Longstanding California state laws and new federal regulations give you rights to help keep your medical records private. 1 That means that you can set some limits on who sees personal information about your health. You can also set limits on what information they can see. And you can decide when they can see it. You can also review and ask for corrections to your medical records. This Consumer Information Sheet contains general descriptions of your basic rights.
Most doctors, hospitals, HMOs, and other healthcare organizations must give you a Notice of Privacy Practices. 2 This Notice tells you how personal information about your health will be used. It tells you who will see your information, what your rights are, and where to complain.
Generally, your doctor uses your health information to treat you and to refer you to specialists. Your doctor also uses your information to bill your insurance company. 3
Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can release your personal health information. This is true unless the release is for the purpose of treatment, payment, or healthcare operations. 4
In the case of sensitive information, like HIV test results or what you tell a psychiatrist, your written permission is required in most situations. 5
Your written permission is called an "authorization." It must state what information can be released, to whom, and for what purpose. It must be dated. You have the right to say no without fearing any kind of pressure or retaliation. You have the right to change your mind at any time and take back your written authorization. 6
You can stop your employer from receiving most health information about you. Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can give your employer health information about you. 9
You have the right to ask most healthcare providers for information on who has received your personal health information.
Most healthcare providers have to ask for your written authorization before they can use or sell your health information for marketing purposes.
You may ask to read the information about you in your medical records. Your doctor or health plan must respond to your written request within five working days of receiving it. If they deny your request, they must tell you why. For example, your doctor could refuse if he or she thinks showing you the information may cause harm to you or to someone else. 12
Most doctors, health plans, hospitals, and other healthcare providers must tell you their process for handling complaints. They must tell you the name of the person to whom you may complain. File your complaint with the doctor, plan or organization first.
If you are an enrollee of a health plan and you have a concern that your health plan violated any state law regarding the privacy or confidentiality of your medical records, you may contact the California Department of Managed Health Care's HMO Help Center at 1-888-HMO-2219 for assistance.
You also have the right to complain to the federal Office for Civil Rights about possible violations of federal health privacy law. 15
Office for Civil Rights, Region IX
U.S. Department of Health and Human Services
50 United Nations Plaza, Room 322
San Francisco, CA 94102
Voice Phone (415) 437-8310
Fax (415) 437-8329
TDD (415) 437-8311
California law also gives you the right to bring suit to recover damages in some cases of violation of state laws on health information privacy. 16
This Consumer Information Sheet was prepared with considerable assistance from the California Office of Health Information Integrity.
1 The federal authority on health information privacy arises from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164). California has several laws on health information privacy, including the Confidentiality of Medical Records Act (Civil Code § 56 et seq.), the Patient Access to Health Records Act (Health & Safety Code § 123110 et seq.), the Insurance Information and Privacy Protection Act (Insurance Code § 791 et seq.), and the Information Practices Act (Civil Code § 1798 et seq.). Citations for specific rights enumerated in this document are provided below. All the referenced laws may be found on the Privacy Laws page of the California Department of Justice’s Web site.
2 HIPAA regulates only healthcare providers that transmit personal health information electronically. For notice, see HIPAA, 45 CFR § 164.520. Also on notice, see California Civil Code § 1798.17, which applies to state agencies.
3 For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code § 56.10 subdivision (c)(a).
4 For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code § 56.10.
5 For confidentiality of HIV test results, see California Health & Safety Code §§ 120975-121125. For confidentiality of psychiatric records, see California Civil Code § 56.104. Also see HIPAA, 45 CFR § 164.501 for definition of "psychotherapy notes," and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes.
6 For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code § 56.11.
7 For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a).
8 For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b).
9 For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code § 56.20.
10 For accounting of disclosures, see HIPAA, 45 CFR § 164.528, and California Civil Code §§ 1798.25 and 1798.28.
11 For marketing use, see HIPAA, 45 CFR § 164.508 subdivision (a)(3), California Civil Code § 56.10 subdivision (d), California Health & Safety Code § 123148, and California Insurance Code §§ 791.13 subdivision (k) and 791.05.
12 For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (a), and California Civil Code § 1798.32.
13 For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (b), and California Civil Code § 1798.33.
14 For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code § 123111, and California Civil Code § 1798.35.
15 For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office for Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306).
16 See California Civil Code § 56.35 on remedies for improper use or disclosure, California Health and Safety Code § 123120 on remedies for violation of access rights, and California Civil Code §§ 1798.45-1798.57 on remedies for violations by state agencies.
This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice on a particular case, you should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.