What are my rights to privacy regarding my medical information under both HIPAA and California's Confidentiality of Medical Information Act (CMIA)?
Under California law, you have strong rights to control who sees your medical information, often exceeding the protections offered by the federal HIPAA law. Your healthcare providers and health plans generally cannot disclose your information without your specific, written consent.
Here is how to understand and protect your rights:
Step 1: Control Disclosures Through Authorization
Your medical information cannot be shared for most purposes without your valid, written authorization. Under California's Confidentiality of Medical Information Act (CMIA), a valid authorization form must be specific, stating who is releasing the information, who will receive it, what specific information will be shared, the purpose of the disclosure, and an expiration date.
Step 2: Know the Exceptions
Be aware that your authorization is not required in certain situations. Per California Civil Code Section 56.10, providers can share your information without your consent for purposes of treatment, payment, healthcare operations, or in response to a court order or subpoena. Law enforcement may also access information in limited, specific circumstances.
Step 3: Access and Review Your Own Records
You have the right to inspect your medical records within 5 business days of making a written request to your provider. You can also get a copy of your records, usually within 15 days. If you find an error, you have the right to submit a written addendum to your file.
Step 4: File a Complaint if Your Privacy is Violated
If you believe a provider or health plan has improperly disclosed your information, first file a written complaint directly with their privacy officer. You can also file a complaint with the California Attorney General's Office or the U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA violations).
Important considerations: California's CMIA is generally stricter than HIPAA. When a state law provides greater privacy protection, it overrides the federal law. The CMIA allows you to sue for damages if your privacy is violated, as outlined in California Civil Code Section 56.35.
Note: These privacy rights apply to healthcare providers and health plans. They do not apply to information you voluntarily share on social media, with certain mobile health apps, or in other non-medical contexts.
This is general information and does not constitute legal advice. For complex situations, such as pursuing a lawsuit for a privacy breach, consult with a qualified California attorney.
Updated: August 14, 2025