Unlawful Disclosure of Medical Information
Like other private information, medical information is expected to remain exclusive between the patient and their healthcare providers. (Unlawful disclosure of this information must not be confused with medical malpractice.) Health records are highly valuable to patients, and for that reason they should stay undisclosed unless the patient or someone who represents them consents to the disclosure. Disclosing them without that permission is considered unauthorized disclosure, and such acts are seen as a breach of the contract of confidentiality. To avoid such situations, the state of California, in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), enacted the Confidentiality of Medical Information Act (CMIA).
Health Insurance Portability and Accountability Act
HIPAA is a federal law that requires sensitive health information to be protected from disclosure without the patient's consent. The scope of this act includes the following entities:
- Healthcare providers;
- Health plans;
- Health professionals; or
- Business associates.
Confidentiality of Medical Information Act
To supplement HIPAA, California enacted the Confidentiality of Medical Information Act (CMIA). It is a state law that protects medical information and records under the scope of HIPAA. The contents and conditions of the CMIA are stated in California's Civil Code CC 56.10.
A provider of healthcare, healthcare service plan, or contractor shall not disclose medical information regarding a patient of the provider of healthcare or an enrollee or subscriber of a healthcare service plan without first obtaining authorization from the patient unless under lawful exemptions.
A provider of healthcare, a healthcare service plan, or a contractor shall disclose medical information if any of the following compels the disclosure:
- By a court under an order of that court;
- By a board, commission, or administrative agency for purposes of adjudication under its lawful authority;
- By a party to a proceeding before a court or administrative agency under a subpoena, subpoena duces tecum, notice to appear served under any provision authorizing discovery in a proceeding before a court or administrative agency;
- By a board, commission, or administrative agency under an investigative subpoena;
- By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, under a subpoena duces tecum;
- By a search warrant lawfully issued to a governmental law enforcement agency;
- By the patient or the patient's representative; or
- By a medical examiner, forensic pathologist, or coroner, when requested in the course of an investigation by a medical examiner, forensic pathologist, or coroner's office to identify the decedent or locate next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation under Health and Safety Code HSC 7151.15, or when otherwise authorized by the decedent's representative.
A provider of healthcare or a healthcare service plan may disclose medical information:
- to providers of healthcare, healthcare service plans, contractors, or other healthcare professionals or facilities for purposes of diagnosis or treatment of the patient;
- to an insurer, employer, healthcare service plan, hospital service plan, employee benefit plan, governmental authority, contractor, or other person or entity responsible for paying for healthcare services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made;
- to a person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of healthcare or healthcare service plans;
- to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed healthcare service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations; or
- to a medical examiner, forensic pathologist, or county coroner in the course of an investigation.
Penalties for Violating the CMIA
Any individual may bring an action against any person or entity that has negligently released confidential information or records for either or both nominal damages of $1,000 and the amount of actual damages, if any, sustained by the patient. It shall not be necessary to prove that the plaintiff suffered or was threatened with actual damages to recover nominal damages.
Any person or entity who knowingly and willfully obtains, discloses, or uses medical information in violation of CMIA shall be liable for an administrative fine not to exceed $2,500 per violation.
To learn more about this act and about information privacy rights, you should reach out to our California-based lawyers. They can not only give you more knowledge about data and information privacy laws; they can also help you exercise those rights.