Privacy Rights Clearinghouse
- Individual medical information collected for public health purposes
- Medical information disclosed for research purposes
- California's health benefits exchange - will it collect individual medical information?
- Are there any privacy protections for medical marijuana purchases?
- Do standard medical privacy laws apply to urgent care centers?
- Do privacy protections exist when you share medical information to receive a special benefit, discount, or license?
It's common to think about your medical information only within the context of your own health care. However, medical information can circulate well beyond treatment while still falling within the protection of the law. Alternatively, there are many situations where health privacy or other privacy laws will not apply. This Fact Sheet covers some of the less obvious protected and unprotected uses of medical information.
The basic federal law that protects the privacy of medical information is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA applies to “covered entities” that directly handle Protected Health Information (PHI). It also applies to the “business associates” that covered entities contract with to handle PHI. Common examples of covered entities are hospitals, doctors and health insurers. A business associate might be an office management or data storage service. “Covered entity,” “business associate,” and PHI are defined at 45 CFR § 160.103.
In California, the Confidentiality of Medical Information Act (CMIA) offers additional protections. For more information about how HIPAA and the CMIA work together, see PRC's Fact Sheet C1: Medical Privacy Basics for Californians.
Both HIPAA and California law attempt to balance individual privacy rights with the need to protect public health. (See 45 CFR § 164.512(b)(1)(i); Cal. Health & Safety Code § 120130). Public health authorities (such as the Centers for Disease Control and Prevention, the Food and Drug Administration, and your state and local health departments) and other government agencies (such as law enforcement) monitor disease and health safety issues and intervene on behalf of the public in certain situations. To carry out their functions, they need access to individual medical information.
a. Types of public health reporting
i. Mandatory reporting
There are times when covered entities are required by law to report health information. Federal and state government agencies need this information to monitor community health at local, state, and national levels. In addition, agencies use the information to monitor and measure the effectiveness, accessibility, and quality of available health services.
Under federal law, some examples of mandatory reporting include: births and deaths; child or elder abuse; and data required for public health surveillance, investigations, or interventions. (45 CFR § 164.512(b)(1)(i)). The California Department of Public Health website links to several lists of mandatory Reportable Diseases and Conditions in the state.
If you are interested in the history of mandatory public health reporting, see Appendix A of the American Health Information Management Association (AHIMA) publication, "Mandatory Reporting—Balancing Patients' Rights with Public Health Interests."
ii. Permitted (or "notifiable") reporting
There are times when covered entities may disclose information without your authorization to support public health surveillance. Officials request that healthcare providers report information so they may detect unusual occurrences of diseases, monitor trends, and evaluate the effectiveness of interventions.
The Centers for Disease Control (CDC) publishes the "Morbidity and Mortality Weekly Report (MMWR)" about health and behavioral trends and statistics. The CDC website has more information on the National Notifiable Diseases Surveillance System and the current list of notifiable (permitted) diseases to be reported.
One example of public health reporting for health surveillance is disease registries that provide epidemiological data such as the National Cancer Institute's Surveillance, Epidemiology, and End Results (SEER) program. It collects cancer data from around the U.S. to:
- estimate regional cancer trends and mortality rates;
- identify unusual appearances of or changes in certain forms of cancer in population subgroups;
- produce current information on clinical presentation (what makes a cancer identifiable) and modifications in therapy and their effect on survival; and
- promote studies to identify when cancer control interventions, such as recommended screening practices like a colonoscopy, prostate exam, pap smear, or mammogram, may be effective.
A public health disclosure of individual health information may also occur when a health care provider is legally authorized to notify individuals at risk of contracting or spreading a disease or condition. For example, an individual who tests positive for HIV will be asked for the names of others whom he or she might have exposed to the disease. The provider will notify those individuals. (45 CFR § 164.512(b)(1)(iv)) Under California law, a physician who reports a patient’s positive HIV test results to someone she believes is the patient’s sexual partner, or with whom she believes the patient has shared needles, may not be held liable for the disclosure. (Cal. Health & Safety Code § 121015)
b. Does the law protect your health information when it is used for public health purposes?
The answer is that it really depends on who your health care provider shares the information with. The notice of privacy practices you receive from your health care provider will inform you that the provider does not need to get your written permission to disclose your information for public health purposes.
If the public health authority that receives your information is also a covered entity, the HIPAA Privacy Rule will apply. (45 CFR § 164) If it is not a covered entity, the public health authority's data practices will be subject to whichever laws, regulations, and policies apply to it. For example, if the Food and Drug Administration (FDA) receives information on salmonella cases from health care providers, the laws and regulations governing the FDA's privacy and security practices will apply rather than HIPAA. (21 CFR, Part 21)
Unless specific rules and regulations govern the privacy practices of a public health authority receiving your information, the only privacy protection built into public health reporting is the "minimum necessary" standard. In other words, covered entities are supposed to limit the information they disclose to public health authorities to the minimum amount necessary to accomplish the public health purpose.
Health care providers may develop their own policies and procedures for the minimum necessary information required for a specific purpose. Examples of mandatory disclosures where the "minimum necessary" may apply are:
- births and deaths (reported to state vital statistics agencies);
- gunshot wound treatment (reported to law enforcement);
- suspected child and elder abuse (reported to law enforcement and social welfare agencies);
- industrial accidents (reported to CalOSHA); and
- certain poisonings, abortions, cancer cases, and communicable diseases.
(45 CFR § 164.514(d)(3)(i))
When a public health authority requests information—for example to monitor a disease outbreak or investigate a food or product safety issue—it determines the minimum necessary information it needs. (45 CFR § 164.514(d)(3)(iii)(A))
c. Public health reporting and health information exchange (HIE)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires health care providers to begin implementing electronic health record systems (EHRs) and start meeting public health reporting requirements electronically. (42 U.S.C. § 139 w-4(o)(1)(A)(i)) This information may include laboratory, immunization, and syndromic surveillance reports. These are real-time reports about disease outbreaks that monitor the need for public health intervention.
Electronic health information exchange (HIE) makes it easy to collect large amounts of data. As it becomes easier and more efficient to collect and share health information, public health organizations will likely have unprecedented access to population health data. With this access, the organizations may have the opportunity to use data in new ways.
With HIE, public health organizations may also be able to enhance their existing data uses, such as:
- addressing disparities in population health and in health care delivery—for example, between urban and rural health care delivery, or differences by race, ethnic group or income level;
- improving care for chronic diseases like cardiovascular disease, asthma, and diabetes;
- improving public health surveillance in ways such as better monitoring of flu epidemics and verifying whether vaccines are working;
- improving monitoring of priority public health issues such as cancer screening (for example, measuring the impact of mammograms, colonoscopies, and prostate exams on disease rates);
- expanding disease registries to produce better statistical information (for example, for screening and managing chronic diseases like diabetes and AIDS);
- communicating public health alerts.
As electronic reporting generates more data, public health organizations and private researchers may start asking for more access to the information. For instance, public health agencies may want to expand the lists of mandatory and permitted reportable information and expand access to this information.
If, or when, this happens, the question arises as to whether these agencies must publish notices of any proposed changes in the Federal Register and solicit public comment. Because the reporting regulations are already codified, modifying them should require public notice and comment. (45 CFR § 164.512) Unfortunately, the Federal Register is not the most consumer-friendly document or website, so you may want to periodically ask your health care provider if and how her reporting requirements have changed.
HIPAA and the CMIA both address how medical information may be shared and used for research purposes. However, different laws will apply when research is conducted on human subjects because of the ethical concerns it raises.
HIPAA requires researchers to obtain authorization to use your identifiable medical information for research purposes. You must give your signed permission stating that the researcher may use your information, but only for a specific project described in the agreement and only until the project's stated expiration date.
Researchers may obtain a single authorization for both "conditioned" research (where treatment in a clinical trial is conditioned on receiving your authorization) and "unconditioned" research (research not related to treatment). Authorizations may be for a specific study, or encompass a range of future research projects if the authorization you are asked to sign adequately describes such research.
You may have additional protections when researchers use your identifiable information, but it will depend on specific regulations governing the agency responsible for the data. For example, the Agency for Healthcare Research and Quality (AHRQ) funds and oversees a great deal of health research by public and private organizations. AHRQ, its contractors, and its grantees may only use identifiable data for the specific purpose to which you have consented. (42 U.S.C. § 299c-3(c))
Your medical information may be used for research without your consent in the following situations:
- The medical information has been de-identified according to HIPAA standards. This means that 18 specific identifiers have been removed—including name, Social Security number, photos, and unique characteristics. When information has been de-identified according to this standard, there are no limits on how it may be used and disclosed. (45 CFR § 164.514) However, there is nobody certifying or monitoring whether the standard has been met.
- It is a limited data set, meaning that most identifiers are removed. However, the data set may still include dates of admission or discharge from a hospital; dates of medical treatment; date of birth and death; age (including 90 or older, which would limit the population pool from which the data could be re-identified); and a five-digit ZIP code, along with state, county, city, or precinct, but not your actual street address. The researcher and your health care provider—but not you—must also have a written agreement that covers all permitted uses of the data. (45 CFR § 164.514)
- The Institutional Review Board (IRB) (an independent ethics board) or Privacy Board has determined that the project presents minimal risk to privacy, that procedures are in place to protect identifiable information, and that the research could not be done without identifiable information. (45 CFR § 164.512(i)(1)(i))
See the HHS publication "Research" for more information on how the HIPAA Privacy Rule applies to research.
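The two tiers described above, a "limited data set" and fully de-identified data, differ mainly in how much date, age and geographic detail survives. The following Python example is added here to make that difference concrete; it is not code from Privacy Rights Clearinghouse or from any regulator. The patient record is constructed and fictitious, the identifier lists are a hypothetical subset of the 18 safe-harbor identifiers rather than the complete regulatory list, and the three rules it applies for the de-identified tier (dates reduced to the year, ages over 89 reported as "90+", ZIP codes truncated to three digits, or "000" for low-population areas) come from 45 CFR § 164.514(b)(2), not from this fact sheet. It also includes a self-check for leftover direct identifiers, since, as the text notes, nobody else certifies that the standard has been met.

```python
"""Limited data set versus safe-harbor de-identification (illustrative).

Added example, not the fact sheet's own material. The record below is
constructed; identifier field names are hypothetical.
"""
from datetime import date

# Constructed, fictitious sample record for demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "photo_id": "img-0001.jpg",
    "street_address": "123 Example St",
    "city": "San Diego",
    "county": "San Diego",
    "state": "CA",
    "zip": "92101",
    "date_of_birth": "1920-03-15",
    "admission_date": "2013-06-02",
    "discharge_date": "2013-06-05",
    "diagnosis_code": "J18.9",
}

# Direct identifiers stripped in BOTH tiers. Hypothetical subset; the full
# list of 18 identifiers is in 45 CFR 164.514(b)(2).
DIRECT_IDENTIFIERS = frozenset({"name", "ssn", "photo_id", "street_address"})

# Retained in a limited data set but generalized or dropped under safe harbor.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})
SUB_STATE_GEOGRAPHY = frozenset({"city", "county"})


def _age_on(dob_iso: str, as_of_iso: str) -> int:
    """Whole years elapsed between an ISO date of birth and a reference date."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def limited_data_set(record: dict, as_of_iso: str) -> dict:
    """Drop direct identifiers; keep exact dates, 5-digit ZIP, city/county
    and exact age, as the fact sheet describes for a limited data set."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age"] = _age_on(record["date_of_birth"], as_of_iso)
    return out


def safe_harbor(record: dict, as_of_iso: str,
                low_population_zip3: frozenset = frozenset()) -> dict:
    """Safe-harbor style de-identification (45 CFR 164.514(b)(2) rules):
    dates reduced to year, ages over 89 aggregated to "90+", ZIP kept to
    three digits (or "000" when that area has 20,000 or fewer people),
    and any geography smaller than state removed."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in SUB_STATE_GEOGRAPHY}
    for field in DATE_FIELDS:
        if field in out:
            out[field.replace("date", "year")] = out.pop(field)[:4]
    age = _age_on(record["date_of_birth"], as_of_iso)
    out["age"] = "90+" if age > 89 else age
    zip3 = out.pop("zip")[:3]
    out["zip3"] = "000" if zip3 in low_population_zip3 else zip3
    return out


def remaining_direct_identifiers(record: dict) -> set:
    """Self-check: which direct-identifier fields are still present."""
    return set(DIRECT_IDENTIFIERS & record.keys())


if __name__ == "__main__":
    for label, fn in (("limited data set", limited_data_set), ("safe harbor", safe_harbor)):
        result = fn(SAMPLE_RECORD, "2013-06-05")
        print(label, result, "leftover:", remaining_direct_identifiers(result))
```

Running the block shows the limited data set still carrying the 1920 birth date, the exact admission and discharge dates and the full ZIP, which is why the text says such a set requires a written data use agreement, while the safe-harbor output keeps only years, "90+" and "921". The self-check is deliberately narrow: it only catches fields named in the hypothetical list, which mirrors the real-world gap that free-text notes and unusual identifiers are not caught by a field-name filter.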
California's Confidentiality of Medical Information Act (CMIA) allows disclosure of individual medical information for bona fide research purposes to public agencies, clinical investigators (including those conducting epidemiologic studies), health care research organizations, and accredited public or private nonprofit educational or health care institutions. The CMIA prohibits disclosure beyond the purpose of the research in any way that would reveal the identity of a subject. (Cal. Civ. Code § 56.10(c)(7))
c. Research on human subjects
Research that is conducted on human subjects is another matter. Separate federal regulations govern biomedical and behavioral research ethics. These include "The Common Rule" and the Food and Drug Administration's (FDA) regulations on protecting human subjects. (The Common Rule, 45 CFR § 46(A); the FDA regulations are at 21 CFR §§ 50, 56)
Research on human subjects requires authorization and informed consent. In other words, you must sign an agreement and have the information you need to understand the research project. In particular, you must understand the risks and benefits of the project.
An informed consent agreement must tell you:
- the purpose of the research;
- the procedures involved;
- alternatives to participation (for example, is there a non-experimental drug or treatment available for the condition being studied?);
- all foreseeable risks and discomforts, including physical injury, and possible psychological, social, or economic harm, discomfort, or inconvenience;
- possible benefits of the research to you and society;
- how long you are expected to participate;
- a contact for answers to questions and in case of a research-related injury or emergency;
- that participation is voluntary and there are no consequences or possible loss of any benefits you are entitled to receive if you do not participate;
- your right to confidentiality; and
- your right to withdraw at any time without consequences.
An IRB, also known as an independent ethics board, may waive one or more of these requirements if it would make the project impractical or impossible to do. An IRB may also waive a requirement if it does not apply to a particular project.
The California Attorney General's Office has an "Experimental Research Subject's Bill of Rights" that replicates the federal informed consent requirements. (See also Cal. Health & Safety Code § 24172)
If you ever consider participating in a medical study or clinical trial, you may want to read more about how your information may be used and any rights you have. HHS has a publication on the Common Rule as it applies to research titled "Federal Policy for the Protection of Human Subjects ('Common Rule')."
The National Institutes of Health (NIH) compares the HIPAA research requirements to the HHS and FDA regulations for the protection of human subjects: "How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?" The University of Southern California also has a very readable pamphlet titled "Informed Consent in Human Subjects Research."
The Affordable Care Act (ACA) is also known as the Patient Protection and Affordable Care Act (PPACA) or, more familiarly, "Obamacare." A key component of the Affordable Care Act (ACA) mandates that all adults purchase health insurance (either from a state-operated exchange or from a private insurer outside the exchange) or pay a tax penalty for failing to do so. Children may be covered under their parents' policies until age 26.
State-run insurance exchanges will facilitate this initiative, and are scheduled to begin operating in 2014. Not all states will have an exchange, but California will. A health insurance exchange is not a “covered entity” and is not covered by HIPAA or the CMIA. However, the exchange will collect considerable personal information, including your name, address, Social Security number, financial information, immigration status, and incarceration status. Your SSN, which is also your tax ID number, will be used to determine if you are already the beneficiary of another government-funded health plan (such as Medicare, Medicaid, or Veterans Affairs) or if your income qualifies you for a government subsidy to help pay for your insurance.
The ACA’s privacy and security framework for the exchanges limits data collection “to the information strictly necessary to authenticate identity, determine eligibility, and determine the amount of the credit or reduction.” It limits the use of information collected to the purposes necessary to operate the exchange, and restricts the collection, use, and disclosure of SSNs. (ACA, Pub. L. 111-148, § 1411)
In addition, the Department of Health and Human Services (HHS) has released regulations (at 45 CFR § 155.260) for implementing ACA § 1411 that mandate:
- privacy and security standards consistent with Fair Information Practices applied to data the exchanges collect, including that it be used only for the purpose it was collected;
- financial penalties for knowing or willful disclosure of information for purposes other than those necessary for the operation of the exchange;
- implementation of operational, technical, administrative, and physical safeguards to protect the privacy and security of the information;
- personal information shared with other federal or state agencies for purposes of eligibility determination must meet the federal and state privacy and security requirements for those agencies (for example, the IRS, Medi-Cal, the Healthy Families Program, Access for Infants and Mothers); and
- other standards based on Fair Information Practices, including providing individuals with the rights to access and correct their data, openness and transparency about an exchange’s operations, limits on collection and use of data, and requirements to maintain complete and accurate data.
California's Health Benefits Exchange, called Covered California, is already well into the planning stage and is expected to begin operations on schedule in January 2014. Its goal is to have a website where individuals can easily compare the benefits and costs of different commercial health insurance plans and enroll in the one they choose.
Because the ACA eliminates pre-existing medical conditions as a disqualifying factor for health insurance, you should not have to authorize disclosure of your medical records when you apply. Insurers participating in Covered California will underwrite individual health plans based on an applicant’s age, family size, ZIP code, and tobacco use.
Covered California or the insurer will also collect the other personally identifying information and status information noted above to help determine eligibility for benefits and for subsidies to help pay for your insurance. For example, you may be ineligible because you already receive benefits under Medicaid or Medicare, because you are incarcerated, or because you are not a legal immigrant; or you may be eligible for a full or partial subsidy based on your income.
Since the health benefits exchange is a state agency, California's Information Practices Act (IPA) will regulate its use of personal information. (Cal. Civ. Code §§ 1798-1798.78) The IPA:
- requires that personal information be collected directly from the individual whenever possible;
- limits collection of data to an agency's legitimate uses or purposes for the data; and
- prohibits disclosure of individually identifiable data without consent, unless the disclosure falls under one of 21 exceptions. (Cal. Civ. Code §§ 1798.24(c), 1798.24a and 1798.24b)
The federal Privacy Act of 1974 will also apply to the exchange’s collection and disclosure of personal information.
In addition, the ACA Patient’s Bill of Rights helps consumers understand how they will benefit from the changes the ACA brings to the universe of health insurance. Provisions include:
- no underwriting based on pre-existing medical conditions,
- no policy rescissions or lifetime caps on benefits, and
- state review of premium increases.
To learn more about the status of the California health benefits exchange, see the Center for Democracy and Technology report, "Privacy and Security Protections for Personal Information in California's Health Benefit Exchange." Keep in mind that this is an early study of an evolving project.
The sale of marijuana for medical purposes is legal in California. It remains illegal under federal law for any purpose, and the Department of Justice has been vigorously enforcing federal law.
Medical marijuana was legalized in California in 1996 by Proposition 215, the Compassionate Use Act. (Cal. Health & Safety Code § 11362.5) The Department of Public Health Medical Marijuana Program's website provides extensive information about all aspects of the program, including links to advocacy groups. According to its FAQ, all patient information that is collected when you apply for a medical marijuana ID card is covered under HIPAA and cannot be released without either your written consent or a court-issued subpoena. Because the sale and use of marijuana remain illegal under federal law, however, the application of HIPAA to such information would undoubtedly be challenged by federal authorities in any proceedings or litigation involving medical marijuana.
The state Medical Marijuana Application database does not contain personal information such as name, address, or Social Security number. It has only a digital photograph of the cardholder, the expiration date of the ID card, the county where the card was issued, and a unique number that enables a seller to validate the card. These are also the only data on the cards themselves.
Registration for a medical marijuana ID is done at the county level, and most counties will retain the ID card application paperwork. These records are sealed for privacy and may only be obtained by subpoena.
The state ID card program itself is voluntary, although having one may aid an individual arrested for purchase or possession. As long as a licensed physician recommends marijuana, the Compassionate Use Act makes a medical defense available to patients facing some marijuana charges.
Of course, if you purchase medical marijuana with a credit card, you cannot completely restrict that transaction information from being shared. However, this may no longer present a privacy problem because Visa and Mastercard both stopped allowing medical marijuana purchases. See Privacy Rights Clearinghouse's Fact Sheet C8: Medical Information Covered by Laws Other than HIPAA, Section 2: Financial records containing medical information.
Urgent care centers are private health care businesses that function as a cross between a walk-in clinic and an emergency room for problems that are not life threatening. For example, someone who arrives at an urgent care center with a rash or a broken wrist would be treated; someone with a gunshot or knife wound would be sent to an emergency room.
Urgent care centers are staffed by licensed physicians, nurses, nurse practitioners, and physician's assistants. Lack of access to primary care and long waits for appointments have contributed to the rapid growth in urgent care centers as a complement to standard health services. However, urgent care centers cannot do everything a primary facility such as a hospital can do in terms of treatment.
Urgent care centers are health care providers, so they are considered to be "covered entities" under HIPAA. They are governed by the usual laws regulating medical practices and premises, including HIPAA and the CMIA. The only, and unlikely, situation in which an urgent care center might not be a covered entity is if it does not transmit any medical or billing information electronically. Otherwise, your treatment records at an urgent care center have the same privacy protections as they have at any other regulated health care facility. The Urgent Care Association of America's (UCAOA) notice of privacy practices is HIPAA compliant.
More information on urgent care practice is on the UCAOA's website.
Many public agencies offer discounts and special benefits to disabled individuals. These might include transit passes, hunting and fishing licenses, and state park admission passes, among many others. To qualify, an applicant generally must fill out an application that summarizes (sometimes from a checklist, sometimes in writing) the impairment that entitles him or her to a discount or service, and he or she must have a licensed health or behavioral practitioner sign to certify the claim.
Some California benefits, for example to receive a disabled parking placard, require additional descriptive information about the qualifying disability from a health care practitioner as part of the application.
a. Information you provide to a California state agency
As long as the information is provided to a state agency, it is protected by California's Information Practices Act (IPA). (Cal. Civ. Code § 1798 et seq.) This act protects personal privacy by limiting how much information an agency can collect, maintain, and distribute. It gives you the right to review your personal information in state agency records, request changes to inaccurate or irrelevant information, and obtain an accounting of who has accessed the information. The Department of Social Services has a pamphlet explaining the IPA.
b. Information you provide to a local government agency
c. Information you provide to a private business or nonprofit
If you apply to a private business or nonprofit for a benefit or discount based on a disability, the privacy of any medical information it collects from you depends on the policy of the company or organization, unless other laws apply.
If you must give up medical information to obtain a benefit or discount, it is always a good idea to ask what privacy protections apply to the information, if any.
Privacy protections for identifiable medical information vary considerably depending on who is collecting it and for what purposes. The best practice for consumers is to be mindful of the context in which you are providing information. It’s best to ask whether HIPAA, the CMIA, or any other state or federal information protection laws cover your data if the circumstance is outside of traditional healthcare.
Federal laws and resources
For More Information on HIPAA:
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (866) 627-7748
Website: www.hhs.gov
To file a complaint about a HIPAA violation
Regional offices of the HHS Office for Civil Rights
See www.healthcare.gov/law for information about the Affordable Care Act.
The full text of the Privacy Act of 1974 is available here: http://www.justice.gov/opcl/privstat.htm
Centers for Disease Control and Prevention
Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age
Fact Sheet 8b: Medical Privacy FAQ
California laws and resources
To find the full text of California laws, visit www.leginfo.ca.gov.
California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code §§ 56-56.37)
California Information Practices Act (Cal. Civ. Code §§ 1798 -1798.78)
California Compassionate Use Act (Cal. Health & Safety Code § 11362.5)
Department of Public Health: Reportable Diseases and Conditions
Health Benefits Exchange