Privacy Rights Clearinghouse
- What are your basic rights?
- What are your rights in the event that your medical information is breached?
- What are your rights regarding the sale of your medical information?
- What are your rights regarding marketing and your medical information
- How is PHI used for fundraising?
- Could your medical information be better protected than it is?
You may not have all the rights you would like regarding your own medical information—for example, you may want more control over who can access it. However, you do have some rights. California Medical Privacy Fact Sheet C1: Medical Privacy Basics for Californians introduces the federal regulations and California laws that apply to medical information. California Medical Privacy Fact Sheet C2: Uses and Disclosures of Medical Information—With and Without Consent discusses the ways in which your medical information may be used with or without your consent. This Fact Sheet addresses the rights you have over your medical information, and helps you understand how you may exercise them to take advantage of what the laws allow you.
Perhaps the most important rights you have with regard to your medical information are the ability to access your own records, to amend them, and to receive an accounting of who else has accessed them. For the time being, the original federal HIPAA regulations govern these rights, but they will soon be updated by new regulations based on changes made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Fact Sheet describes both the current rules and the anticipated changes. It also discusses the California laws that give you certain rights concerning your medical information.
a. You have the right to access your own medical records.
California law grants individuals broad general access to their medical records: “The Legislature finds and declares that every person having ultimate responsibility for decisions respecting his or her own health care also possesses a concomitant right of access to complete information respecting his or her condition and care provided.” (Cal. Health & Safety Code §123100) In California you may inspect your medical records within five business days of making a request, and receive copies within 15 business days. The maximum charge for copies is 25 cents per page, or 50 cents per page if the copies are made from microfilm. (Cal. Health & Safety Code §123110)
HIPAA also requires covered entities to provide you with a copy of your medical records (with some exceptions, such as psychotherapy notes) in whatever format you request, within 30 to 60 days of requesting them, for a “reasonable” copying charge, plus postage. Your request may be denied, but you can appeal the denial. (45 CFR § 164.524) Despite the regulation, one of the top five HIPAA complaints to the Department of Health and Human Services (HHS) concerns the difficulty in obtaining copies of medical records.
The HITECH rule changes should reinforce individuals' rights to receive copies of their medical records in the form they request, and extend that right to records kept on paper, as well as electronically.
A good source of information on access to medical records under HIPAA and California law is the Health Consumer Alliance FAQ “Medical Records Access and Privacy in California.”
b. You have a right to request an amendment to your medical records.
If, after you request and review your medical records, you find they contain information about treatments or tests that you believe is incorrect or may not belong to you, HIPAA gives you the right to request an amendment to your records. (45 CFR § 164.526)
California’s Patient Access to Health Records Act (PAHRA) also gives you a right to amend your medical record, and clarifies the procedure for doing it. (Cal. Health & Safety Code §§123100-123149.5) You may submit a written amendment of up to 250 words regarding any item or statement in your records that you believe is incomplete or incorrect, and you may ask to have the amendment included in your record and be disclosed to any third party (such as another doctor or an insurer) that requests your record. The record holder does not have to remove the contested information but adds your amendment and the reason why it is being made.
The Information Protection Act (IPA) gives you the right to amend any personal information (including medical information) held by state agencies. (Cal. Civ. Code §§1798-1798.78) After it receives your request, the state agency has 30 days to either make the correction or deny the request and inform you of your right to a review of that decision. To learn more about your rights under the IPA, including how to request to inspect or amend your records, see the California Department of Health and Human Services (DHHS) publication, “Rights of Individuals Under the Information Practices Act.” 
c. You may request restrictions on disclosure of your medical information.
