California Confidentiality of Medical Information Act

California Civil Code, sections 56 - 56.37

56. This part may be cited as the Confidentiality of Medical Information Act.

56.05. For purposes of this part:

  1. "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
  2. "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
  3. "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. "Contractor" shall not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
  4. "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
  5. "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
  6. "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, or contractor regarding a patient's medical history, mental or physical condition, or treatment. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.
  7. "Patient" means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
  8. "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. "Provider of health care" shall not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

56.06.

  1. Any corporation organized for the primary purpose of maintaining medical information in order to make the information available to the patient or to a provider of health care at the request of the patient or a provider of health care, for purposes of diagnosis or treatment of the patient, shall be deemed to be a provider of health care subject to the requirements of this part. However, nothing in this section shall be construed to make a corporation specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
  2. Any corporation described in subdivision (a) shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the corporation.
  3. Any corporation described in subdivision (a) shall be subject to the penalties for improper use and disclosure of medical information prescribed in this part.

56.07.

  1. Except as provided in subdivision (c), upon the patient's written request, any corporation described in Section 56.06, or any other entity that compiles or maintains medical information for any reason, shall provide the patient, at no charge, with a copy of any medical profile, summary, or information maintained by the corporation or entity with respect to the patient.
  2. A request by a patient pursuant to this section shall not be deemed to be an authorization by the patient for the release or disclosure of any information to any person or entity other than the patient.
  3. This section shall not apply to any patient records that are subject to inspection by the patient pursuant to Section 123110 of the Health and Safety Code and shall not be deemed to limit the right of a health care provider to charge a fee for the preparation of a summary of patient records as provided in Section 123130 of the Health and Safety Code. This section shall not apply to a health care service plan licensed pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code or a disability insurer licensed pursuant to the Insurance Code. This section shall not apply to medical information compiled or maintained by a fire and casualty insurer or its retained counsel in the regular course of investigating or litigating a claim under a policy of insurance that it has written. For the purposes of this section, a fire and casualty insurer is an insurer writing policies that may be sold by a fire and casualty licensee pursuant to Section 1625 of the Insurance Code.

56.10.

