Your Patient Privacy Rights: A Consumer Guide to Health Information Privacy in California

Longstanding California state laws and new federal regulations give you rights to help keep your medical records private1. That means that you can set some limits on who sees personal information about your health. You can also set limits on what information they can see. And you can decide when they can see it. You can also review and ask for corrections to your medical records. This Consumer Information Sheet contains general descriptions of your basic rights.

Your right to be told how your doctor will use your personal health information

Most doctors, hospitals, HMOs, and other healthcare organizations must give you a Notice of Privacy Practices.2 This Notice tells you how personal information about your health will be used. It tells you who will see your information, what your rights are, and where to complain.

Generally, your doctor uses your health information to treat you and to refer you to specialists. Your doctor also uses your information to bill your insurance company .3

Your right to set limits on who gets to see your personal health information

Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can release your personal health information. This is true unless the release is for the purpose of treatment, payment, or healthcare operations.4

In the case of sensitive information, like HIV test results or what you tell a psychiatrist, your written permission is required in most situations.5

  • Giving your permission

    Your written permission is called an "authorization." It must state what information can be released, to whom, and for what purpose. It must be dated. You have the right to say no without fearing any kind of pressure or retaliation. You have the right to change your mind at any time and take back your written authorization.6

    You can also ask your doctor or health plan to limit how they use or release your information for treatment, payment, or healthcare operations. But they are not required to agree to your request.7
  • Contacting you

    You also have the right to ask your doctor or health plan to contact you only in certain ways or at certain locations. For example, you can ask your doctor to send reminder notices to you at a certain address. Or you can ask to be called only at home rather than at work.8
  • What your employer can see

    You can stop your employer from receiving most health information about you. Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can give your employer health information about you.9

    You have the right to say no without fearing any pressure or retaliation from your employer. There are some situations in which your employer can receive information about your health. For example, your employer can receive certain information as the sponsor of an employee health plan. Another example is when you are required to pass a drug test for your job.

Your right to be told to whom your personal health information has been given

You have the right to ask most healthcare providers for information on who has received your personal health information.

  • Accounting of disclosures

    This is called an "accounting of disclosures." It must include the date of the disclosure, the name of the person who received the information, what information was disclosed, and the purpose of the disclosure. It must be given to you within 60 days of the receipt of your request. There are some exceptions for disclosure for treatment, payment, or healthcare operations.10

Your right to stop unwanted mail about new drugs or medical services

Most healthcare providers have to ask for your written authorization before they can use or sell your health information for marketing purposes.

  • Giving your permission

    The authorization form they ask you to sign must tell you if they will receive payment for sharing your information. For example, your doctor cannot sell your health information to a drug manufacturing company so that the company can mail you a letter encouraging you to buy a certain drug instead of the one you are using. There are exceptions related to your treatment. For example, your health plan is allowed to send you information about new healthcare services it offers.11

Your right to see and ask to correct information about you in your medical records

You may ask to read the information about you in your medical records. Your doctor or health plan must respond to your written request within five working days of receiving it. If they deny your request, they must tell you why. For example, your doctor could refuse if he or she thinks showing you the information may cause harm to you or to someone else.12

  • Copying your records

    You may make copies of your personal health information in your medical records. Your doctor or health plan may charge you a reasonable fee for making these copies.13
  • Asking for changes

    You may ask your doctor or health plan to change information about you in your medical records if it is not correct or complete. Your doctor or health plan may deny your request. If this happens, you may add a statement to your file explaining the information.14

Your right to file a complaint

Most doctors, health plans, hospitals, and other healthcare providers must tell you their process for handling complaints. They must tell you the name of the person to whom you may complain. File your complaint with the doctor, plan or organization first.

If you are an enrollee of a health plan and you have a concern that your health plan violated any state law regarding the privacy or confidentiality of your medical records, you may contact the California Department of Managed Health Care's HMO Help Center at 1-888-HMO-2219 for assistance.

You also have the right to complain to the federal Office of Civil Rights about possible violations of federal health privacy law.15

Office for Civil Rights, Region IX
U.S. Department of Health and Human Services
50 United Nations Plaza, Room 322
San Francisco, CA 94102
Voice Phone (415) 437-8310
Fax (415) 437-8329
TDD (415) 437-8311

You may have remedies under California law

California law also gives you the right to bring suit to recover damages in some cases of violation of state laws on health information privacy.16

Additional Resources on Health Information Privacy

This Consumer Information Sheet was prepared with considerable assistance from the California Office of Health Information Integrity.

Notes

1 The federal authority on health information privacy arises from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164). California has several laws on health information privacy, including the Confidentiality of Medical Records Act (Civil Code § 56 et seq.), the Patient Access to Health Records Act (Health & Safety Code § 123110 et seq.), the Insurance Information and Privacy Protection Act (Insurance Code § 791 et seq.), and the Information Practices Act (Civil Code § 1798 et seq.). Citations for specific rights enumerated in this document are provided below. All the referenced laws may be found on the Privacy Laws page of the California Department of Justice’s Web site. Back to link 1

2HIPAA regulates only healthcare providers that transmit personal health information electronically. For notice, see HIPAA, 45 CFR §164.520. Also on notice, see California Civil Code § 1798.17, which applies to state agencies. Back to link 2

3For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code § 56.10 subdivision (c)(a). Back to link 3

4 For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code § 56.10. Back to link 4

5For confidentiality of HIV test results, se California Health & Safety Code §§ 120975-121125. For confidentiality of psychiatric records, see California Civil Code § 56.104. Also see HIPAA, 45 CF § 164.50, 1 for definition of "psychotherapy notes," and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes. Back to link 5

6 For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code § 56.11. Back to link 6

7 For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a). Back to link 7

8 For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b). Back to link 8

9 For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code § 56.20. Back to link 9

10 For accounting of disclosures, see HIPAA 45 CFR § 164.528, and California Civil Code §§ 1798.25 and 1798.28. Back to link 10

11 For marketing use, see HIPAA 45 CFR § 164.508 subdivision (a)(3), California Civil Code § 56.10 subdivision (d), California Health & Safety Code section 123148, and California Insurance Code §§ 791.13 subdivision (k) and 791.05. Back to link 11

12 For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (a), and California Civil Code § 1798.32. Back to link 12

13 For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (b), and California Civil Code § 1798.33. Back to link 13

14 For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code § 123111, and California Civil Code § 1798.35. Back to link 14

15 For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office of Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306). Back to link 15

16 See California Civil Code § 56.35 on remedies for improper use or disclosure, California Health and Safety Code § 123120 on remedies for violation of access rights, and California Civil Code §§ 1798.45-1798.57 on remedies for violations by state agencies. Back to link 16

This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice on a particular case, you should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.