Your Health Privacy Rights in California

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that safeguards your protected health information (PHI) by ensuring it is kept confidential and used only for treatment, payment, or healthcare operations unless you give consent.

Your Rights Under HIPAA:

  • Access your medical records.
  • Request changes to your records.
  • Limit who sees your information.
  • Receive a notice of privacy practices.
  • Request that communications be sent confidentially.
  • File complaints for privacy violations.

California-Specific Privacy Protections:

In California, you are also protected under state laws that offer additional rights beyond HIPAA:

  • California Confidentiality of Medical Information Act (CMIA): This law provides strict guidelines on how medical information is shared by healthcare providers, insurers, and third parties.
  • California Consumer Privacy Act (CCPA): Gives you the right to know what personal data is collected, request deletion, and opt out of its sale — including some health-related data collected by certain businesses.
  • California requires written authorization for most disclosures not related to direct care, payment, or operations.
  • Additional protections apply for sensitive information such as HIV status, mental health treatment, and substance use disorder records.

What Is Considered Protected Health Information (PHI)?
PHI includes any health data that can identify you — such as medical history, test results, insurance data, or billing information — whether electronic, paper, or spoken.

How Can Your PHI Be Shared?
Without your permission, your PHI can only be used for treatment, payment, or healthcare operations. All other uses — including marketing or sharing with third parties — generally require your explicit written consent under both HIPAA and California law.

Filing a Complaint:
If you believe your privacy rights have been violated:

  • File a complaint with your healthcare provider’s privacy officer.
  • Contact the U.S. Department of Health & Human Services: File a HIPAA complaint
  • File a complaint with the California Department of Public Health: CDPH Privacy Page