  1. No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).
  2. A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following:
    1. By a court pursuant to an order of that court.
    2. By a board, commission, or administrative agency for purposes of adjudication pursuant to its lawful authority.
    3. By a party to a proceeding before a court or administrative agency pursuant to a subpoena, subpoena duces tecum, notice to appear served pursuant to Section 1987 of the Code of Civil Procedure, or any provision authorizing discovery in a proceeding before a court or administrative agency.
    4. By a board, commission, or administrative agency pursuant to an investigative subpoena issued under Article 2 (commencing with Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the Government Code.
    5. By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena duces tecum issued under Section 1282.6 of the Code of Civil Procedure, or any other provision authorizing discovery in a proceeding before an arbitrator or arbitration panel.
    6. By a search warrant lawfully issued to a governmental law enforcement agency.
    7. By the patient or the patient's representative pursuant to Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code.
    8. By a coroner, when requested in the course of an investigation by the coroner's office for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant death, suspicious deaths, unknown deaths, or criminal deaths, or when otherwise authorized by the decedent's representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation and shall be disclosed to the coroner without delay upon request.
    9. When otherwise specifically required by law.
  3. A provider of health care, or a health care service plan may disclose medical information as follows:
    1. The information may be disclosed to providers of health care, health care service plans, contractors or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. This includes, in an emergency situation, the communication of patient information by radio transmission or other means between emergency medical personnel at the scene of an emergency, or in an emergency medical transport vehicle, and emergency medical personnel at a health facility licensed pursuant to Chapter 2 (commencing with Section 1250) of Division 2 of the Health and Safety Code.
    2. The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, contractor or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. If (A) the patient is, by reason of a comatose or other disabling medical condition, unable to consent to the disclosure of medical information and (B) no other arrangements have been made to pay for the health care services being rendered to the patient, the information may be disclosed to a governmental authority to the extent necessary to determine the patient's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient.
    3. The information may be disclosed to any person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health care service plans or for any of the persons or entities specified in paragraph (2). However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part.
    4. The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations as established by Congress in Public Law 97-248 in 1982, contractors, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, health care service plans, organizations, reviewers, contractors, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges.
    5. The information in the possession of any provider of health care or health care service plan may be reviewed by any private or public body responsible for licensing or accrediting the provider of health care or health care service plan. However, no patient identifying medical information may be removed from the premises except as expressly permitted or required elsewhere by law, nor shall that information be further disclosed by the recipient in any way that would violate this part.
    6. The information may be disclosed to the county coroner in the course of an investigation by the coroner's office when requested for all purposes not included in paragraph (8) of subdivision (b).
    7. The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part.
    8. A provider of health care or health care service plan that has created medical information as a result of employment-related health care services to an employee conducted at the specific prior written request and expense of the employer may disclose to the employee's employer that part of the information that:
      1. Is relevant in a law suit, arbitration, grievance, or other claim or challenge to which the employer and the employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment, provided that information may only be used or disclosed in connection with that proceeding.
      2. Describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed.
    9. Unless the provider of health care or health care service plan is notified in writing of an agreement by the sponsor, insurer, or administrator to the contrary, the information may be disclosed to a sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from, if the information was created by the provider of health care or health care service plan as the result of services conducted at the specific prior written request and expense of the sponsor, insurer, or administrator for the purpose of evaluating the application for coverage or benefits.
    10. The information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan and may be transferred among providers of health care that contract with the health care service plan, for the purpose of administering the health care service plan. Medical information may not otherwise be disclosed by a health care service plan except in accordance with the provisions of this part.
    11. Nothing in this part shall prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent, or support organization, subject to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent, or support organization has complied with all requirements for obtaining the information pursuant to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code.
    12. The information relevant to the patient's condition and care and treatment provided may be disclosed to a probate court investigator engaged in determining the need for an initial conservatorship or continuation of an existent conservatorship, if the patient is unable to give informed consent, or to a probate court investigator, probation officer, or domestic relations investigator engaged in determining the need for an initial guardianship or continuation of an existent guardianship.
    13. The information may be disclosed to an organ procurement organization or a tissue bank processing the tissue of a decedent for transplantation into the body of another person, but only with respect to the donating decedent, for the purpose of aiding the transplant. For the purpose of this paragraph, the terms "tissue bank" and "tissue" have the same meaning as defined in Section 1635 of the Health and Safety Code.
    14. The information may be disclosed when the disclosure is otherwise specifically authorized by law, such as the voluntary reporting, either directly or indirectly, to the federal Food and Drug Administration of adverse events related to drug products or medical device problems.
    15. Basic information including the patient's name, city of residence, age, sex, and general condition may be disclosed to a state or federally recognized disaster relief organization for the purpose of responding to disaster welfare inquiries.
    16. The information may be disclosed to a third party for purposes of encoding, encrypting, or otherwise anonymizing data. However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part, including the unauthorized manipulation of coded or encrypted medical information that reveals individually identifiable medical information.
    17. For purposes of disease management programs and services as defined in Section 1399.901 of the Health and Safety Code, information may be disclosed as follows: (A) to any entity contracting with a health care service plan or the health care service plan's contractors to monitor or administer care of enrollees for a covered benefit, provided that the disease management services and care are authorized by a treating physician or (B) to any disease management organization, as defined in Section 1399.900 of the Health and Safety Code, that complies fully with the physician authorization requirements of Section 1399.902 of the Health and Safety Code, provided that the health care service plan or its contractor provides or has provided a description of the disease management services to a treating physician or to the health care service plan's or contractor's network of physicians. Nothing in this paragraph shall be construed to require physician authorization for the care or treatment of the adherents of any well-recognized church or religious denomination who depend solely upon prayer or spiritual means for healing in the practice of the religion of that church or denomination.
  4. Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no provider of health care, health care service plan, contractor, or corporation and its subsidiaries and affiliates shall intentionally share, sell, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient.
  5. Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no contractor or corporation and its subsidiaries and affiliates shall further disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan or insurer or self-insured employer received under this section to any person or entity that is not engaged in providing direct health care services to the patient or his or her provider of health care or health care service plan or insurer or self-insured employer.
  6. This section shall become operative January 1, 2003.

