Your Patient Privacy Rights: A Consumer Guide to Health Information Privacy in California
Longstanding California state laws and new federal regulations give you rights to help keep your medical records private1. That means that you can set some limits on who sees personal information about your health. You can also set limits on what information they can see. And you can decide when they can see it. You can also review and ask for corrections to your medical records. This Consumer Information Sheet contains general descriptions of your basic rights.
Your right to be told how your doctor will use your personal health information
Most doctors, hospitals, HMOs, and other healthcare organizations must give you a Notice of Privacy Practices.2 This Notice tells you how personal information about your health will be used. It tells you who will see your information, what your rights are, and where to complain.
Generally, your doctor uses your health information to treat you and to refer you to specialists. Your doctor also uses your information to bill your insurance company.3
Your right to set limits on who gets to see your personal health information
Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can release your personal health information. This is true unless the release is for the purpose of treatment, payment, or healthcare operations.4
In the case of sensitive information, like HIV test results or what you tell a psychiatrist, your written permission is required in most situations.5
- Giving your permission
Your written permission is called an "authorization." It must state what information can be released, to whom, and for what purpose. It must be dated. You have the right to say no without fearing any kind of pressure or retaliation. You have the right to change your mind at any time and take back your written authorization.6
You can also ask your doctor or health plan to limit how they use or release your information for treatment, payment, or healthcare operations. But they are not required to agree to your request.7
- Contacting you
You also have the right to ask your doctor or health plan to contact you only in certain ways or at certain locations. For example, you can ask your doctor to send reminder notices to you at a certain address. Or you can ask to be called only at home rather than at work.8
- What your employer can see
You can stop your employer from receiving most health information about you. Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can give your employer health information about you.9
You have the right to say no without fearing any pressure or retaliation from your employer. There are some situations in which your employer can receive information about your health. For example, your employer can receive certain information as the sponsor of an employee health plan. Another example is when you are required to pass a drug test for your job.
Your right to be told to whom your personal health information has been given
You have the right to ask most healthcare providers for information on who has received your personal health information.
- Accounting of disclosures
This is called an "accounting of disclosures." It must include the date of the disclosure, the name of the person who received the information, what information was disclosed, and the purpose of the disclosure. It must be given to you within 60 days of the receipt of your request. There are some exceptions for disclosure for treatment, payment, or healthcare operations.10
Your right to stop unwanted mail about new drugs or medical services
Most healthcare providers have to ask for your written authorization before they can use or sell your health information for marketing purposes.
- Giving your permission
The authorization form they ask you to sign must tell you if they will receive payment for sharing your information. For example, your doctor cannot sell your health information to a drug manufacturing company so that the company can mail you a letter encouraging you to buy a certain drug instead of the one you are using. There are exceptions related to your treatment. For example, your health plan is allowed to send you information about new healthcare services it offers.11
Your right to see and ask to correct information about you in your medical records
You may ask to read the information about you in your medical records. Your doctor or health plan must respond to your written request within five working days of receiving it. If they deny your request, they must tell you why. For example, your doctor could refuse if he or she thinks showing you the information may cause harm to you or to someone else.12
- Copying your records
You may make copies of your personal health information in your medical records. Your doctor or health plan may charge you a reasonable fee for making these copies.13
- Asking for changes
You may ask your doctor or health plan to change information about you in your medical records if it is not correct or complete. Your doctor or health plan may deny your request. If this happens, you may add a statement to your file explaining the information.14
Your right to file a complaint
Most doctors, health plans, hospitals, and other healthcare providers must tell you their process for handling complaints. They must tell you the name of the person to whom you may complain. File your complaint with the doctor, plan or organization first.
If you are an enrollee of a health plan and you have a concern that your health plan violated any state law regarding the privacy or confidentiality of your medical records, you may contact the California Department of Managed Health Care's HMO Help Center at 1-888-HMO-2219 for assistance.
You also have the right to complain to the federal Office for Civil Rights about possible violations of federal health privacy law.15
Office for Civil Rights, Region IX
U.S. Department of Health and Human Services
50 United Nations Plaza, Room 322
San Francisco, CA 94102
Voice Phone (415) 437-8310
Fax (415) 437-8329
TDD (415) 437-8311
You may have remedies under California law
California law also gives you the right to bring suit to recover damages in some cases of violation of state laws on health information privacy.16
Additional Resources on Health Information Privacy
- Health Privacy Project
- Privacy Rights Clearinghouse, "Fact Sheet 8A: HIPAA Basics: Medical Privacy"
- Office for Civil Rights, U.S. Department of Health and Human Services
- California Privacy and Security Advisory Board (on Health Information Exchange), information available at California Office of Health Information Integrity
This Consumer Information Sheet was prepared with considerable assistance from the California Office of Health Information Integrity.
1 The federal authority on health information privacy arises from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164). California has several laws on health information privacy, including the Confidentiality of Medical Records Act (Civil Code § 56 et seq.), the Patient Access to Health Records Act (Health & Safety Code § 123110 et seq.), the Insurance Information and Privacy Protection Act (Insurance Code § 791 et seq.), and the Information Practices Act (Civil Code § 1798 et seq.). Citations for specific rights enumerated in this document are provided below. All the referenced laws may be found on the Privacy Laws page of the California Department of Justice’s Web site.
2 HIPAA regulates only healthcare providers that transmit personal health information electronically. For notice, see HIPAA, 45 CFR § 164.520. Also on notice, see California Civil Code § 1798.17, which applies to state agencies.
3 For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code § 56.10 subdivision (c)(a).
4 For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code § 56.10.
5 For confidentiality of HIV test results, see California Health & Safety Code §§ 120975-121125. For confidentiality of psychiatric records, see California Civil Code § 56.104. Also see HIPAA, 45 CFR § 164.501 for definition of "psychotherapy notes," and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes.
6 For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code § 56.11.
7 For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a).
8 For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b).
9 For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code § 56.20.
10 For accounting of disclosures, see HIPAA 45 CFR § 164.528, and California Civil Code §§ 1798.25 and 1798.28.
11 For marketing use, see HIPAA 45 CFR § 164.508 subdivision (a)(3), California Civil Code § 56.10 subdivision (d), California Health & Safety Code section 123148, and California Insurance Code §§ 791.13 subdivision (k) and 791.05.
12 For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (a), and California Civil Code § 1798.32.
13 For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (b), and California Civil Code § 1798.33.
14 For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code § 123111, and California Civil Code § 1798.35.
15 For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office for Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306).
16 See California Civil Code § 56.35 on remedies for improper use or disclosure, California Health and Safety Code § 123120 on remedies for violation of access rights, and California Civil Code §§ 1798.45-1798.57 on remedies for violations by state agencies.