CMIA & HIPAA – Unauthorized Disclosure Of Medical Information

Unlawful Disclosure Of Medical Information

Medical history often contains highly personal, and sometimes embarrassing, information. Whether such information concerns past procedures, chronic medical issues, or a catastrophic diagnosis, it is with good reason that lawmakers have created privacy protections for this sensitive data.

So when a medical provider, health care company, or outside contractor is not as careful with your information as they should be, you may wonder whether, and how, you can be made whole again. 

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) sets the regulatory baseline for the protection of patient health information at the federal level.

But HIPAA limits consumers’ ability to obtain damages for impermissible disclosures of protected health information. Under HIPAA, only the Department of Health and Human Services and state attorneys general have the power to enforce violations – individuals do not.

Given the high stakes for consumers, some states have gone a step further to give victims a voice when their privacy has been breached. 

California Confidentiality of Medical Information Act (CMIA)

The California Confidentiality of Medical Information Act (CMIA) is one such attempt to enable consumers to be made whole when their medical information has been improperly disseminated. The CMIA goes further than HIPAA in a number of respects.

Most notably, the CMIA allows individuals to initiate lawsuits and potentially recover compensatory damages, punitive damages not to exceed $3,000, attorneys’ fees not to exceed $1,000, and the costs of litigation. See California Civil Code § 56.35.

Under CMIA, “medical information” means any “individually identifiable information” in possession of or derived from “a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”

“Individually identifiable information” means information that contains elements sufficient to allow for identification of the individual, including but not limited to the “patient’s name, address, electronic mail address, telephone number, or social security number” that, when combined with publicly available information, would allow someone to identify the individual. California Civil Code § 56.05(j).

CMIA’s reach is not limited to medical professionals – the statute also allows individuals to seek disgorgement of profits when any “person or entity” uses medical information “knowingly or willfully,” and “for the purpose of financial gain.” California Civil Code § 56.36.

If you believe your personal medical information has been used without your consent and in violation of the law, you may have legal options to hold those responsible accountable. Dhillon Law Group’s attorneys would be happy to speak with you to see how we can help. 

Karin Sweigart handles First Amendment and defamation matters as Counsel at Dhillon Law Group.