56.101. Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.

56.104.

  1. Notwithstanding subdivision (c) of Section 56.10, no provider of health care, health care service plan, or contractor may release medical information to persons or entities authorized by law to receive that information pursuant to subdivision (c) of Section 56.10, if the requested information specifically relates to the patient's participation in outpatient treatment with a psychotherapist, unless the person or entity requesting that information submits to the patient pursuant to subdivision (b) and to the provider of health care, health care service plan, or contractor a written request, signed by the person requesting the information or an authorized agent of the entity requesting the information, that includes all of the following:
    1. The specific information relating to a patient's participation in outpatient treatment with a psychotherapist being requested and its specific intended use or uses.
    2. The length of time during which the information will be kept before being destroyed or disposed of. A person or entity may extend that timeframe, provided that the person or entity notifies the provider, plan, or contractor of the extension. Any notification of an extension shall include the specific reason for the extension, the intended use or uses of the information during the extended time, and the expected date of the destruction of the information.
    3. A statement that the information will not be used for any purpose other than its intended use.
    4. A statement that the person or entity requesting the information will destroy the information and all copies in the person's or entity's possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time specified in paragraph (2) has expired.
  2. The person or entity requesting the information shall submit a copy of the written request required by this section to the patient within 30 days of receipt of the information requested, unless the patient has signed a written waiver in the form of a letter signed and submitted by the patient to the provider of health care or health care service plan waiving notification.
  3. For purposes of this section, "psychotherapist" means a person who is both a "psychotherapist" as defined in Section 1010 of the Evidence Code and a "provider of health care" as defined in subdivision (d) of Section 56.05 of the Civil Code.
  4. This section does not apply to the disclosure or use of medical information by a law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
  5. Nothing in this section shall be construed to grant any additional authority to a provider of health care, health care service plan, or contractor to disclose information to a person or entity without the patient's consent.

56.105. Whenever, prior to the service of a complaint upon a defendant in any action arising out of the professional negligence of a person holding a valid physician's and surgeon's certificate issued pursuant to Chapter 5 (commencing with Section 2000) of Division 2 of the Business and Professions Code, a demand for settlement or offer to compromise is made on a patient's behalf, the demand or offer shall be accompanied by an authorization to disclose medical information to persons or organizations insuring, responsible for, or defending professional liability that the certificate holder may incur. The authorization shall be in accordance with Section 56.11 and shall authorize disclosure of that information that is necessary to investigate issues of liability and extent of potential damages in evaluating the merits of the demand for settlement or offer to compromise.

Notice of any request for medical information made pursuant to an authorization as provided by this section shall be given to the patient or the patient's legal representative. The notice shall describe the inclusive subject matter and dates of the materials requested and shall also authorize the patient or the patient's legal representative to receive, upon request, copies of the information at his or her expense.

Nothing in this section shall be construed to waive or limit any applicable privileges set forth in the Evidence Code except for the disclosure of medical information subject to the patient's authorization. Nothing in this section shall be construed as authorizing a representative of any person from whom settlement has been demanded to communicate in violation of the physician-patient privilege with a treating physician except for the medical information request.

The requirements of this section are independent of the requirements of Section 364 of the Code of Civil Procedure.

56.11. Any person or entity that wishes to obtain medical information pursuant to subdivision (a) of Section 56.10, other than a person or entity authorized to receive medical information pursuant to subdivision (b) or (c) of Section 56.10, shall obtain a valid authorization for the release of this information.

