Your Right to Medical Privacy under Federal and California Law


This pub tells you about your right to keep your medical records private. It tells you about consenting to release your records. It tells you when someone can release your records without your consent. It tells you about your right to see your records. It tells you what to do if you think your records are wrong about something. It tells you what to do if someone releases your records without your consent.

1. Do I have a right of privacy for my health information?

Yes.  In general, you must give consent before information about your health can be disclosed.  However, there are a large number of exceptions.

2. How do I give consent to disclose my protected health information?

You can give consent by signing an authorization form.  The privacy provisions of the federal Health Insurance Portability and Accountability Act (HIPAA) and California law require certain things to be in the authorization form. 

To begin with, the form has to have the following information:

  1. The name or description of the person or entity providing the information. (This can be a specific name, such as “Dr. Jones,” or a broad description, such as “anyone” or “all medical care providers.”)
  2. The name or description of the person or entity receiving the information. (This can be a specific name, such as “Dr. Jones,” or a broad description, such as “anyone” or “all medical care providers.”)
  3. A description of the information you want disclosed. (This can be a specific description, such as “medical report dated June 5, 2010,” or a general description, such as “all progress notes,” or “all medical information.”)
  4. A description of each purpose for the use or disclosure of the information. (This can be a specific reason, such as “for Dr. Jones to provide consultation,” or a general reason, such as “at my request.”)

The key is that the form should be tailored to what you want to disclose, no more, and no less.

The authorization form must also give you notice of the following:

  1. Notice that the individual or entity subject to HIPAA may not condition treatment, payment, enrollment, or eligibility for benefits on whether or not you sign the authorization, unless an exception applies.
  2. Notice that the authorization is voluntary.
  3. Notice that you have the right to revoke the authorization in writing together with any exceptions to the right to revoke.
  4. Notice that you have a right to receive a copy of the authorization.
  5. Notice that information disclosed pursuant to the authorization may be subject to redisclosure by the recipient of the information and may no longer be protected under HIPAA.  (Note:  In California, the information cannot be redisclosed by the recipient of the information.)

Finally, the authorization form also has to have the following on it in order to be valid:

  1. An expiration date. (For example:  “June 20, 1995,” or “one year from the date of this authorization.”)
  2. Your signature, or the signature of your personal representative, such as:
    1. Your agent for health care if you have appointed an agent under a durable power of attorney for health care.
    2. Your guardian or conservator if the guardian or conservator is authorized to make health care decisions on your behalf.
    3. Your parent or guardian if you are a minor child and you do not have capacity to consent to medical treatment.
  3. Today’s date.

Psychotherapy notes require a separate disclosure.  In all cases, it is best to use a separate disclosure form for each health care provider in order to protect confidentiality.

3. Who is covered by HIPAA?

Under federal law the following entities must follow HIPAA:

  • Health care providers. Any person or organization who furnishes, bills, or is paid for health care in the normal course of business who transmits any health information electronically in connection with: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment or disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization.
  • Health plans. Any individual or group plan (or combination) that provides, or pays for the cost, of medical care.
  • Health care clearinghouses. Any entity that translates data content or format for another entity from non-standard to standard or vice versa.

See 45 C.F.R. §§ 160.102; 164.103; 164.500; 162.1101–162.1802.

4. Can my health information be disclosed without my consent?

Yes, in some cases.  The main ones are described below.

Disclosure required under state law.

Your protected health information can be disclosed if required by state law.

Here are two examples:

  • State law requires that information and records obtained in the course of providing mental health services under the Lanterman-Petris-Short Act and certain state and local mental health and developmental disability programs be provided “to the courts, as necessary to the administration of justice.”  Welfare and Institutions Code Section 5328(f).
  • State law requires reporting of child abuse, elder abuse, and dependent adult abuse by certain health care and social service providers.

Disclosure required for treatment, payment, or health care operations.

In addition, HIPAA provides a very broad general exception to the consent to disclosure requirement.  HIPAA allows disclosure without consent for the following three purposes:

  1. Treatment.
  2. Payment.
  3. Health care operations.

This means that your doctor can consult with another doctor about your treatment.  It also means that your health care providers can send medical reports about you to insurance companies if the reports are needed in order to pay the provider.  Information about your health care can also be used by your medical provider for health care operations, such as for quality improvement or utilization review.

Disclosure to Prevent Harm

HIPAA does allow a covered entity to disclose protected health information, including psychotherapy notes, when the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.  The disclosure also must be consistent with applicable law and standards of ethical conduct.  See 45 C.F.R. § 164.512(j)(1)(i).

5. Are there any limits on disclosure for treatment, payment or health care operations?

Yes.  Here are examples.

Information the health care provider agreed to keep confidential at your request.

