What information is confidential, what can I safely talk about and expect confidentiality?
Generally, any information, in electronic or in physical form, that could individually identify you (such as name, address, email address, telephone number, or social security number) in connection with your medical information is confidential and may not be disclosed without your authorization unless allowed by law. This could include information held by your physician, your pharmacy, your psychologist or therapist, hospitals or other health facilities, and companies that maintain your medical information for billing, treatment, research or other purposes. There are some exceptions to when your medical information may be disclosed without your authorization, such as for diagnosis and treatment purposes, billing purposes, due to a court order, or other specified purposes (see #4 below).
Examples of medical information that must be held confidential:
- Medical charts or records
- Notes by physicians, nurses, medics, or mental health specialists
- Laboratory results
- Pharmacy information and prescription histories
- Research study information
Who must protect the confidentiality of my medical information?
There are three primary groups that must protect the confidentiality of your medical information:
Health Providers: Any licensed or certified health care professional including the following:
- Chiropractors
- Dentists
- Physicians
- Osteopaths
- Podiatrists
- Nurses
- Vocational Nurses
- Psychologists
- Social Workers
- Acupuncturists
- Midwives
- Psychoanalysts
- Opticians
- Therapists
- Dieticians
- Physician Assistants
- Psychiatric Technicians
- Pharmacists
- Naturopathic Doctors
- Physical Therapists
Health Facilities: Any facility or organization that provides direct medical care, health services or treatment, diagnostic or therapeutic services, preventive or rehabilitation services, and convalescence care. These facilities or organizations may include the following:
- Primary care clinics
- Community clinics
- Free clinics
- Specialty clinics
- Surgical clinics
- Chronic dialysis clinics
- Rehabilitation clinics
- Alternative birth centers
- General acute care hospitals
- Acute psychiatric hospitals
- Skilled nursing facilities
- Intermediate care facilities
- Special hospitals
- Congregate living health facilities
- Correctional treatment centers
- Home health agencies
- Hospices
- Mobile health care units
Other groups that must protect the confidentiality of your medical information may include:
- Entities that arrange for the provision of health care services or pay for or reimburse for those services
- Contractors
- Pharmaceutical Companies
- Businesses organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of an individual.
- Employers
- Individuals
What are the requirements for these individuals and entities in order to disclose my medical information?
Unless a specific exception applies, you must provide written authorization before anyone can use or disclose your medical information. The authorization form must be printed in a font no smaller than 14 point or be handwritten by you, and it must do all of the following:
- Be signed and dated by you or by your representative, spouse, beneficiary, or the financially responsible party.
- State the specific uses and limitations on the types of medical information to be disclosed.
- Name the party that may disclose the medical information.
- Name the party authorized to receive the medical information.
- State the specific uses and limitations on the use of the medical information by the receiving party.
- State the date after which the requesting party may no longer disclose your medical information.
- Advise you of your right to receive a copy of the authorization form.
In addition, if the requesting party wishes to use your medical information for marketing, they must obtain a separate authorization. An authorization “for any purpose” or an authorization for the release of psychotherapy notes may not be combined with any other authorization. Additionally, once your medical information has been disclosed, the receiving party may not further disclose your medical information without first obtaining a new written authorization from you.
When can my medical information be disclosed without my written authorization?
Common circumstances that may allow the disclosure of your medical information without your written authorization include:
- For the purposes of treatment, diagnosis or payment services
- To determine eligibility for benefits or services
- If required by a court order
- If required for a lawsuit, arbitration, grievance, or administrative agency for determining a claim
- When requested in the course of an investigation by the coroner’s office
- For public health purposes or disaster relief efforts
Generally, under these and other circumstances, the disclosure may include only the amount of information needed for the purpose of the disclosure.
For complete information on the circumstances that may allow the disclosure of your information without a written authorization, please refer to California Civil Code section 56.10.
What are the penalties if my medical information is wrongfully used, disclosed or accessed?