An authorization for the release of medical information by a provider of health care, a health care service plan, or contractor shall be valid if it:

  1. Is handwritten by the person who signs it or is in typeface no smaller than 8-point type.
  2. Is clearly separate from any other language present on the same page and is executed by a signature which serves no other purpose than to execute the authorization.
  3. Is signed and dated by one of the following:
    1. The patient. A patient who is a minor may only sign an authorization for the release of medical information obtained by a provider of health care, health care service plan, or contractor in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60).
    2. The legal representative of the patient, if the patient is a minor or an incompetent. However, authorization may not be given under this subdivision for the disclosure of medical information obtained by the provider of health care, a health care service plan, or a contractor in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60).
    3. The spouse of the patient or the person financially responsible for the patient, where the medical information is being sought for the sole purpose of processing an application for health insurance or for enrollment in a nonprofit hospital plan, a health care service plan, or an employee benefit plan, and where the patient is to be an enrolled spouse or dependent under the policy or plan.
    4. The beneficiary or personal representative of a deceased patient.
  4. States the specific uses and limitations on the types of medical information to be disclosed.
  5. States the name or functions of the provider of health care, health care service plan, or contractor that may disclose the medical information.
  6. States the name or functions of the persons or entities authorized to receive the medical information.
  7. States the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information.
  8. States a specific date after which the provider of health care, health care service plan, or contractor is no longer authorized to disclose the medical information.
  9. Advises the person signing the authorization of the right to receive a copy of the authorization.

56.12. Upon demand by the patient or the person who signed an authorization, a provider of health care, a health care service plan, or contractor possessing the authorization shall furnish a true copy thereof.

56.13. A recipient of medical information pursuant to an authorization as provided by this chapter or pursuant to the provisions of subdivision (c) of Section 56.10 may not further disclose that medical information except in accordance with a new authorization that meets the requirements of Section 56.11, or as specifically required or permitted by other provisions of this chapter or by law.

56.14. A provider of health care, health care service plan, or contractor that discloses medical information pursuant to the authorizations required by this chapter shall communicate to the person or entity to which it discloses the medical information any limitations in the authorization regarding the use of the medical information. No provider of health care, health care service plan, or contractor that has attempted in good faith to comply with this provision shall be liable for any unauthorized use of the medical information by the person or entity to which the provider, plan, or contractor disclosed the medical information.

56.15. Nothing in this part shall be construed to prevent a person who could sign the authorization pursuant to subdivision (c) of Section 56.11 from cancelling or modifying an authorization. However, the cancellation or modification shall be effective only after the provider of health care actually receives written notice of the cancellation or modification.

56.16. Unless there is a specific written request by the patient to the contrary, nothing in this part shall be construed to prevent a provider, upon an inquiry concerning a specific patient, from releasing at its discretion any of the following information: the patient's name, address, age, and sex; a general description of the reason for treatment (whether an injury, a burn, poisoning, or some unrelated condition); the general nature of the injury, burn, poisoning, or other condition; the general condition of the patient; and any information that is not medical information as defined in subdivision (c) of Section 56.05.

56.17.

  1. This section shall apply to the disclosure of genetic test results contained in an applicant's or enrollee's medical records by a health care service plan.
  2. Any person who negligently discloses results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test.
  3. Any person who willfully discloses the results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and no more than five thousand dollars ($5,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test.
  4. Any person who willfully or negligently discloses the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), that results in economic, bodily, or emotional harm to the subject of the test, is guilty of a misdemeanor punishable by a fine not to exceed ten thousand dollars ($10,000).
  5. In addition to the penalties listed in subdivisions (b) and (c), any person who commits any act described in subdivision (b) or (c) shall be liable to the subject for all actual damages, including damages for economic, bodily, or emotional harm which is proximately caused by the act.
  6. Each disclosure made in violation of this section is a separate and actionable offense.
  7. The applicant's "written authorization," as used in this section, shall satisfy the following requirements:
    1. Is written in plain language.
    2. Is dated and signed by the individual or a person authorized to act on behalf of the individual.
    3. Specifies the types of persons authorized to disclose information about the individual.
    4. Specifies the nature of the information authorized to be disclosed.
    5. States the name or functions of the persons or entities authorized to receive the information.
    6. Specifies the purposes for which the information is collected.
    7. Specifies the length of time the authorization shall remain valid.
    8. Advises the person signing the authorization of the right to receive a copy of the authorization. Written authorization is required for each separate disclosure of the test results.
  8. This section shall not apply to disclosures required by the Department of Health Services necessary to monitor compliance with Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code, nor to disclosures required by the Department of Managed Care necessary to administer and enforce compliance with Section 1374.7 of the Health and Safety Code.
  9. For purposes of this section, "genetic characteristic" has the same meaning as that set forth in subdivision (d) of Section 1374.7 of the Health and Safety Code.

