California Confidentiality of Medical Information Act
When questions arise around the confidentiality of patient records and other healthcare information, providers typically invoke HIPAA– the federal Health Insurance Portability and Accountability Act of 1996, which establishes standards for the privacy and security of protected health information. However, HIPAA regulations do not cover all aspects of patient confidentiality, and the rules only apply to “covered entities” who perform certain electronic transactions (although virtually all providers fall into this category).
Most importantly, to the extent that state law addresses the same issues as HIPAA, the more “controlling” or limiting law applies. It is therefore important for healthcare providers to be acquainted with the requirements of state confidentiality laws, in addition to HIPAA requirements, and to understand where state law may be more restrictive.
In California, the California Confidentiality of Medical Information Act (CMIA) defines who may release confidential medical information, and under what circumstances. The CMIA also prohibits the sharing, selling, or otherwise unlawful use of medical information. The full text of the CMIA can be found at California Civil Code §§56 et seq.
In general, the CMIA prohibits health care providers, health care service plans, contractors, and pharmaceutical companies from disclosing patient medical information without first receiving a valid written authorization signed by the patient or the patient’s legal representative.
Under the CMIA, medical information is defined as: “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”
Individually identifiable is defined as: medical information that “. . .includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”
Valid authorization required
The CMIA imposes requirements on the written authorization used for disclosure of medical information:
- authorization must be either handwritten by the individual who signs the document (the patient or their representative), or printed in a minimum of 14-point type
- authorization language must be clearly separated from any other language on the same page
- patient’s signature must “serve no other purpose than to execute the authorization”
- authorization form must be signed and dated.
The authorization must specifically include the following:
- the specific uses and limitations on the types of medical information to be disclosed
- the name or functions of the health care provider, health care service plan pharmaceutical company, or contractor that is being allowed to disclose the information pursuant to the authorization
- the names or functions of those persons or entities authorized to receive the information
- the specific uses and limitations on use of the information by the authorized recipients
- the expiration date of the authorization
- notice that the signer is entitled to a copy of the form
Only the following individuals are allowed to sign the authorization:
- the patient
- the patient’s legal representative, if the patient is a minor or incompetent (unless the minor could give legal consent to the care and treatment which is the subject of the information, in which case the minor must give written authorization)
- the patient’s spouse or other financially responsible person, but only for the purpose of processing an application for dependent health care coverage and the patient will become an enrolled spouse or dependent
- the beneficiary or personal representative of a deceased patient
Importantly, there are exceptions to the general rule requiring written patient consent; these situations are described below.
Mandatory disclosure of information
Under the CMIA, medical information must be released when compelled:
- by court order
- by a board, commission or administrative agency for purposes of adjudication
- by a party to a legal action before a court, arbitration, or administrative agency, by subpoena or discovery request
- by a board, commission or administrative agency pursuant to an investigative subpoena
- by an arbitrator or arbitration panel, when arbitration is lawfully requested by either party
- by lawful search warrant
- at the “request” of the coroner (see below)
- when otherwise specifically required by law
The patient or patient’s representative must also be given access to inspect or get copies of medical records upon payment of reasonable clerical costs and certain other conditions.
Additionally, the CMIA requires provision of confidential medical information to a medical examiner, forensic pathologist, or coroner, “when requested in the course of an investigation… for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation pursuant to [Health & Safety Code §7151.15], or when otherwise authorized by the decedent’s representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation or who is the prospective donor and shall be disclosed to the coroner without delay upon request.”
Discretionary disclosure of information
There is a lengthy list of persons and/or entities to which, and circumstances in which, medical information may be disclosed at the discretion of the provider without a patient’s written authorization.
Before releasing any medical information without a patient’s authorization, providers should confirm who is requesting the information, and for what purpose the information is being requested. Discretionary disclosure is only allowable in the specific situations outlined in the applicable code section.
1) Other health care providers, health care service plans, contractors, or other health care professionals/ facilities for purpose of diagnosis and treatment of the patient. This includes radio or other transmission between emergency personnel “in an emergency situation.”
