A Consumer Guide to Health Information Privacy in California
Longstanding California state laws and new federal regulations give you rights to help keep your medical records private.
That means that you can set some limits on who sees personal information about your health. You can also set limits on what information they can see. And you can decide when they can see it. You can also review and ask for corrections to your medical records.
This Consumer Information Sheet contains general descriptions of your basic rights.
Your right to be told how your doctor will use your personal health information
Most doctors, hospitals, HMOs, and other healthcare organizations must give you a Notice of Privacy Practices.
This Notice tells you how personal information about your health will be used. It tells you who will see your information, what your rights are, and where to complain.
Generally, your doctor uses your health information to treat you and to refer you to specialists. Your doctor also uses your information to bill your insurance company.
Your right to set limits on who gets to see your personal health information
Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can release your personal health information.
This is true unless the release is for the purpose of treatment, payment, or healthcare operations.
In the case of sensitive information, like HIV test results or what you tell a psychiatrist, your written permission is required in most situations.
Giving your permission
Your written permission is called an "authorization." It must state what information can be released, to whom, and for what purpose. It must be dated.
You have the right to say no without fearing any kind of pressure or retaliation. You have the right to change your mind at any time and take back your written authorization.
You can also ask your doctor or health plan to limit how they use or release your information for treatment, payment, or healthcare operations. But they are not required to agree to your request.
You also have the right to ask your doctor or health plan to contact you only in certain ways or at certain locations. For example, you can ask your doctor to send reminder notices to you at a certain address. Or you can ask to be called only at home rather than at work.
What your employer can see
You can stop your employer from receiving most health information about you. Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can give your employer health information about you.
You have the right to say no without fearing any pressure or retaliation from your employer. There are some situations in which your employer can receive information about your health. For example, your employer can receive certain information as the sponsor of an employee health plan. Another example is when you are required to pass a drug test for your job.
Your right to be told to whom your personal health information has been given
You have the right to ask most healthcare providers for information on who has received your personal health information.
Accounting of disclosures
This is called an "accounting of disclosures." It must include the date of the disclosure, the name of the person who received the information, what information was disclosed, and the purpose of the disclosure. It must be given to you within 60 days of the receipt of your request. There are some exceptions for disclosure for treatment, payment, or healthcare operations.
Your right to stop unwanted mail about new drugs or medical services
Most healthcare providers have to ask for your written authorization before they can use or sell your health information for marketing purposes.
Giving your permission
The authorization form they ask you to sign must tell you if they will receive payment for sharing your information. For example, your doctor cannot sell your health information to a drug manufacturing company so that the company can mail you a letter encouraging you to buy a certain drug instead of the one you are using.
There are exceptions related to your treatment. For example, your health plan is allowed to send you information about new healthcare services it offers.
Your right to see and ask to correct information about you in your medical records
You may ask to read the information about you in your medical records. Your doctor or health plan must respond to your written request within five working days of receiving it.
If they deny your request, they must tell you why. For example, your doctor could refuse if he or she thinks showing you the information may cause harm to you or to someone else.
Copying your records
You may make copies of your personal health information in your medical records. Your doctor or health plan may charge you a reasonable fee for making these copies.
Asking for changes
You may ask your doctor or health plan to change information about you in your medical records if it is not correct or complete. Your doctor or health plan may deny your request. If this happens, you may add a statement to your file explaining the information.
Your right to file a complaint
Most doctors, health plans, hospitals, and other healthcare providers must tell you their process for handling complaints. They must tell you the name of the person to whom you may complain. We recommend that you file your complaint with the doctor, plan or organization first.
If you are an enrollee of a health plan and you have a concern that your health plan violated any state law regarding the privacy or confidentiality of your medical records, you may contact the California Department of Managed Health Care's HMO Help Center at 1-888-HMO-2219 for assistance.
You also have the right to complain to the federal Office for Civil Rights about possible violations of federal health privacy law.
Office for Civil Rights, Region IX
U.S. Department of Health and Human Services
50 United Nations Plaza, Room 322
San Francisco, CA 94102
Voice Phone (415) 437-8310
Fax (415) 437-8329
TDD (415) 437-8311
If you need help in finding the proper place to file a complaint, or if you have questions about health information privacy issues, contact the California Office of Privacy Protection at (866) 785-9663 or email to firstname.lastname@example.org
You may have remedies under California law
California law also gives you the right to bring suit to recover damages in some cases of violation of state laws on health information privacy.
Additional Resources on Health Information Privacy
- Health Privacy Project Georgetown University www.healthprivacy.org
- Privacy Rights Clearinghouse
Fact Sheet 8A: HIPAA Basics: Medical Privacy
- Office for Civil Rights U.S. Department of Health and Human Services
- California Office of HIPAA Implementation www.ohi.ca.gov