Health Care Under HIPAA: Changes in Your Privacy Rights

California and federal laws provide for the confidentiality of a patient’s medical information. The general rule is that a patient’s medical information may not be disclosed without the patient’s express written consent. However, there are at least two major statutory and regulatory provisions which affect the disclosure of confidential medical information and may prevent your designated health care agent from receiving important information about you. They are 1) the Health Insurance Portability and Accountability Act (HIPAA) and 2) the California Confidentiality of Medical Information Act (CMIA).


Privacy rules under HIPAA became effective in April 2003 and since then the legal and medical communities have been working to understand how these rules apply to the various transactions that occur in the context of providing health care to a person. HIPAA applies to doctors and other “covered entities” which transmit protected health information in the course of their treatment of a patient and their receipt of payment for such treatment.

The “protected health information” which is subject to HIPAA privacy rules includes ‘any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house which relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provisions of health care to an individual’.

Improper disclosure of a person’s protected health information carries with it heavy monetary and criminal penalties: up to $250,000 in fines and 10 years in prison! However, a doctor or other covered entity that has a valid authorization to disclose a patient’s medical information to a third party will not be penalized for transmitting the patient’s information to the third party. Further, the third party who properly receives such information may reveal that information to others without penalty.


Since HIPAA is a federal law, it preempts any state law which provides less protection. This means that the health care power of attorney or an advance directive, which is authorized by the California Probate Code, giving your agent or attorney-in-fact the right to receive medical information about you, may not be a valid privacy waiver under HIPAA. You should either sign a new advance directive for health care or sign a standalone authorization which is valid under HIPAA.

An authorization for release of medical information is valid if:

It is handwritten by the patient, or printed in at least 14 point type;

It is signed and dated by the patient, the patient’s legal representative, the patient’s spouse; or the person financially responsible for the patient where the information is solely for the purpose of processing applications for dependent health care coverage, or the beneficiary or personal representative of a deceased patient;

It states the specific use and limitations on the type of information to be disclosed;

It states the name of the health care provider which may disclose the medical information;

It states the specific uses of and limitations on the use of the medical information by the authorized recipients;

It sets a specific termination date; and

It states that the person authorized may have a copy of the authorization.


California’s medical privacy law also prevents doctors from disclosing medical information without a valid authorization. In some respects, California’s law is stricter than the federal law. For example, a patient is defined as “any natural person, whether or not living” which brings the law into the estate planning context for probates and conservatorships. There has been concern in the legal community that disclosure of a person’s medical condition which often is the subject of a conservatorship hearing may be a violation either under HIPAA or the CMIA if there is no valid authorization to disclose such information by the proposed conservatee.

Likewise, because the issue of whether or not a person has “capacity” to execute a Will or Trust or other estate planning document is often litigated in probate courts, testimony involving a person’s medical condition can be revealed which may be a violation of the person’s privacy rights. The problem is that any disclosure of protected health information about a person who is a settlor of a trust or a trustee is a “disclosure” that is regulated under HIPAA and CMIA.


There are special rules for the discretionary release of a patient’s participation in out-patient treatment with a psychotherapist, and such release of information is prohibited without the written request of the person wanting to receive the information. Such person must be an authorized recipient under the California Civil Code, and the request must contain specific reference as to how the information will be used and the length of time it will be kept before it is destroyed.


A doctor is permitted to respond to anyone’s question about a specific patient by disclosing general information which is limited to the following: the patient’s name, address, age, gender, a general description of the reason for the treatment, the nature of the injury, general condition, and non-medical information.


It is common for doctors to dispute denials of payment with third-party payors such as insurance companies. Important confidentiality concerns are associated with a doctor’s correspondence to the insurer because it usually includes specific information about the patient’s diagnosis and treatment in order to prove that the care was indeed medically necessary or covered by the health insurance plan. Doctors should not communicate with payors without a valid written authorization from the patient. You can expect to see increased use of authorization forms when you next visit your doctor or health care provider.