This information may be disclosed without your consent only if you need emergency medical treatment.

Psychotherapy notes.

Psychotherapy notes cannot be released without your consent except to other providers in your provider organization’s mental health training program who are providing treatment to you.

Psychotherapy notes are notes documenting or analyzing the contents of your conversation during a private, group, joint or family counseling session and that are separated from the rest of your medical record.  This is a very limited category.  Psychotherapy notes do not include any other records including medication records, hospital admission or discharge summaries, nursing notes, medical reports, or information necessary for billing an insurance company for services.

Mental health/developmental disability service and treatment information.

Information and records obtained in the course of providing mental health services under the Lanterman-Petris-Short (LPS) Act and various state and local programs cannot be disclosed outside the provider’s facility without your consent unless the information is disclosed for emergency medical treatment or is disclosed to a provider with medical or psychological responsibility for you.  However, if you are admitted to a mental health facility under Section 5150 of the LPS Act because you are considered a danger to yourself or others, some confidential information may be disclosed in the process of determining whether you are prohibited from owning or possessing firearms.  Within 24 hours of admitting you to a mental health facility as a danger to yourself or others, the facility is required to submit a report to the Department of Justice (DOJ) stating, at minimum, your name and the legal reason for your admission to the facility.  This report must be kept confidential by the DOJ, except that it will be used in court proceedings to determine your eligibility to own or possess firearms.

Substance use information.

Drug and alcohol use information may not be released to a provider outside the provider’s organization without your consent except for emergency medical treatment.  In addition, if the provider receives federal funding, drug and alcohol use information may not be released to a provider outside the provider’s organization without your consent except for emergency medical treatment, and except to a central registry, detoxification or treatment program less than 200 miles away, for the purpose of preventing you from enrolling in multiple programs.

HIV test information.

HIV test information cannot be disclosed except to your health care provider for purposes of treatment, and except to the county as part of the infectious disease reporting system.

6. Who can I request that my health information be disclosed to?

Almost anyone.  This includes health care providers, your agent for health care if you have appointed one under a durable power of attorney, an attorney or other authorized representative who you have asked for help, or a friend or family member.  You can also review and get copies of your own health information.

You or your authorized representative must make a written request to inspect or receive copies of your records. H&SC §123110(a), (b). A request for copies must specify the records to be copied. H&SC §123110(b).

The health care provider must allow access to the records during regular business hours within five (5) working days after receiving the written request. H&SC §123110(a). If you or your authorized representative makes a request for copies of all or part of a file, the health care provider must transmit the copies within fifteen (15) days after receiving the written request.  H&SC §123110(b).

Before giving copies of records to the requester, a provider may require the requester to pay: copying costs, not to exceed twenty-five cents ($.25) per page or fifty cents ($.50) per page for records that are copied from microfilm, and any additional reasonable clerical costs incurred in making the records available. H&SC §123110(b).

Additionally, the health care provider may charge a "reasonable fee" based on actual time and cost for preparation of a summary pursuant to a patient's request for access to his or her records. H&SC §123130(f).

However, a provider cannot charge for copies of records needed to support an appeal for public benefit programs, which include Social Security Disability Insurance (SSDI), Supplemental Security Income (SSI) and Medi-Cal benefits, if a request for the records and proof of the appeal is given to the provider in writing. H&SC §123110(d)(1).  Records must be provided within 30 days of the written request.  H&SC §123110(f).  Only one copy of relevant portions of the records must be provided free of charge.  H&SC §123110(d)(2).  A provider does not have to provide records free of charge if the patient is represented by a private attorney (attorney other than a nonprofit legal services entity).  H&SC §123110(d)(3).  If the appeal is successful, the provider may bill the patient for the records at the rates specified above. H&SC §123110(e).

7. Are there any limits on my right to inspect or copy my own health records?

Yes, there are some limits.  Generally, you can be denied access only if access is likely to endanger someone’s life or physical safety.

Under HIPAA privacy regulations, if the provider refuses to allow access to the records, the provider must provide a written denial.  The written denial must contain the following information:

  1. the basis for the denial;
  2. the right to review by a licensed health care professional designated by the provider (including a description of how to exercise the right to review);
  3. the right to file a complaint with the provider, and the right to file a complaint with the Department of Health and Human Services Office for Civil Rights.

California law provides that a provider does not have to allow access to information given “in confidence” to the provider by someone other than another health care provider or the patient.  Federal HIPAA privacy regulations provide that this information can only be withheld if disclosure would be “reasonably likely to reveal the source of the information.” 45 C.F.R. § 164.524(a)(2)(v).

