California CMIA
Medical Information
Under the California Confidentiality of Medical Information Act (CMIA), "medical information" refers to any individually identifiable data, whether electronic or physical, held by healthcare providers, health plans, pharmaceutical companies, or contractors, concerning a patient's medical history, mental or physical condition, or treatment. Information is considered "individually identifiable" if it contains personal details sufficient to identify the individual, such as name, address, email, telephone number, Social Security number, or other identifying data.

Authorization Requirements
In addition to the general requirements, a valid authorization must:
- Be handwritten by the individual or printed in at least 14-point type.
- Clearly separate authorization language from other content on the same page.
- Be signed and dated by the patient or their legal representative.
- Specify the uses and limitations on the types of medical information to be disclosed.
- Identify the entities authorized to disclose and receive the information.
- State the expiration date of the authorization.
- Inform the signer of their right to receive a copy of the authorization.
Mandatory Safeguards for Medical Information
To comply with the California Confidentiality of Medical Information Act (CMIA), healthcare entities must implement comprehensive safeguards to protect medical information from unauthorized access, use, or disclosure. These safeguards encompass physical, technical, and administrative measures:
- Physical Safeguards:
  - Secure Storage: Store physical medical records in locked facilities accessible only to authorized personnel.
  - Controlled Access: Restrict entry to areas where medical information is stored or processed, using measures such as identification badges or security personnel.
- Technical Safeguards:
  - Data Encryption: Encrypt electronic medical information during storage and transmission to prevent unauthorized access.
  - Access Controls: Implement robust authentication mechanisms, such as unique user IDs and passwords, to ensure that only authorized individuals can access medical information.
  - Audit Trails: Maintain logs of access and modifications to electronic medical records to monitor and review unauthorized activities.
- Administrative Safeguards:
  - Policies and Procedures: Develop and enforce policies that govern the handling, disclosure, and disposal of medical information.
  - Employee Training: Provide regular training to staff on privacy policies, data protection practices, and their responsibilities under the CMIA.
  - Incident Response Plans: Establish protocols for responding to data breaches or unauthorized disclosures, including notifying affected individuals and authorities as required by law.
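The technical safeguards above are stated as requirements, not mechanisms. The following is an added illustration, not part of the CMIA text or any vendor's product, of how two of them (access control and an audit trail) fit together in code: a record is released only to a treating clinician or to a recipient named in a signed, unexpired written authorization, and every attempt, allowed or denied, is written to an audit log. The record store, user IDs, patient ID and authorization dates are constructed sample values; encryption at rest is left out because it is independent of the authorization logic shown here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    """A patient's written authorization to disclose to one named recipient."""
    patient_id: str
    recipient: str           # entity authorized to receive the information
    signed_on: Optional[date]  # None models an unsigned form
    expires: date            # CMIA requires an expiration date on the form

    def is_valid(self, today: date) -> bool:
        # An unsigned or expired authorization does not permit disclosure.
        return self.signed_on is not None and today <= self.expires


@dataclass(frozen=True)
class AuditEntry:
    """One line of the audit trail; denied attempts are recorded too."""
    when: date
    user: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


class RecordStore:
    def __init__(self) -> None:
        self._records: dict[str, str] = {}          # patient_id -> record text
        self._treating: dict[str, set[str]] = {}    # patient_id -> clinician user IDs
        self._authorizations: list[Authorization] = []
        self.audit_log: list[AuditEntry] = []

    def add_record(self, patient_id: str, text: str, treating_clinicians) -> None:
        self._records[patient_id] = text
        self._treating[patient_id] = set(treating_clinicians)

    def add_authorization(self, auth: Authorization) -> None:
        self._authorizations.append(auth)

    def _decide(self, user: str, patient_id: str, today: date):
        """Return (allowed, reason); the reason is what the audit trail keeps."""
        if patient_id not in self._records:
            return False, "no such record"
        if user in self._treating.get(patient_id, set()):
            return True, "treating clinician"
        for auth in self._authorizations:
            if auth.patient_id == patient_id and auth.recipient == user:
                if auth.is_valid(today):
                    return True, "authorization valid until " + auth.expires.isoformat()
                return False, "authorization unsigned or expired"
        return False, "no treating relationship and no authorization"

    def read_record(self, user: str, patient_id: str, today: date) -> Optional[str]:
        allowed, reason = self._decide(user, patient_id, today)
        # Log before returning so a denied attempt is never lost.
        self.audit_log.append(AuditEntry(today, user, patient_id, "read", allowed, reason))
        return self._records[patient_id] if allowed else None

    def denied_attempts(self) -> list:
        return [e for e in self.audit_log if not e.allowed]


def build_demo_store() -> RecordStore:
    """Constructed sample data: one patient, one treating clinician, two authorizations."""
    store = RecordStore()
    store.add_record("P-1001", "constructed sample record", treating_clinicians={"dr_lee"})
    # Signed authorization for an insurer, valid for six months.
    store.add_authorization(Authorization("P-1001", "insurer_acme", date(2024, 1, 15), date(2024, 7, 15)))
    # Form for a research lab that was never signed.
    store.add_authorization(Authorization("P-1001", "research_lab", None, date(2025, 1, 1)))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    s.read_record("dr_lee", "P-1001", date(2024, 3, 1))
    s.read_record("insurer_acme", "P-1001", date(2024, 8, 1))  # after expiry: denied
    for entry in s.audit_log:
        print(entry)
```

The audit entry is appended before the decision is acted on, so reviewers of the log see failed attempts as well as successful reads, which is what the "monitor and review unauthorized activities" wording of the audit-trail safeguard calls for.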
Prohibited Disclosures Without Authorization
Under CMIA, healthcare providers, health care service plans, or contractors are prohibited from disclosing medical information without first obtaining a valid authorization, except as specified by law.
Patient Rights and Provider Obligations
The California Confidentiality of Medical Information Act (CMIA) grants patients specific rights regarding their medical information, and healthcare providers have corresponding obligations to ensure the confidentiality and proper handling of this data.
Patient Rights
- Access to Medical Records:
- Patients have the right to inspect and obtain copies of their medical records maintained by healthcare providers. Providers must respond to such requests within five working days.
- Request for Amendments:
- If patients identify inaccuracies or incomplete information in their medical records, they can request amendments. Healthcare providers are required to review these requests and either make the necessary changes or provide a written denial explaining the reasons.
- Authorization for Disclosure:
- Patients must provide written authorization before their medical information can be disclosed to third parties, except in specific situations outlined by law. This ensures that patients control who has access to their sensitive health data.
- Confidential Communications:
- Patients can request that healthcare providers communicate with them through specific channels or at particular locations to maintain privacy. For example, a patient may ask to receive communications at their workplace instead of their home.
- Accounting of Disclosures:
- Patients have the right to receive an accounting of certain disclosures of their medical information made by the healthcare provider, ensuring transparency about who has accessed their data.
Provider Obligations
- Obtain Valid Authorizations:
- Before disclosing medical information, providers must secure a valid written authorization from the patient, except in circumstances permitted by law. This authorization should clearly state the information to be disclosed, the purpose of the disclosure, and the recipients.
- Implement Safeguards:
- Providers are required to establish appropriate administrative, technical, and physical safeguards to protect the privacy of medical information. This includes measures like secure storage systems, encryption, and access controls to prevent unauthorized access or breaches.
- Employee Training:
- Healthcare providers must ensure that their staff are trained on privacy policies and procedures related to medical information, fostering a culture of confidentiality and compliance within the organization.
- Respond to Patient Requests:
- Providers are obligated to respond to patient requests regarding access, amendments, or disclosures of their medical information in a timely and compliant manner, respecting the rights granted under the CMIA.
Knowledge Check
Choose the best answer for the question.
3-10-California. Which of the following best describes a technical safeguard required by CMIA?