Federal and State Health Laws

Note: CDII includes the following information in order to provide current, accurate, and authoritative general information regarding laws related to the privacy and security of health information. The content on this website does not constitute legal advice or legal opinions. Please consult an attorney if you need legal advice.

Federal

Health Insurance Portability and Accountability Act (HIPAA) – HIPAA establishes national standards for the administration and protection of individuals’ health information (e.g., medical or health records, personal health information). These rules apply to organizations called “covered entities” (which are healthcare providers, health plans and healthcare clearinghouses that conduct healthcare transactions electronically) or “business associates” (conducting health care transactions on behalf of a covered entity). HIPAA is comprised of the following components:

• HIPAA Privacy Rule – The Privacy Rule requires appropriate safeguards to protect the privacy of patient-identifying health information, and sets limits and conditions on the uses and disclosures of such information without patient authorization. General exceptions allow for treatment, payment, and healthcare operations. The Privacy Rule also gives patients’ rights over their health information, including the rights to access and request corrections.
• HIPAA Security Rule – The Security Rule protects individuals’ electronic protected health information that is created, received, used, or maintained by a cover entity or its business associate(s). The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of the electronic protected health information.
• Administrative Rules – These rules reduce paperwork and streamline business processes across the healthcare system. Specifically, the rules include:
  • Transactions
  • Code Sets
  • Unique Identifiers (such as health plan identifier or HPID, employer identification or EIN, national provider identifier or NPI)
  • Breach Notification Rule
  • Enforcement Rule
  • Final Omnibus Rule of 2013

Confidentiality of Substance Use Disorder (SUD) Patient Records — 42 C.F.R. Part 2 applies to federal assisted SUD treatment programs that meet the definition of a program within the regulation. These regulations apply to information that would identify a patient as having a SUD and allow very limited disclosures of information without a patient authorization.

Genetic Information Nondiscrimination Act (GINA) — GINA protects individuals against discrimination based on their genetic information in health coverage and in employment.

State

General Privacy Protections

• California Constitution, Article 1 – Declaration of Rights
  Section 1 provides all Californians with a guaranteed right to privacy.
• Information Practices Act (IPA) – Civil Code §§ 1798 – 1798.78
  This law expands on the constitutional guarantee of privacy by providing limits on the collection, management and disclosure of personal information by state agencies.
• Confidentiality of Medical Information Act (CMIA)
• Disclosure of Medical Information – Civil Code §§ 56.10 – 56.16
  This law protects the privacy of an individuals’ medical information (in electronic or paper format) from unauthorized disclosure by limiting disclosures by providers of health care, health plans, and contractors.
• Civil Penalties for Unauthorized Access, Use, or Disclosure of Medical Information – Civil Code § 56.36
  CMIA was amended to further define administrative fines or civil penalties for any person or entity including licensed health care professionals who knowingly and willfully obtains, discloses, or uses medical information in violation of the CMIA.
• Confidentiality of SUD Records – Health and Safety Code § 11845.5
  This law protects information and records maintained by entities, that are licensed by the California Department of Health Care Services, in connection with SUD diagnosis and treatment which is confidential and specially protected. Information and records may be disclosed only as provided in this code section. CMIA does not regulate these SUD information and records.
• Physical Safeguards – Health and Safety Code § 1280.18
  This law requires health providers to establish and implement administrative, technical, and physical safeguards to protect the privacy of patient’s medical information. Each health provider shall reasonably safeguard confidential health information from any unauthorized access, use, or disclosure.