56.20.

  1. Each employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information. These procedures may include, but are not limited to, instruction regarding confidentiality of employees and agents handling files containing medical information, and security systems restricting access to files containing medical information.
  2. No employee shall be discriminated against in terms or conditions of employment due to that employee's refusal to sign an authorization under this part. However, nothing in this section shall prohibit an employer from taking such action as is necessary in the absence of medical information due to an employee's refusal to sign an authorization under this part.
  3. No employer shall use, disclose, or knowingly permit its employees or agents to use or disclose medical information which the employer possesses pertaining to its employees without the patient having first signed an authorization under Section 56.11 or Section 56.21 permitting such use or disclosure, except as follows:
    1. The information may be disclosed if the disclosure is compelled by judicial or administrative process or by any other specific provision of law.
    2. That part of the information which is relevant in a lawsuit, arbitration, grievance, or other claim or challenge to which the employer and employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment may be used or disclosed in connection with that proceeding.
    3. The information may be used only for the purpose of administering and maintaining employee benefit plans, including health care plans and plans providing short-term and long-term disability income, workers' compensation and for determining eligibility for paid and unpaid leave from work for medical reasons.
    4. The information may be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the patient, where the patient or other person specified in subdivision (c) of Section 56.21 is unable to authorize the disclosure.
  4. If an employer agrees in writing with one or more of its employees or maintains a written policy which provides that particular types of medical information shall not be used or disclosed by the employer in particular ways, the employer shall obtain an authorization for such uses or disclosures even if an authorization would not otherwise be required by subdivision (c).

56.21. An authorization for an employer to disclose medical information shall be valid if it:

  1. Is handwritten by the person who signs it or is in typeface no smaller than 8-point type.
  2. Is clearly separate from any other language present on the same page and is executed by a signature which serves no purpose other than to execute the authorization.
  3. Is signed and dated by one of the following:
    1. The patient, except that a patient who is a minor may only sign an authorization for the disclosure of medical information obtained by a provider of health care in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60) of Division 1.
    2. The legal representative of the patient, if the patient is a minor or incompetent. However, authorization may not be given under this subdivision for the disclosure of medical information which pertains to a competent minor and which was created by a provider of health care in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60) of Division 1.
    3. The beneficiary or personal representative of a deceased patient.
  4. States the limitations, if any, on the types of medical information to be disclosed.
  5. States the name or functions of the employer or person authorized to disclose the medical information.
  6. States the names or functions of the persons or entities authorized to receive the medical information.
  7. States the limitations, if any, on the use of the medical information by the persons or entities authorized to receive the medical information.
  8. States a specific date after which the employer is no longer authorized to disclose the medical information.
  9. Advises the person who signed the authorization of the right to receive a copy of the authorization.

56.22. Upon demand by the patient or the person who signed an authorization, an employer possessing the authorization shall furnish a true copy thereof.

56.23. An employer that discloses medical information pursuant to an authorization required by this chapter shall communicate to the person or entity to which it discloses the medical information any limitations in the authorization regarding the use of the medical information. No employer that has attempted in good faith to comply with this provision shall be liable for any unauthorized use of the medical information by the person or entity to which the employer disclosed the medical information.

56.24. Nothing in this part shall be construed to prevent a person who could sign the authorization pursuant to subdivision (c) of Section 56.21 from cancelling or modifying an authorization. However, the cancellation or modification shall be effective only after the employer actually receives written notice of the cancellation or modification.

56.245. A recipient of medical information pursuant to an authorization as provided by this chapter may not further disclose such medical information unless in accordance with a new authorization that meets the requirements of Section 56.21, or as specifically required or permitted by other provisions of this chapter or by law.

