Rights and Requirements: A Guide to Privacy and Security of Health Information in California

Center for Democracy & Technology

Protecting patients' personal health information is essential. This report describes the overlapping federal and California laws that protect that information and govern the response to breaches.

October 2013

The federal government and the State of California both have laws and regulations protecting the privacy and security of personal health information. This report describes the health privacy landscape in California, including the federal Health Insurance Portability and Accountability Act (HIPAA) and California's own Confidentiality of Medical Information Act (CMIA). It also examines the impact of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Patient Protection and Affordable Care Act (ACA). 

The report explains how these laws work in tandem under the legal doctrine of federal preemption. Specific topics include:

  • Sources of legal protection for health information privacy
  • Who and what types of health information are covered by which privacy laws
  • Patients' rights to access and amend health information
  • Audit trails for health information disclosures
  • How entities are permitted to use and disclose health information
  • Patient notification in the event of a breach
  • Enforcement of health information privacy laws
  • Protections for information collected by health insurers and health insurance exchanges

The report also identifies gaps in privacy protection that remain unaddressed. 