Patients’ Right to Access

• Patient Access to Health Records – Health and Safety Code § 123100 and § 123111
  With minor limitations, this law gives patients the right to see and copy information maintained by health care providers relating to the patients’ health conditions. The law also gives patients the right to submit amendments to their records, if the patients believe that the records are inaccurate or incomplete.
• Consent by Patient for Lab Results via Internet or other Electronic Means – Health and Safety Code § 123148
  If the patient requests, a health care provider shall provide the results of the laboratory test to the patient in written or oral form. Consent must be obtained (consistent with CMIA) to deliver results via electronic means. Electronic delivery or results shall be consistent with applicable federal law or state law. HIV antibody test, hepatitis infection
  tests, abusing the use of drugs, and tests related to routinely processed tissues revealing malignant results may not be conveyed by electronic means, unless the specific requirements of subdivision (f) of Health and Safety Code section 123148 are met. Test results and health information may not be used for commercial purpose without patient consent.

Uses and Disclosures – The information is in this section is a small subset of the state laws related to uses and disclosures of health information. For more information about specific uses and disclosures, refer to the Statewide Health Information Policy Manual (SHIPM) or State Health Information Guidance (SHIG).

• Lanterman-Petris-Short Act (LPS) – Welfare and Institutions Code § 5328 et seq.
  Information and records obtained in the course of providing services to involuntarily and some voluntary recipients of services are confidential and specifically protected under LPS. Patient information obtained by the county or city mental health departments, state hospitals, regional centers (under the California Department of Developmental Services), or other public or
  private entities (such as community mental health clinics) are also protected under LPS. In general, information and records may be disclosed as provides in LPS. The CMIA regulates most of what is not regulated by LPS. If a facility is not regulated by LPS, it is likely regulated by CMIA.
• Access to Mental Health Information by Patients’ Rights Advocate – Welfare and Institutions Code § 5541
  Patients’ rights advocates must obtain written authorization from the client or the guardian ad litem to access, copy, or use the client’s confidential records and information. The client or guardian may revoke such authorization at any time.
• Medical Information, Collection for Direct Marketing Purposes – Civil Code § 1798.91 Businesses are prohibited from seeking to obtain medical information from an individual for direct marketing purposes without, (1) clearly disclosing how the information will be used and shared, and (2) getting the individual’s consent.
• Persons with Developmental Disabilities, Confidential Information and Records; Disclosure; Consent – Welfare and Institutions Code § 4514
  All information and records acquired in the course of providing intake, assessment, and services to persons with developmental disabilities shall be confidential. Information and records are to be disclosed only as provided in this section.
• Mandated Blood Testing and Confidentiality to Protect Public Health – Health and Safety Code §§ 120975 – 121020
  This law protects the privacy of individuals who are the subject of blood testing for human immunodeficiency virus (HIV). No person shall be compelled to provide information in any state, county, city, or other local civil, criminal, administrative, legislative or other proceedings that would reveal the identity of any individual who is the subject of
  an HIV blood test. Exceptions are provided in Health and Safety Code § 1603.1, § 1603.3, and § 121022.
• Disclosures by State or Local Public Health Agencies of Records relating to HIV or AIDS – Health and Safety Code § 121025
  HIV or acquired immunodeficiency syndrome (AIDS) related public health records containing personally identifying information, developed or acquired by public health agencies shall be confidential and not disclosed except as otherwise provided by law for public health purposes or with written authorization from the person who is the subject of
  the record or their guardian or conservator.
• Confidentiality of Committed Mentally Abnormal Sex Offenders – Welfare and Institutions Code § 4135
  The supervision, care, and treatment records of persons committed to the State Department of State Hospitals as a mentally abnormal sex offender shall not be inspected by any person not employed by the department unless the court through an order permits examination of such records.

Breach

• Breach Notification – Civil Code § 1798.29 and § 1798.82
  State agencies and businesses that collect personal information are required to notify each person in their database should there be a security breach involving personal information. Personal information includes: Social Security number, driver’s license number, account number, credit or debit card number, or security code or password for accessing their financial account as well as medical information and health insurance information.
  • “Medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • “Health insurance information” mean any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
• Health Facilities Data Breach – Health and Safety Code § 1280.15
  Certain health facilities are required to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information. It sets fines and notification requirements for breaches of patient medical information and requires facilities to report such breaches to the California Department of Public Health.