56.25.

  1. An employer that is a provider of health care shall not be deemed to have violated Section 56.20 by disclosing, in accordance with Chapter 2 (commencing with Section 56.10), medical information possessed in connection with providing health care services to the provider's patients.
  2. An employer shall not be deemed to have violated Section 56.20 because a provider of health care that is an employee or agent of the employer uses or discloses, in accordance with Chapter 2 (commencing with Section 56.10), medical information possessed by the provider in connection with providing health care services to the provider's patients.
  3. A provider of health care that is an employer shall not be deemed to have violated Section 56.10 by disclosing, in accordance with Chapter 3 (commencing with Section 56.20), medical information possessed in connection with employing the provider's employees. Information maintained by a provider of health care in connection with employing the provider's employees shall not be deemed to be medical information for purposes of Chapter 3 (commencing with Section 56.20), unless it would be deemed medical information if received or maintained by an employer that is not a provider of health care.

56.26.

  1. No person or entity engaged in the business of furnishing administrative services to programs which provide payment for health care services shall knowingly use, disclose, or permit its employees or agents to use or disclose medical information possessed in connection with performing administrative functions for such a program, except as reasonably necessary in connection with the administration or maintenance of the program, or as required by law, or with an authorization.
  2. An authorization required by this section shall be in the same form as described in Section 56.21, except that "third party administrator" shall be substituted for "employer" wherever it appears in Section 56.21.
  3. This section shall not apply to any person or entity that is subject to the Insurance Information Privacy Act or to Chapter 2 (commencing with Section 56.10) or Chapter 3 (commencing with Section 56.20).

56.265. A person or entity that underwrites or sells annuity contracts or contracts insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, and any affiliate of that person or entity, shall not disclose individually identifiable information concerning the health of, or the medical or genetic history of, a customer, to any affiliated or nonaffiliated depository institution, or to any other affiliated or nonaffiliated third party for use with regard to the granting of credit.

56.27. An employer that is an insurance institution, insurance agent, or insurance support organization subject to the Insurance Information and Privacy Protection Act, Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, shall not be deemed to have violated Section 56.20 by disclosing medical information gathered in connection with an insurance transaction in accordance with that act.

56.28. Nothing in this part shall be deemed to affect existing laws relating to a patient's right of access to his or her own medical information, or relating to disclosures made pursuant to Section 1158 of the Evidence Code, or relating to privileges established under the Evidence Code.

56.29.

  1. Nothing in Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 shall be construed to permit the acquisition or disclosure of medical information regarding a patient without an authorization, where the authorization is required by this part.
  2. The disclosure of medical information regarding a patient which is subject to subdivision (b) of Section 1798.24 shall be made only with an authorization which complies with the provisions of this part. Such disclosure may be made only within the time limits specified in subdivision (b) of Section 1798.24.
  3. Where the acquisition or disclosure of medical information regarding a patient is prohibited or limited by any provision of Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3, the prohibition or limit shall be applicable in addition to the requirements of this part.

