
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244
Phone: (800) 952-5225
Website: www.oag.ca.gov
For More Information on HIPAA:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (866) 627-7748
Website: www.hhs.gov
PRC Fact Sheet 8: Medical Records Privacy
PRC Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age
PRC Fact Sheet 8b: Medical Privacy FAQ
World Privacy Forum's Patient's Guide to HIPAA: How to Use the Law to Guard your Health Privacy
Center for Democracy and Technology: Health Privacy