Under HIPAA, you have at best a nominal right to restrict disclosure of your medical information. In other words, you can ask, but a covered entity has no obligation to comply with your request. (45 CFR § 164.522)
If approved, proposed changes to the regulation will give you the right to restrict disclosure of medical information for the purpose of payment or health care operations (unless disclosure is required by law) if the information relates solely to an item or service that you pay for yourself. Note that the proposed changes apply to payment or health care operations, and not to disclosures for treatment purposes. Several key aspects of this regulation are still undecided. Questions remain about how difficult the regulation may be to administer; whether the covered entity that has the record must inform other providers of your request; and which disclosures are “required by law.”
A provider or health plan must also accommodate a reasonable request concerning how you wish to receive confidential communications about your medical information. That is, you may ask to receive them at a certain address or phone number, or by a specific means, such as U.S. mail, email, or text. You may have to make the request in writing and include alternative choices, and agree to pay any unusual costs, such as courier service charges. (45 CFR § 164.522)
law is silent on a general right to request restrictions on disclosures of your medical information. But in the case of sensitive information such as mental health records, HIV test results, and substance abuse treatment, you may withhold consent to disclosure if no exception applies. For example, results of an HIV test may be disclosed without your consent to your health care providers for the purposes of diagnosis, care, and treatment. (Cal. Health & Safety Code § 120985)
Another exception imposes a duty on mental health professionals to warn potential victims of a danger posed by a violent patient. (Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 (Cal. 1976). Permission to disclose such information, although not the duty to do so, is codified in Cal. Civ. Code §56.10(c)(19).)
d. You have the right to know who has requested and received copies of your medical information.
California law does not address the right to request information about who has requested and received copies of your medical information—known as an accounting of disclosures. Instead, the HIPAA regulations allow for an accounting that goes back for a period of six years prior to the date of your request. However, the right is virtually meaningless since it excludes disclosures for treatment, payment, and health care operations—essentially the only reasons your information would be disclosed. (45 CFR §164.528)
The HITECH Act will remedy the omission of treatment, payment, and health care operations from disclosures that must be accounted for, but it’s not yet clear what the new rule will be. In addition, the issue is contentious enough that this rule will be delayed even longer than the rest of the new rules. It’s expected to shorten the accounting period to three years for all accountings and to contain a list of specific disclosures that require
In 2002, California passed the first security breach notification law in the U.S. In 2008, the law was extended to cover medical records. (Cal. Civ. Code §§ 1798.82 and 1798.29) The HIPAA regulations were silent on breach notification, so prior to the passage of the HITECH Act, California law applied. Interim final breach notification regulations are now in effect (with final regulations expected during 2012), and have more or less caught up with California. Where California law remains stricter is noted below.
A breach is defined as unauthorized access to unencrypted or unsecured information. California law and HIPAA give you certain rights if your identifiable medical information is breached:
- Any covered entity that handles unsecured protected health information must notify you of a breach of that information.
- If a business associate of a covered entity has a data breach, it must notify the covered entity, which must in turn notify you.
- The covered entity must tell you whether your medical information has been disclosed to outside third parties or unauthorized insiders with access.
- Both California law and the HITECH changes to HIPAA (interim final regulations now in effect) require vendors of personal health records (PHRs) to notify customers of breaches of their medical information. (Cal. Civ. Code Section 56.06(a); HITECH Act, Pub. L. No. 111-5, 123 Stat. 226 (2009), 42 U.S.C. §17937)
HITECH also applies breach notification requirements to “other non-covered entities,” such as those offering products and services on a PHR vendor’s website. An example might be an online diabetes or other disease management service available to PHR account holders through the main PHR website. Such services often require consent to share personal
The new regulations call for notifying both affected individuals and the Federal Trade Commission (FTC) of any breach of unsecured identifiable medical information, whenever the information has been acquired without an individual’s consent. For more on the FTC rule, see “FTC Issues Final Breach Notification Rule for Electronic Health Information.”
- Under HIPAA, a covered entity must notify you of a breach without unreasonable delay, but no more than 60 days after the breach is discovered or the covered entity should have known about it.