56.30. The disclosure and use of the following medical information shall not be subject to the limitations of this part:

  1. (Mental health and developmental disabilities) Information and records obtained in the course of providing services under Division 4 (commencing with Section 4000), Division 4.1 (commencing with Section 4400), Division 4.5 (commencing with Section 4500), Division 5 (commencing with Section 5000), Division 6 (commencing with Section 6000), or Division 7 (commencing with Section 7100) of the Welfare and Institutions Code.
  2. (Public social services) Information and records that are subject to Sections 10850, 14124.1, and 14124.2 of the Welfare and Institutions Code.
  3. (State health services, communicable diseases, developmental disabilities) Information and records maintained pursuant to former Chapter 2 (commencing with Section 200) of Part 1 of Division 1 of the Health and Safety Code and pursuant to the Communicable Disease Prevention and Control Act (subdivision (a) of Section 27 of the Health and Safety Code).
  4. (Licensing and statistics) Information and records maintained pursuant to Division 2 (commencing with Section 1200) and Part 1 (commencing with Section 102100) of Division 102 of the Health and Safety Code; pursuant to Chapter 3 (commencing with Section 1200) of Division 2 of the Business and Professions Code; and pursuant to Section 8608, 8817, or 8909 of the Family Code.
  5. (Medical survey, workers' safety) Information and records acquired and maintained or disclosed pursuant to Sections 1380 and 1382 of the Health and Safety Code and pursuant to Division 5 (commencing with Section 6300) of the Labor Code.
  6. (Industrial accidents) Information and records acquired, maintained, or disclosed pursuant to Division 1 (commencing with Section 50), Division 4 (commencing with Section 3200), Division 4.5 (commencing with Section 6100), and Division 4.7 (commencing with Section 6200) of the Labor Code.
  7. (Law enforcement) Information and records maintained by a health facility which are sought by a law enforcement agency under Chapter 3.5 (commencing with Section 1543) of Title 12 of Part 2 of the Penal Code.
  8. (Investigations of employment accident or illness) Information and records sought as part of an investigation of an on-the-job accident or illness pursuant to Division 5 (commencing with Section 6300) of the Labor Code or pursuant to Section 105200 of the Health and Safety Code.
  9. (Alcohol or drug abuse) Information and records subject to the federal alcohol and drug abuse regulations (Part 2 (commencing with Section 2.1) of subchapter A of Chapter 1 of Title 42 of the Code of Federal Regulations) or to Section 11977 of the Health and Safety Code dealing with narcotic and drug abuse.
  10. (Patient discharge data) Nothing in this part shall be construed to limit, expand, or otherwise affect the authority of the California Health Facilities Commission to collect patient discharge information from health facilities.
  11. Medical information and records disclosed to, and their use by, the Insurance Commissioner, the Director of the Department of Managed Health Care, the Division of Industrial Accidents, the Workers' Compensation Appeals Board, the Department of Insurance, or the Department of Managed Health Care.

56.31. Notwithstanding any other provision of law, nothing in subdivision (f) of Section 56.30 shall permit the disclosure or use of medical information regarding whether a patient is infected with or exposed to the human immunodeficiency virus without the prior authorization from the patient unless the patient is an injured worker claiming to be infected with or exposed to the human immunodeficiency virus through an exposure incident arising out of and in the course of employment.

56.35. In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and the costs of litigation.

56.36.

  1. Any violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
  2. In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
    1. Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
    2. The amount of actual damages, if any, sustained by the patient.
    1. In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.
      1. Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation.
      2. Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.
      1. Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation.
      2. Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.
    2. Nothing in this subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.
    3. Any person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.
  3. In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the licensing agency or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:
    1. Whether the defendant has made a reasonable, good faith attempt to comply with this part.
    2. The nature and seriousness of the misconduct.
    3. The harm to the patient, enrollee, or subscriber.
    4. The number of violations.
    5. The persistence of the misconduct.
    6. The length of time over which the misconduct occurred.
    7. The willfulness of the defendant's misconduct.
    8. The defendant's assets, liabilities, and net worth.
    1. The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:
      1. The Attorney General.
      2. Any district attorney.
      3. Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance.
      4. Any city attorney of a city.
      5. Any city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney.
      6. A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county.
    2. If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered.
    3. If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered.
    4. Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation.
    5. Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law.
  4. For purposes of this section, "knowing" and "willful" shall have the same meanings as in Section 7 of the Penal Code.
  5. No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part.

56.37.

  1. No provider of health care, health care service plan, or contractor may require a patient, as a condition of receiving health care services, to sign an authorization, release, consent, or waiver that would permit the disclosure of medical information that otherwise may not be disclosed under Section 56.10 or any other provision of law. However, a health care service plan or disability insurer may require relevant enrollee or subscriber medical information as a condition of the medical underwriting process, provided that Sections 1374.7 and 1389.1 of the Health and Safety Code are strictly observed.
  2. Any waiver by a patient of the provisions of this part, except as authorized by Section 56.11 or 56.21 or subdivision (b) of Section 56.26, shall be deemed contrary to public policy and shall be unenforceable.