8. If my records contain information that is not accurate can I ask the provider to correct the records?

Yes. First, you must ask the provider to amend your records. The provider can require that your request be in writing and that it include the reason for the requested amendment, but the provider must notify you of these requirements before you make the request. There is no time limit on requesting an amendment.  You can ask for an amendment for as long as your records exist.

The provider must act on your request within 60 days.  The provider can have a 30-day extension if the provider gives you a written statement of the reasons for the delay and the date by which action will be completed.

If the provider agrees to amend your records, the provider must, at a minimum, identify the record to be amended and either append the amendment to that record or provide a link to the amendment. The provider must also notify you that the amendment has been made, and obtain your consent to inform others who have received the records in question.  The provider must provide the amendment to people you identify for the provider who received the records in question, and to people the provider knows have the information and who could rely on the information to your detriment.  45 C.F.R. § 164.526(c)(3).  Providers receiving the amendment must also amend the records in that provider’s possession.

The provider can deny your request for amendment if the provider believes the record is accurate and complete. The provider can also deny your request for amendment if the provider did not create the record in question (unless the creator of the record is no longer available to act on a request for amendment); or the provider does not have the record in question; or you do not have a right of access to the record.

If the provider denies your request for amendment of the records, the provider must give you the denial in writing. The written denial must contain the following:

  1. The basis for the denial (e.g., the provider believes that the records are accurate and complete).
  2. Notification of your right to submit a statement disagreeing with the denial, and how to submit the statement.
  3. Notification that if you do not submit a statement disagreeing with the denial, you can request that the provider submit your request for amendment and the provider’s denial together with any future disclosures of the records.
  4. A description of how you can file a complaint with the provider or with the Department of Health and Human Services Office for Civil Rights (OCR).

The provider may “reasonably limit the length” of a statement of disagreement, but must allow you to include up to 250 words.  The provider may prepare a written rebuttal to your statement of disagreement, but the provider must give you a copy. If the provider discloses your medical records, the provider must include your statement of disagreement in the disclosure.

In addition, notwithstanding HIPAA requirements, California law allows you to provide your health care provider a written addendum with respect to any item or statement in your records that you believe to be incomplete or incorrect.  The addendum must be limited to 250 words per alleged incomplete or incorrect item in your patient record and must clearly indicate in writing that you want the addendum to be made a part of your record.

9. What can I do if my rights are violated?

You can file a complaint with the medical services provider.  A provider must have a complaint process under HIPAA for denial of access, or refusal to amend records.  You may also file a complaint with the licensing entity for your provider.  Information about licensing of health providers is available at and Complaint information is also available at and respectively.

Complaints for violations of federal HIPAA privacy regulations can be filed with the federal Department of Health and Human Services Office for Civil Rights (OCR).  The address is:

Office for Civil Rights
U.S. Department of Health & Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Customer Response Center: (800) 368-1019
(800) 537-7697 TDD
(202) 619-3818 FAX

OCR can provide you with a form for filing a complaint.  The complaint form is available on the internet at Complaints must be filed in writing within 180 days of the date you knew or should have known of the violation. The complaint must name the provider that is the subject of the complaint and describe the acts or omissions that violate the regulations. OCR can impose civil and criminal fines, but cannot award money damages to an individual.  Additional HIPAA information can be found at If you need help filing the complaint or have questions about the complaint form, call 1-800-368-1019, TDD 1-800-537-7697.

A provider may not retaliate against you for exercising your rights under HIPAA.

A health care provider who willfully violates the California Health and Safety Code requirements may be subject to penalties, including but not limited to a $100 fine and licensure suspension or revocation.  In addition, a patient, or a patient’s representative may sue for access to the records.  The prevailing party is entitled to costs and reasonable attorneys’ fees.

You may also sue for actual damages if a licensed provider who went out of business abandoned your records.  Providers who go out of business must keep records for a minimum of 7 years and at least until an individual turns age 19.  Violations of the California statute and the federal HIPAA privacy regulations might also give rise to a negligence action against a provider for money damages because the statute and regulations establish a duty of care on the part of medical service providers.  You should consult an attorney for advice on obtaining damages as soon as you realize a violation may have occurred, to protect your rights.  If you wait too long, you may be barred from obtaining damages.

10. Where can I get more information?

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has a very good website:

The State of California, Office of Health Information Integrity (OHHI) has a good website:

Useful information can be found on the health privacy website of the Center for Democracy and Technology:

DRC has a useful publication on health care privacy and access:
The California Mental Health Services Authority (CalMHSA) is an organization of county governments working to improve mental health outcomes for individuals, families and communities.  Prevention and Early Intervention programs implemented by CalMHSA are funded by counties through the voter-approved Mental Health Services Act (Prop 63).  Prop. 63 provides the funding and framework needed to expand mental health services to previously underserved populations and all of California’s diverse communities.