California law is far stricter: clinics, health facilities, home health agencies, and hospices have only five business days after discovering a breach of medical information to report it to all affected patients. (Cal. Health & Safety Code §1280.15(b)(2))
- California requires detailed breach notices. The notice must include a general description of the incident, type of information breached, date and time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California. In addition, the covered entity must send an electronic copy of the notice to the Attorney General if a single breach affects more than 500 Californians.
Federal regulations require breaches that affect 500 or more people living in the same immediate area to be reported to "prominent local media" and to the Department of Health and Human Services. HHS maintains a current list of these breaches.
- Under California law, individuals have the right to sue either the entity or the person responsible for a breach of medical information. However, proof of actual monetary damage is required. (Cal. Civ. Code § 1782(b)) An example of monetary damage could be that as a result of stress or humiliation resulting from the exposure of your information, you needed medical or psychological treatment or medication.
California law and HIPAA, an attorney general may also bring a lawsuit over a data breach. Even without personal damages, a court may impose civil damages of up to $1000 on a health care provider for each individual whose information was breached, based only on proof that a breach occurred. (Cal. Civ. Code § 56.36)
Personal health information is a valuable commodity. Many businesses are interested in collecting it to profile consumers for targeted marketing, and because of its worth, covered entities may also be motivated to sell personal health information.
California law is vague on the circumstances under which medical information may be sold. It prohibits covered entities from intentional unauthorized sales of medical information "for a purpose not necessary to provide health care services to the patient." (Cal. Civ. Code § 56.10(d)) However, there is no guidance as to what "necessary" and "health care services" mean in this context. It is up to the covered entity to interpret, and this seems to leave the door open for sales.
Proposed changes to HIPAA require your authorization before a covered entity may receive any direct or indirect payment for your medical information. But, as always, there are exceptions. Under the current rule they include:
- permitted public health activities;
- certain kinds of research, but the price of the information must reflect the actual costs of preparing and transmitting the data (in other words, it cannot be sold for profit);
- your treatment as a patient—a potentially vast exception that needs further regulation, for example, what constitutes “treatment” and is there any limit to the products or services that are necessary for treatment;
- when a covered entity that has your medical information is sold, transferred, merged, or consolidated with another covered entity;
- when a covered entity pays a business associate for activities that the business associate conducts on its behalf—for example the business associate is a billing service that bills you on behalf of a health care provider; and
- what a covered entity charges for providing you with a copy of your medical information.
The new rules on the sale of your medical information will likely add exceptions for cost-based payments that cover the expense of preparing and transmitting the information for disclosures required by law or for any other permitted purpose.
Federal regulations on sales of PHI are not yet final, but you can find a readable summary of the proposed rules in an article titled, “OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules to Implement HITECH Act,” Part 3 “Restrictions on the sale of PHI.”
Ideally, the final regulations will create a strong prohibition on actual sales of medical information while permitting reasonable payments for legitimate uses, including public health and research, patient care, and data collection for quality improvement purposes. One regulatory shortcoming is already clear: there is nothing in the rules about auditing sales of medical information, nor is there any kind of enforcement or penalties for violations.
Selling your information for marketing purposes can be a factor in a covered entity's economic well-being. There is a great demand from health care products and services marketers for information that lets them target people as individually as possible. In the context of health care, this might mean targeting people by a disease or condition they may have.
California has somewhat stronger and less muddled protections than the federal HIPAA regulations. In California, a covered entity needs your written authorization to use medical information for marketing purposes, and must give you clear notice of how the information will be used and shared. (Cal. Civ. Code § 1798.91) Covered entities are generally prohibited from disclosing medical information for unauthorized marketing communications paid for by third parties. An example of this could be prescription-refill reminders when a pharmaceutical company pays your pharmacy to send them.
The Confidentiality of Medical Information Act (CMIA) does permit unauthorized marketing communications in certain situations:
- when the communication is not compensated either monetarily or with other economic benefits such as gifts;
- when the communication is made to health plan members about plan benefits or services, or about the availability of more cost-effective prescription drugs;
- when a communication is specifically tailored to an individual to advise or educate about treatment options. If the communicator receives any form of payment, it must clearly disclose this to the individual in the communication. In addition, the communicator must notify of the source of the payment, and it must give the individual the ability to opt out of future communications.