2) Entities responsible for the payment of health care services, such as: an insurer, employer, health care service plan, hospital service plan, employee benefit plan, and governmental authority. Information released is limited to the extent necessary to determine payment. If the patient is unable to consent and no other arrangements for payment have been made, information may be disclosed to a governmental authority to the extent necessary to determine eligibility for payment, and to other health care providers or health care service plan to assist them in obtaining payment.
3) Any person or entity that provides billing, claims management, medical data processing or other administrative services for health care providers, health care service plans, or entities listed in (2) above. However, information so disclosed shall not be further disclosed by the recipient in a way that would violate this part.
4) To “organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations . . ., contractors, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur,” if those entities are engaged in “reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges.”
5) A “private or public body responsible for licensing or accrediting” a health care provider or health care service plan may “review” medical information in the possession of a health care provider or health care service plan. However, disclosure is limited to “review” of information; no patient-identified information may be removed from the premises and further disclosure is prohibited.
6) To a medical examiner, forensic pathologist, or the county coroner in course of an investigation for “all purposes” not already included in the “mandatory disclosure” provisions. County coroner in course of an investigation related to “all purposes not included in paragraph (8) of subdivision (b).”
7) To “public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes.” However, this information may not be further disclosed by the recipient in any way that would disclose the patient’s identity.
8) If a health care provider or health care service plan has “created medical information as a result of employment-related health care services to an employee, [which was] conducted at the specific prior written request and expense of the employer,” information may be disclosed to the employee’s employer. However, only “that part” of the information that (A) is relevant in a lawsuit, arbitration, grievance, or other claim or challenge to which the employer and employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment; provided that the information may only be used for that proceeding, or (B) describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient’s fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed.
9) Absent notification in writing of an agreement to the contrary, to a “sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from,” if the information was “created by” the health care provider or health care service plan as a result of services “conducted at the prior written request and expense” of the sponsor, insurer or administrator for the purpose of evaluating an application for coverage or benefits.
10) For the purpose of administering a health care service plan, information may be disclosed by a health care provider to a health care service plan, or among health care providers.
11) Medical information may be disclosed to an “insurance institution, agent or support organization” under the Insurance Information and Privacy Protection Act [Insurance Code §791, et. seq.], if the insurance institution, agent or support organization has “complied with all of the requirements for obtaining the information” in that Act.
12) Information “relevant to the patient’s condition, care, and treatment” may be provided to a probate court investigator “in the course of an investigation” to determine the need for a conservatorship, and to a probate court investigator, probation officer, or domestic relations investigator who is “engaged in determining” the need for an initial or continuation of a guardianship.
13) To an organ procurement organization or tissue bank “processing the tissue of a decedent for transplantation,” but only information related to the decedent donor for the purpose of aiding the transplant may be disclosed.
14) Medical information may also be disclosed “when otherwise specifically authorized by law,” including but not limited to voluntary reporting to the Food and Drug Administration to report adverse events related to drug products or medical devices, and reports of suspected child abuse or neglect.
15) “Basic information” may be disclosed to a state or federally recognized disaster relief organization for responding to disaster welfare inquiries. (Basic information includes the patient’s name, city of residence, age, sex, and general condition.)
16) For the purposes of “encoding, encrypting, or otherwise anonymizing data,” information may be disclosed to a “third party.” The third party must ensure no further disclosure or unauthorized manipulation of data that reveals individually identifiable information.
17) For purposes of “disease management programs and services” as defined by Health & Safety Code §1399.901, information may be disclosed to a “disease management organization” or to an entity contracting with a health care service plan to monitor or administer a chronic disease management program, if certain requirements are met.
18) To a local health department as permitted by state and federal law for the purpose of preventing or controlling disease, injury, or disability, including the reporting of disease, injury, vital events (such as birth or death), or legally authorized public health surveillance, investigations, or interventions.