If your medical information is wrongfully disclosed, the circumstances of that disclosure will dictate what penalties are available. The distinctions are based on who is seeking the penalty, who made the disclosure, and whether the disclosure was made for financial gain. If the disclosure was for financial gain, the penalties are greater. You have a private cause of action to recover monetary compensation for violations of your medical information privacy. Any administrative penalties brought by state and local authorities are paid to the agency bringing the action.
Private cause of action for violations
You may be entitled to:
- Nominal damages of $1,000, regardless of whether you suffered actual harm;
- The amount of your actual damages, monetary or emotional;
- Punitive damages of up to $3,000;
- Attorney's fees of up to $1,000; and
- Court costs, such as the cost of filing in court.
Administrative fine or civil penalty for any person or entity that unlawfully discloses medical information due to negligence
- Up to $2,500 per violation
- This amount is irrespective of the amount of damages suffered by a patient or patients
Administrative fine or civil penalty for licensed health care professional or provider who unlawfully uses, discloses or accesses medical information
Knowing and Willful Disclosure
- First violation: up to $2,500 per violation.
- Second violation: up to $10,000 per violation.
- Third and subsequent violations: up to $25,000 per violation.
- They are guilty of a misdemeanor for each of the above violations.
Knowing and Willful Disclosure for the Purpose of Financial Gain
- First violation: up to $5,000 per violation.
- Second violation: up to $25,000 per violation.
- Third and subsequent violations: up to $250,000 per violation.
- They also must return any proceeds made from the disclosure.
- They are guilty of a misdemeanor for each of the above violations.
Administrative fine or civil penalty for any person or entity, other than a licensed health care professional or provider, who unlawfully uses, discloses or accesses medical information
Knowing and Willful Disclosure
- They are subject to an administrative fine or civil penalty not to exceed $25,000 per violation.
- They are guilty of a misdemeanor.
Knowing and Willful Disclosure for the Purpose of Financial Gain
- They are subject to an administrative fine or civil penalty not to exceed $250,000 per violation.
- They must return any proceeds made from the disclosure.
- They are guilty of a misdemeanor.
How do these rights and penalties compare to federal law?
The Health Insurance Portability and Accountability Act (HIPAA) establishes standards, requirements, and implementation specifications for entities that transmit health information in electronic form in connection with a covered transaction. In many cases the provisions of HIPAA apply in addition to state law requirements. However, not all providers of health care under the California Confidentiality of Medical Information Act (CMIA) are “covered entities” subject to HIPAA requirements.
Who can I contact if I believe my medical information privacy rights have been violated?
If you believe your medical information has been wrongfully used, disclosed or accessed, please refer to the information below to determine the appropriate authority to contact.
Reporting Incidents Involving Medical Facilities
The Department of Public Health Licensing and Certification Division is responsible for investigating reports of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information involving any facility licensed under Division 2 pursuant to Sections 1204, 1250, 1725, or 1745 of the Health and Safety Code. Such facilities may include the following:
- Primary care clinics
- Community clinics
- Free clinics
- Specialty clinics
- Surgical clinics
- Chronic dialysis clinics
- Rehabilitation clinics
- Alternative birth centers
- General acute care hospitals
- Acute psychiatric hospitals
- Skilled nursing facilities
- Intermediate care facilities
- Special hospitals
- Congregate living health facilities
- Correctional treatment centers
- Home health agencies
- Hospices
- Mobile health care units
If you wish to report a medical information privacy or security incident as described above, please contact the appropriate Department of Public Health Licensing and Certification District Office. To find your nearest District Office, please visit http://www.cdph.ca.gov/certlic/facilities/Pages/LCDistrictOffices.aspx
When contacting the District Office, please be prepared to identify a primary contact person who is familiar with the incident and to provide his or her contact information.
Reporting Incidents Involving Any Other Medical Provider, Business, Entity or Person
If you wish to report a medical privacy or security violation pertaining to any other type of medical provider, business, entity or person, you will need to file a complaint with the District Attorney of the county in which the incident occurred. If more than one county is involved, you will need to file a complaint with the District Attorney of each county involved.
Please note that the California Office of Health Information Integrity (CalOHII) cannot address violation incidents not referred to CalOHII directly from the California Department of Public Health.