(Cal. Civ. Code §§ 56.05(f), 56.10)
When you think about the personal information a marketer needs to tailor a message specifically to you, the last exception is troubling, even though you must be told of your right to opt out.
Just as California law struggles to balance individual privacy and control of medical information against the need for valid communication with patients, the HIPAA regulations try to maintain a similar equilibrium. HIPAA defines a marketing communication as "a message about a product or service that encourages you to buy or use" it. 45 CFR § 164.501. As with California law, prior written authorization is required.
However, the exceptions in HIPAA are broader than under California law. They do not consider the following to be "marketing" and therefore allow unauthorized paid communications for: 1) a covered entity pitching its own health care products or services; 2) treatment purposes; and 3) case management or care coordination, or to recommend alternative treatments, therapies, health care providers, or settings of care. (45 CFR §164.501)
The reasoning behind the above HIPAA exceptions is that they are treatment or health care operations. However, terms like "treatment", "case management", and "care coordination" lack clear definitions. This means you may receive unauthorized communications that look like marketing to you but fit into one of the exceptions.
Also, while HIPAA does not allow covered entities to sell medical information to third parties for marketing purposes, the same third parties can pay a covered entity to send marketing communications on their behalf, as long as they conform to one of the exceptions above. For example, a Medicare + Choice or other managed care organization could not sell your information directly to a health and fitness club, but it could offer you a free or discount membership at such a club, in a communication the club pays for, without your authorization.
HITECH attempts to narrow HIPAA's loopholes by calling any communication paid for by a third party marketing, even if it would otherwise qualify as an exception. But then, HITECH seems to toss the third-party payment restriction out the window by creating three new exceptions for paid marketing communications (42 U.S.C. §17936):
- messages that describe a drug or biologic (a product made from biological rather than chemical processes, such as a vaccine, gene therapy, or blood for a transfusion) that you have previously been prescribed, so long as the amount of the payment is "reasonable";
- you have previously authorized marketing communications; or
- a business associate of the covered entity makes the communication under its business associate agreement.
You should carefully read and make sure you understand any authorizations you are asked to sign. You should also exercise your rights under California law to opt out of "specifically tailored" marketing communications if you do not want to receive them. Make sure you know whether you are giving your consent or your authorization.
Consent means that you have received, read, and signed (or not) a notice about the uses and disclosures of your protected health information for treatment, payment, and health care operations. An authorization is your signed and dated permission to use and disclose your medical information. If you are providing an authorization, find out whether it is limited in scope and duration or very generalized and open-ended. Do you have the right to opt out of the agreement if you change your mind?
Remember, too, that there are other ways for marketers to obtain medical information pertaining to you, if not your entire record. Unfortunately, these are generally beyond the reach of state and federal privacy protections. Selling or renting specialized consumer profiles is a big business, and includes lists that categorize people by disease or diagnosis. Since your health care providers are legally prohibited from selling or giving personal health information to list brokers, you may well be the source yourself.
It is almost impossible not to create a personally identifiable profile of yourself as a consumer in the digital world where personal information is a commodity. You may have a profile based on medical information you have given up just by being curious or buying something you need or want, or by sharing data from mobile applications that monitor health and fitness. For more information, see California Medical Privacy Fact Sheet C2: Uses and Disclosures of Medical Information—With and Without Consent.
There is no one convenient way to remain anonymous and unprofiled short of giving up both credit cards and the Internet. Therefore, it is best to be cautious about what information you give out and to whom. If you read or ask about the
have a better idea of whether you want to proceed.
California law is silent on the use of medical information for fundraising by health care providers, which generally means hospitals, so HIPAA applies. HIPAA considers fundraising to be a health care operation. A covered entity may use your demographic information and medical appointment dates—but not treatment information—to fundraise without your authorization.