19) A psychotherapist may disclose information “consistent with applicable law and standards of ethical conduct” if he or she believes in good faith that the disclosure is “necessary to prevent or lessen a serious and imminent threat to the health or safety of a reasonably foreseeable victim or victims” and the disclosure is made to a “person or persons reasonably able to prevent or lessen the threat, including the target of the threat.”
20) To a county social worker, a probation officer, or any other person who is legally authorized to have custody or care of a minor for the purpose of coordinating health care services and medical treatment provided to the minor. This includes medical information concerning the diagnosis and treatment of a mental health condition of a minor when reasonably necessary for the purpose of assisting in coordinating the treatment and care of the minor; it does not include psychotherapy notes.
21) Information may be disclosed to an employee welfare benefit plan for billing, claims management, medical data processing, or other administrative services related to persons receiving medical care under the plan, if certain conditions are met.
22) Information relevant to an incident of elder or dependent adult abuse may be given to an investigator from an adult protective services agency, a local law enforcement agency, the office of the district attorney, the office of the public guardian, the probate court, the Bureau of Medi-Cal Fraud, or an investigator of the Department of Consumer Affairs, Division of Investigation who is investigating a known or suspected case of elder or dependent adult abuse.
23) A health care provider may also use or disclose medical information to a public or private entity authorized by law to assist in disaster relief efforts.
Disclosure to friends, relatives and personal representatives
Providers may disclose to a family member, other relative, domestic partner, or a close personal friend of the patient, or to any other person identified by the patient, the medical information directly relevant to that person’s involvement with the patient’s care. A provider may also disclose the patient’s location, general condition, or death to notify or assist in the notification, identification or location of a family member, personal representative of the patient, domestic partner, or another person responsible for the care of the patient.
If the patient is available and has the capacity to make health care decisions, the information above may be disclosed only if: the patient agrees, or the patient is provided with an opportunity to object and does not object, or the provider “reasonably infers from the circumstances, based on the exercise of professional judgment,” that the patient would not object to the disclosure.
If the patient is not available or incapacitated, or if an “emergency circumstance” exists, the provider “may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient, and if so disclose that information relevant to that person’s involvement in the patient’s medical care. Professional judgment and experience with common practice may also be used to make reasonable inferences of the patient’s best interests, to allow a person to pick up prescriptions, medical supplies, x-rays or other forms of medical information.
A psychotherapist may only disclose information under the above circumstances if the patient agrees, or if the patient has not expressed an objection when provided with the opportunity to object to the disclosure.
Patient inspection, addenda to records
Health & Safety Code §123110 provides that any adult, minor authorized by law to consent to treatment, or patient representative may inspect the patient’s medical records upon presentation of a written request and payment of reasonable clerical costs. Physical inspection of the records must be allowed within five working days after receipt of the written request. Copies of records may be obtained by written request and payment of certain costs, and the records must be transmitted within 15 working days after receiving the written request.
Health & Safety Code §123111 allows any “adult patient” to “provide to the health care provider a written addendum with respect to any item or statement in his or her records that the patient believes to be incomplete or incorrect.” The addendum is limited to 250 words per alleged incomplete or incorrect item in the patient’s record, and it must clearly indicate in writing that the patient wants the addendum to be part of the medical chart.
The physician must “attach the addendum to the patient’s records” and must include it whenever the health care provider “makes a disclosure of the allegedly incomplete or incorrect portion of the patient’s records to any third party.” Health care providers are protected from liability under this code section for any “defamatory or otherwise unlawful language” written in the addendum and subsequently included in the medical record.
Storing and destroying records
The CMIA requires that providers who “create, maintain, preserve, store, ‘abandon’ destroy, or dispose of” medical information do so in a manner that preserves the information’s confidentiality, or they will be subjected to the penalties for wrongful disclosure. Furthermore, an electronic medical record system must protect and preserve the integrity of electronic information, and “automatically record and preserve any change or deletion of any electronically stored medical information.” The record of any change or deletion must include the identity of the person who accessed and changed the information, the date and time the information was accessed, and the change that was made.
Health care service plans must assure confidentiality
California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information. Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.