A covered entity may also share this information with a business associate or a related foundation (for example, many hospitals have related but separately incorporated nonprofit foundations that fundraise on their behalf.) (45 CFR § 164.514(f)) A fundraising communication must allow you to opt out, but the fundraiser has to use only "reasonable efforts" to honor your request. You may not be denied health care or insurance coverage if you choose to opt out of receiving fundraising communications.
Since fundraising is often contracted to third parties outside of the healthcare system—that is, to business associates—it would help if the requirements that limit the types of data used for fundraising were better enforced to prevent improper use of medical information. In that way you might be reassured that you were not being targeted by a fundraising campaign for a new oncology wing because the fundraiser has information that you have been treated for cancer.
California laws and HIPAA help bring greater transparency, privacy and security protection, and enforcement to the complex flows of medical information that characterize the modern healthcare industry. However, more is needed.
For example, while HIPAA requires business associates to destroy or return "as nearly as feasible" all protected health information they create or receive from covered entities when the business associate agreement ends, this requirement is not audited for compliance. And, although states have different record-retention requirements and other laws concerning returning data files or destroying data, there should be limits on the length of time that contractors and business associates may retain medical information for any purpose not directly related to treatment.
Health care providers typically assert that they take patient privacy very seriously. However, numbers tell a different story. Since all data breaches involving 500 or more records started being reported to the U.S. Department of Health and Human Services in February 2012, almost 31,000 breaches have occurred, involving at least 8 million individual records.
According to a PricewaterhouseCoopers survey of 600 hospital executives released in September 2011, 66 percent of the total reported healthcare breaches in the two years preceding the survey were due to the theft of portable media (primarily of laptops, storage devices, backup drives, and mobile devices), and 40 percent of providers surveyed reported an incident of improper internal use of health information by employees with access to it.
A December 2011 survey by the Ponemon Institute (requires giving personal information to download) finds an increase in medical data breaches since 2010, with a rise in errors by business associates and growing use of unsecured mobile devices (such as laptops, tablets, and smartphones). This trend already has its own acronym—BYOD, or bring your own device. Another privacy and security problem on the horizon for medical information (along with every other kind of information) is cloud storage, which presents issues of who controls the data and what they may do with it, as well as how secure it is.
Clearly, those who control and maintain healthcare records have a long way to go with such basic privacy and security-enhancing practices as accounting for mobile devices, employee education, facility security, real-time system auditing, and encryption, for a start.
California Information Practices Act: to learn more about the IPA and how to request information, see the California Department of Social Services pamphlet, “Rights of Individuals under the Information Practices Act,” at http://www.dss.cahwnet.gov/pdf/ipaattachment1.pdf
California Patient Access to Health Records Act: to learn more about PAHRA and how to request information, including a complaint form if you have problems with your request, see the Medical Board of California’s website. www.mbc.ca.gov/consumer/access_records.html
For a detailed, practical, and easy to read guide to getting and amending your medical records in California: “Your Medical Rights in California,” by Joy Pritts, Georgetown University Health Policy Institute. http://ihcrp.georgetown.edu/privacy/stateguides/ca/caguide5.html
For more on the FTC Breach Notification Rule, see “FTC Issues Final Breach Notification Rule for Electronic Health Information.” http://www.ftc.gov/opa/2009/08/hbn.shtm
For information about your rights under HIPAA and how to exercise them:
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C., 20201
Phone: (866) 627-7748
Web: http://www.hhs.gov/policies/#laws
Department of Health and Human Services, Breaches Affecting 500 or More Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
The World Privacy Forum has a very readable “Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy.” www.worldprivacyforum.org/hipaa/index.html
The Center for Democracy and Technology provides extensive information about medical privacy, with many practical tips on how to exercise your legal rights concerning your medical information: http://cdt.org/issue/health-privacy