1. Introduction
  2. What information do your medical records contain?
  3. What is a notice of privacy practices?
  4. When is authorization required to use or disclose your medical information?
  5. When can your medical information be used and disclosed without your authorization or consent?
  6. What are some other ways that medical information may be disclosed?
  7. Resources

1. Introduction

It is very likely that you consider all your medical information to be personal, sensitive, and private—something that is kept strictly between you and your doctors, to be used only for your own medical treatment. Unfortunately, this is far from reality. Many people who have nothing to do with your treatment have access to and use your medical information.

Doctors, nurses, and other health care professionals practice medicine, but they do it within the context of the larger health care industry. This means insurers, practice management services, transcribers, pharmacy benefits managers, and many others all use your identifiable medical information. Further, it is assumed that you consent to covered entities or their business associates’ use of this information for purposes of treatment, payment, and routine business operations.

For definitions of medical privacy terms used in this guide, see PRC’s California Medical Privacy Fact Sheet C1: Medical Privacy Basics for Californians.

This may leave you wondering if you have any privacy rights at all concerning your medical information. Fortunately, you have some rights, and this Fact Sheet explains what they are, how to exercise them, and what their limits are.

2.  What information do your medical records contain?

PRC’s Fact Sheet C1: Medical Privacy Basics for Californians covers this in more depth, but to summarize, a typical medical record includes:

  • Unique identifiers such as your full name and your provider account number.  Most providers have eliminated Social Security numbers (SSN) from patient records because of the risk of identity theft. If your SSN is still in a record, it should be truncated to reveal only the last four or five digits.
  • Demographic data including your address, phone number(s), and email address. There may be additional information you provided on an intake form such as age, gender, and race.
  • Known medical conditions, allergies, drug/alcohol/smoking habits, as well as your health care provider’s records of your visits, diagnoses, treatments, diagnostic test results, prescriptions, and referrals to other doctors.
  • Billing and payment information, such as the party responsible for payment, health insurer, and primary beneficiary.
  • Information you provide on an intake form about the health of your immediate family members, particularly parents and siblings, and whether there is a history of certain diseases.

Providers currently keep your records in either paper or electronic files at their individual locations.  Electronic health information exchange (HIE) will change this model radically. HIE will make your records electronically accessible to all permissible health care personnel, wherever those records may be.  You may have noticed the change already if your health care provider has introduced you to a “patient portal” where you can access some of your medical information online—possibly diagnostic test results—and send and receive secure emails with the provider.

The goals driving HIE are improved quality of care, greater overall efficiency of medical practice, and lower costs. It will certainly result in widespread flow of your medical information, which could benefit your health but will also likely increase privacy risks.  For in-depth information on HIE, see California Medical Privacy Fact Sheet C6: Health Information Exchange: Is Your Privacy Protected?

3.  What is a notice of privacy practices?

A notice of privacy practices (NPP) is a written statement from a person, institution, or business that collects and maintains personal information. The NPP explains what is done with that information and what your rights are regarding it. A health care provider usually gives you an NPP on your first visit, and perhaps annually thereafter.  You will also receive an annual NPP from your health plan.

California law requires notice only when the health care provider is a state agency such as a county hospital or clinic.  However, HIPAA requires all covered entities to notify you of their privacy practices. The HIPAA regulations state that the notice should be written in plain language and should tell you:

  • How your doctor or health care provider may use and disclose your medical information.
  • Your rights concerning the information and how to exercise them, including how to complain to your health care provider, and also how to file a complaint with the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which enforces the HIPAA regulations.
  • The provider’s legal duties concerning your information, including a statement that the provider is legally required to maintain the privacy of that information.
  • Who to contact for further information about the provider’s privacy policies. (45 CFR 164.520)

4.  When is authorization required to use or disclose your medical information?

A notice of privacy practices is just that. It is not a consent form.  By signing the notice, you acknowledge that you have read and understood it.  Your signature does not authorize any use or disclosure of your medical information.

a. Is there a difference between “authorization” and “consent”?

Yes. Although the terms “authorization” and “consent” are often used interchangeably, “authorization” has a defined legal meaning.  Authorization is written consent.  It may be either handwritten or in at least 14-point type, and it must be signed and dated by you.  Your authorization gives others permission to access and use your medical information. (The CMIA definition of “authorization” is at Cal. Civ. Code § 56.21; HIPAA requirements for a valid authorization are at 45 CFR § 164.508(c).)

b. Authorization for “sensitive” information

California requires separate written authorization for certain types of sensitive information. These include:

  • Psychotherapy notes, which you can release to others but not see yourself. (Cal. Civ. Code § 56.104)
  • Drug and alcohol treatment records. (Cal. Health & Safety Code §§ 11845.5, 123105(b))
  • HIV status and test results, except for diagnosis, care, and treatment. (Cal. Health & Safety Code §§ 120975-121125)
  • Genetic test results for a life or disability insurance application. (Cal. Ins. Code § 10140.1)

c. Authorization for research

Except for public health research, researchers who want to use your identifiable medical information need either your written authorization or a waiver for their project from an Institutional Review Board (IRB).  There is an exception for data that is de-identified or considered a limited data set.

De-identified data has had 18 specific identifiers removed. This is HIPAA’s “safe harbor” method; the regulation also accepts a qualified expert’s written determination that the risk of re-identifying the data is very small. (45 CFR § 164.514(b))

A limited data set has had most identifiers removed, but may still include: dates of admission or discharge from a hospital; dates you have received medical treatment; date of birth and death; age (including age 90 or older); and a five-digit zip code, along with state, county, city, or precinct, but not your actual street address.
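As an added illustration (not part of the original fact sheet, and not code from PRC or HHS), the following Python example applies the two standards described above, safe-harbor de-identification and a limited data set, to a constructed patient record. The field names, the sample values, and the list of small-population ZIP prefixes are assumptions made for the example; the regex scrub of the notes field shows why dropping structured fields alone is not enough.

```python
"""Added example: HIPAA "safe harbor" de-identification (45 CFR 164.514(b)(2))
versus a "limited data set" (45 CFR 164.514(e)) built from one record.
Illustrative code for this fact sheet, not the regulation's text and not PRC
or HHS code. Field names and the sample record are constructed.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Direct identifiers that both methods remove (safe-harbor items other than
# the geography and date items, which are handled separately below).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Geography smaller than a state: safe harbor drops it (only the first three
# ZIP digits may remain); a limited data set may keep city/county/ZIP.
SMALL_GEOGRAPHY = {"city", "county", "precinct"}
# Dates directly related to the individual: safe harbor keeps only the year;
# a limited data set may keep the full date.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes with <= 20,000 people per HHS guidance (2000 census);
# safe harbor replaces these with "000". Assumed here; verify against current
# census data before relying on it.
SMALL_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}
# Free text can carry identifiers no field-drop rule catches (safe-harbor
# item 18). Minimal constructed patterns for SSN- and phone-shaped strings.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_free_text(text: str) -> str:
    """Redact SSN- and phone-shaped substrings from a notes field."""
    return PHONE_RE.sub("[PHONE]", SSN_RE.sub("[SSN]", text))


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """164.514(e): drop direct identifiers; keep dates, ages, city/state/ZIP."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"])
    return out


def safe_harbor(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """164.514(b)(2): every identifier category removed or reduced."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            out[key] = value.year if value is not None else None
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        else:
            out[key] = value
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"])
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            # Ages over 89, and date elements revealing such an age, must be
            # collapsed into a single "90 or older" category.
            out["age"] = "90+"
            out["birth_date"] = None
        else:
            out["age"] = age
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Sacramento",
    "county": "Sacramento",
    "state": "CA",
    "zip": "95814",
    "phone": "916-555-0100",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "birth_date": date(1931, 6, 15),
    "admission_date": date(2013, 3, 2),
    "discharge_date": date(2013, 3, 5),
    "diagnosis_code": "E11.9",
    "notes": "Spouse can be reached at (916) 555-0199. SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, as_of=SAMPLE["admission_date"]))
    print(limited_data_set(SAMPLE))
```

Running the block prints both derived records. Note that the limited data set still contains dates and the full five-digit ZIP, which is why HIPAA requires a data use agreement before it may be shared for research, while the safe-harbor output keeps only year, three-digit ZIP and an age that is capped at 90.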

d. Authorization for marketing

Your authorization, along with a clear disclosure of how information will be used and shared, is required for your medical information to be used for marketing purposes.  (Cal. Civ. Code § 1798.91)  However, there are exceptions.  For more detailed information on medical information and marketing, see PRC’s California Medical Privacy Fact Sheet C3, Section 5: What are your rights regarding marketing and your medical information?

e. Before you give authorization…

It is always important to read and understand anything you are asked to sign.  If you are authorizing a release of your medical records, look for the specific purposes for which the information will be used and how long the authorization lasts.  Be wary of signing a form that authorizes your medical records’ release for “all legally valid purposes” and has no time limit.  If you see this language or something equally broad and open-ended, cross it out and write in your own terms.

5.  When can your medical information be used and disclosed without your authorization or consent?

Your authorization is generally not required to use and disclose your medical information for the purposes most people would consider “normal.” Your data—unless it is legally defined as “sensitive” —will be used for treatment, payment, and health care operations regardless of whether you authorize it or not.  In addition, the Confidentiality of Medical Information Act (CMIA) has nine mandatory exceptions to the authorization requirement and 22 permitted exceptions. (Cal. Civ. Code § 56.10) A partial list of exceptions includes:

  • determining your eligibility for benefits or services;
  • law enforcement purposes;
  • a court order or search warrant;
  • a coroner’s investigation;
  • public health purposes or disaster relief.

When you take all of the exceptions into account, your authorization is required only for use and disclosure of certain types of “sensitive” information, in some research situations, and under some marketing scenarios.

a. Information disclosed for medical treatment and payment

Disclosures for treatment and payment are fairly self-explanatory.  Medical information is used and shared for the purpose of treating you.  In addition, whoever pays your medical bills—most likely an insurer or health plan—sees the information necessary to determine charges and to determine who pays what amount.

Insurers cannot see your actual medical record without your authorization.  They receive a treatment code from your health care provider so that they know how much to pay the provider and can determine what your share is on the explanation of benefits (EOB) they send you.  It is important to note that billing codes can supply enough information to create an outline of your medical history.  If your employer is responsible for paying your medical costs, disclosure to insurers may also include disclosures to employers. For more information, see California Medical Privacy Fact Sheet C5: Employment and Your Medical Privacy.

i. Medical information can end up in credit reports

Your medical information may be revealed without your authorization if you are late paying a medical bill. If your overdue medical bill continues to go unpaid, the hospital, doctor, insurer or any other covered entity, like any creditor, might hire a third-party debt collector. Reports to credit bureaus and a collection agency’s efforts are considered “payment” functions under HIPAA. This means that information can be disclosed without your knowledge or consent.

Collection agencies pursuing unpaid medical bills operate as “business associates” of a health care provider. What they may or may not do is regulated by HIPAA’s “business associate” and “minimum necessary” requirements. They may receive from the health provider only the minimum amount of information necessary to carry out their function. Currently, it is up to providers to determine what the minimum necessary amount of information is.

While a health care provider can disclose minimum necessary information to a collection agency, HIPAA restricts the amount of information either a provider-creditor or a collection agency can furnish to a credit bureau.  Information furnished to a credit bureau may only include (1) name and address; (2) date of birth; (3) Social Security number; (4) payment history; (5) account number; and (6) name and address of the health care provider or health plan.

Unpaid medical debts can also turn up in a credit report and reveal an underlying medical condition.  The Fair and Accurate Credit Transactions Act (FACTA) gives you some protection against disclosure of medical information here.  FACTA restricts consumer reporting agencies from including credit-related medical information in reports used for employment, credit transactions, or insurance transactions without your authorization.  A consumer reporting agency (CRA) may not disclose the name, address, and telephone number of a medical provider responsible for information in the report. Creditors may not base a decision to grant consumer credit on medical information. (Pub. L. No. 108-159, 117 Stat. 1952 (2003))

California law offers similar protection.  A CRA may not include medical information in consumer files or provide medical information for employment, insurance, or credit purposes in a consumer credit report without authorization. (Cal. Civ. Code § 1785.13(f))

b. Information disclosed for health care operations

Your authorization is not needed to disclose medical information for health care operations. What are health care operations? From a privacy perspective, HIPAA has a long and non-reassuring definition, which includes many terms in need of definitions themselves. (45 CFR § 164.501)  Health care operations include, in part:

  • a standards board rating the quality of health care providers;
  • providers contacting patients with information about treatment alternatives and related matters other than treatment;
  • training for health care professionals and non-health care professionals;
  • activities related to creating, renewing, or replacing health insurance contracts or benefits between providers and insurers;
  • auditing for fraud, abuse, and regulatory compliance;
  • business management and general administrative duties;
  • data transfers involved in the sale, merger, or consolidation of a provider (such as a hospital or clinic);
  • fundraising—although under pending regulations you must be notified of your right to opt out of a written fundraising solicitation. Fundraising is a potential privacy issue because it is often contracted to third parties outside the health care system.

Without actually being involved in the functions or activities that fall under “operations,” it is all but impossible to know how much of your medical information is disclosed as such and who may see it.  However broad the “health care operations” exception to the CMIA and HIPAA may be, your consent to the use of your medical information for anything that falls under that category is assumed.

c. Disclosures to contractors and business associates of covered entities

Under California law, a “contractor” is a “medical group, independent practice association (IPA), pharmacy benefits manager (PBM), or a medical service organization that is not a health care service plan or provider of health care.” (Cal. Civ. Code § 56.05(c))  Just as health care providers and insurers do not need your authorization to use your medical information for treatment, payment, health care operations, or additional statutory exceptions, neither do contractors.

Under HIPAA, a “business associate” has a contract with a covered entity to perform services on behalf of a health care provider or institution during which individually identifiable health information is created, used, or disclosed. Examples include legal representation, actuarial work (for example, assessing risk for insurers), accounting and billing, collections, data aggregation, administration and management, accreditation, or consulting.  (45 CFR § 164.103) For more information, see the HHS web page on business associates.

Whether they are called a contractor or business associate, many persons or businesses with whom you have no direct relationship—and certainly no treatment relationship—have access to your medical records. Examples include your doctor’s billing or practice management services.  However, recent changes to HIPAA impose some of the same privacy and security requirements on business associates (and their subcontractors) that apply to covered entities:

  • Business associates must implement administrative safeguards such as policies and training regarding handling protected health information (PHI). They must also implement physical safeguards (facility security) and technical safeguards (encryption, authentication, and so on) required by the HIPAA Security Rule.  For more on the Security Rule, see our FS 8a, Section 12, The HIPAA Security Rule.
  • Business associates must pay the same civil and criminal penalties as covered entities for privacy and security violations. (HITECH Act § 13401; 42 U.S.C. § 17931)
  • Business associates have the same breach notification requirements as covered entities.  (HITECH Act § 13402; 42 U.S.C. §17930)
  • Business associates must account to patients for disclosures of protected health information. The U.S. Department of Health and Human Services has not yet finalized the “accounting for disclosures” rule. It will give individuals the right to ask their providers for a list of disclosures of their medical information for three years prior to the date of the request, including disclosures made for treatment, payment, and business operations.

The rule is part of the HITECH Act, but its implementation has raised objections from various competing interests. The questions surrounding which disclosures should be mandatory and in what form they should be made are the subject of much discussion. It is difficult to predict when this rule will be finalized, but it is certain to take longer than the rest of the new rules promulgated under HITECH. (HITECH Act § 13405(c); 42 U.S.C. § 17935) The proposed rule was published in the Federal Register.

6. What are some other ways that medical information may be disclosed?

In addition to treatment, payment, health care operations, and the numerous statutory exceptions to consent requirements, there are other ways your health information may be disclosed.  Sometimes these are with your knowledge and consent, but sometimes they are not.

a. Individual health insurance

If you buy your own health insurance, you must authorize the release of your medical records to the insurer so that it may evaluate you for a policy.  Make sure that the release you sign is limited to the insurance policy you are applying for.  In addition, make sure that the release provides a time limit on access to your information.

Insurance companies are regulated by the California Department of Insurance. They also have consumer privacy and data security obligations as financial institutions under the federal Gramm-Leach-Bliley (GLB) Act. For more about GLB, see PRC Fact Sheet 24: Protecting Financial Privacy: the Burden Is on You.

Insurance companies must:

  • notify you about how they may share your information;
  • allow you to opt out of sharing your information with third parties not affiliated with the company;
  • safeguard sensitive data. (15 U.S.C. §§ 6801-6809)

For help with questions, or problems concerning health insurers, see the California Department of Insurance website.

b. Group health insurance

If you have group health insurance through an employer, you may be asked to fill out a health questionnaire to determine if you have a pre-existing condition that would be excluded from coverage for a period of time. If your group health plan is through a small business (2-50 employees), the exclusion period for pre-existing conditions is six months following the effective date of coverage under the plan. (Cal. Health & Safety Code §§ 1357.06 and 1357.51(a))

Large-employer group health plans (for more than 50 employees) and association group health insurance require medical underwriting to evaluate an applicant for coverage. This means that in order to find out if you have a pre-existing condition for which there may be an exclusionary period or coverage can be denied, an employer may ask you to fill out a health questionnaire. Although an employer can obtain health information in this way, the CMIA imposes privacy and confidentiality requirements on the employer regarding that information. (Cal. Civ. Code §§ 56.20-56.245)

For more information on insurance and disclosures of medical information, see California Medical Privacy Fact Sheet C5, Section 6: If your employer sponsors your health plan, does it have access to your medical information?

c. Employment or applying for work

California law prohibits employers from requiring job applicants to take a medical or psychological examination before offering a job. It also prohibits employers from inquiring about mental or physical disabilities or medical conditions. However, an employer may ask about an applicant’s ability to perform any job-related functions. After offering a job, the employer may ask the applicant to have a pre-employment medical exam or laboratory test as long as it relates specifically to the requirements of the job. (Fair Employment and Housing Act (FEHA), Cal. Gov’t Code §§ 12900 – 12996)

See the California Department of Fair Employment and Housing Fact Sheet titled “Employment Inquiries” for more information about what employers can ask job applicants and employees.

In California, the CMIA requires employers who receive your medical information to protect its confidentiality.  An employer must also get your authorization to disclose the information.  But there are exceptions, including:

  • disclosures compelled by law;
  • for information that is part of a lawsuit between you and your employer;
  • if it is necessary to maintain an employee benefit plan;
  • if it is requested by a health care provider.  (Cal. Civ. Code §§ 56.20-56.245)

California Medical Privacy Fact Sheet C5: Employment and Your Medical Privacy discusses issues related to employment and your medical information’s privacy.  It also addresses medical privacy and employee wellness programs.

d. Interaction with government agencies

State and federal government agencies that process claims related to medical records may request your records for the purpose of verifying your claims.  This includes Medicare, Medicaid, Medi-Cal, Social Security Disability, and Workers’ Compensation.  The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has access to your medical records if they are part of a claim being investigated.

e. Prescription drug monitoring

Law enforcement agencies can access your medical and prescription information. In almost all cases, a subpoena is required.  There is an exception for prescription drug databases that many states, including California, have set up to monitor abuse of controlled substances.  All health care providers and pharmacists must report their prescriptions for certain drugs considered, for example, to be narcotics, to the state.  For more information on prescription drug monitoring, see California Medical Privacy Fact Sheet C4: Your Prescriptions and Your Privacy.

f. Public health purposes

Public health reporting generally does not require your authorization. Reasons for public health reporting include:

  • monitoring epidemics;
  • investigating tainted food or drug cases;
  • intervening in emergency or disaster situations;
  • evaluating public health programs;
  • terrorism preparedness;
  • public health services; and
  • public health research. (Cal. Civ. Code § 56.10(b)(3); 45 CFR § 164.512(b))

Some federal agencies that may access personal health information are: the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Federal Emergency Management Agency (FEMA), and the Occupational Safety and Health Administration (OSHA).

California’s Department of Public Health (DPH) may also access medical records for public health emergency preparedness; drinking water and environmental management; food, drug, and radiation safety; and environmental and occupational disease control.  In addition, reporting is required for certain diseases (like AIDS), child and elder abuse, and births and deaths.

The HIPAA notice of privacy practices you receive from health care providers tells you that “your health information may be shared with public health authorities for public health purposes.” You can request information about public health disclosures to learn who received the information, the dates of disclosures, a summary of what was disclosed, and a brief explanation of the reasons for disclosure or a copy of the request.

To learn more about this, including how to request an accounting of disclosures, see the California Department of Public Health (DPH) website.

g. The Medical Information Bureau

There is a great deal of misunderstanding about the Medical Information Bureau (MIB). The MIB is a private company that maintains a database of individual medical and other information for approximately 750 member insurance companies.  MIB members use the database to assess risk and prevent fraud on applications.

The Affordable Care Act (ACA), by requiring all adults to purchase health insurance, eliminates pre-existing conditions as a qualifying factor.  When the state health insurance exchanges mandated by the ACA begin operating in 2014, insurers will not be able to require you to authorize release of your medical records when you apply for health insurance.  They will also no longer need to refer to the MIB to assess risk or the validity of medical information in your application, because the application will not contain medical information.  Insurers will still want your medical records and will still have use for the MIB in assessing other types of individual insurance applications where health is a risk factor, like life, disability, and long-term-care policies.

According to the MIB, only about 15-20% of applicants for individual insurance end up in the database, because they have applied within the last seven years (the length of time the MIB maintains records) and their application has revealed a medical problem that affects morbidity or mortality, in other words, the likelihood of acquiring a certain disease or condition or dying from it.

If you want to find out if you are in the MIB database, and if so, what is in your record, you may request a free MIB report annually by calling 866-692-6901 (a recording).  You will be asked for some personally identifying information so that your record can be located, if one exists.  In about two weeks, you will receive either your record or a notice that no record was found.

What is in a MIB report? The MIB database contains information about medical conditions and diagnostic tests, reported by insurers, and based on medical records they receive as part of your application process.  The MIB does not have the actual records.  Instead, it identifies medical conditions and risky lifestyle choices (for example, smoking or skydiving) by code numbers.  A report also includes the name(s) of MIB member companies that submitted your information and that have received a copy of your record during the two years prior to your request.

Read your MIB report carefully.  If you find incorrect information, ask for an investigation form.  The MIB will contact the company that reported the information and the company will investigate its accuracy.  According to the MIB, only one percent of consumer files are ever amended. If your record is not changed and you believe it should be, you can enter a “statement of dispute” in your file.  This will be given to any insurer that requests your MIB file.

What rights do you have regarding your MIB report? The MIB is considered a consumer reporting agency (CRA) and is regulated by the Fair Credit Reporting Act (FCRA).  The MIB is not regulated by HIPAA or the CMIA.  Insurers are not supposed to deny insurance based solely on a MIB report.  In fact, an insurer must send you an adverse action notice even if the information in the report was not the main reason for denying you insurance (or increasing your rate).

The notice must include:

  • the name, address, and telephone number of the CRA (in this case, the MIB) that supplied the report the insurer used in reaching its decision;
  • a statement that the MIB did not make the adverse decision and cannot give specific reasons for it; and
  • notice of your right to dispute the accuracy or completeness of the MIB’s information, and to request a free report within 60 days.

For more information, see the Federal Trade Commission’s website on insurers and consumer reports.

h. Prescription drug reports

Personally identifiable prescription information can be legally bought and sold.  Two companies, Milliman and Ingenix, compile individual prescription drug histories from databases kept by pharmacy chains and pharmacy benefit managers (PBMs). A PBM administers drug benefit programs for health plans and employers.  It has your prescription records because it processes and pays prescription drug claims. Insurers buy the reports—for $15—to evaluate applications for individual health, life, or disability policies. For more information on PBMs, see California Medical Privacy Fact Sheet C4: Your Prescriptions and Your Privacy.

What is in a prescription report? Your report contains a five-year record of your prescriptions, including dosages, refills, and prescribing doctors as well as their medical specialty.  Prescription information can reveal treatment for a disease or condition that you actually have, but it can also easily lead to incorrect assumptions.  For instance, consider off-label prescribing: menopausal women are routinely prescribed anti-depressants for insomnia.  An insurer reviewing that report might come to another conclusion about that woman’s mental health, which could affect her insurability or her premium.

What rights do you have concerning prescription reports?  Like the MIB, Milliman and Ingenix are considered consumer reporting agencies (CRAs) and are regulated by the Fair Credit Reporting Act.  This entitles you to a notice of adverse action from the insurer, even if your prescription report was not the primary reason for denial of coverage or a premium increase.  You can dispute the accuracy of the report and request a free copy of it.  If you want to know whether a report exists for you, and what it contains, you can contact the companies directly and request it: Milliman for an IntelliScript report, or Ingenix for a MedPoint report.

i. Disclosures of medical information for law enforcement purposes

Some law enforcement activities require the disclosure of medical information.  These include mandatory reporting of elder or child abuse; natural or crime-related death; response to a request for medical information about a victim of a crime with the victim’s agreement; or a gunshot or stabbing wound treated at a hospital.  For more information about permitted or required disclosures of medical information to law enforcement, see this U.S. Department of Health and Human Services FAQ.

j. Inadvertent personal disclosures of medical information

There are many ways individuals unknowingly or unthinkingly give up personal information in situations where no legal protections apply.

Screenings or treatments in informal, non-medical settings. Free or low-cost health screenings are routinely offered at work, health clubs, malls, pharmacies, health fairs, health food stores, and other informal venues.  You may want to take advantage of the opportunity to be tested for diabetes; to have your body mass index (BMI) measured; or even to have your forearm or heel screened for bone density.  However, you should be aware that screenings are often conducted or sponsored by companies that make or sell the diagnostic equipment or medications or treatments related to the test.  You should not be surprised if you start receiving marketing materials related to the screening.

In addition to giving up your name and contact information—and possibly your age, date of birth, and some personal health information—to receive a screening or test, you may also be giving up any privacy rights in the test results.

If you want to have the test, ask first about the privacy policy of the company or organization that is conducting the screening. What information is being collected and will it be retained?  Who will have access to it, and what will they do with it?  Ask if you can opt out of some or all marketing uses, or of having your data shared with the screening sponsor’s affiliates, or sold to other direct marketers.

Medical information and the Internet.  There are many ways to reveal personal medical information online.  Medical (or “medical-like”) websites often ask you to fill in registration forms or surveys. You give up medical information by participating in health or disease discussion forums.  Buying health-related products with a credit card can link medical and personally identifying information.  Just visiting a website or clicking advertisements for drugs or treatments can create a trail that combines medical and personally identifying information.

Be aware of what you are sharing.  Your only protection is the protection that the particular website’s privacy policy offers, and privacy policies often change.  Read website privacy policies to see what information a site collects, how the company uses it, and what protections they offer, if any.

Keep in mind that California law requires websites that collect personally identifiable information from California residents to post a privacy policy.  (Online Privacy Protection Act, Cal. Business and Professions Code, §§ 22575-22579) To learn more about online tracking, see PRC’s Fact Sheet 18: Online Privacy: Using the Internet Safely.

If you feel you are being scammed—with offers of quick cures, “free” trials or gifts, or demands for advance payment and claims of limited supplies of the product—you can file a complaint with the Federal Trade Commission’s (FTC) Bureau of Consumer Protection.

Gyms and health clubs or spas.  These businesses generally ask for medical information on their application forms.  You may create additional medical information by monitoring and recording your vital signs while you work out, or taking advantage of health-related tests or products offered at the gym, health club, or spa.  Once again, you should find out what the business’ privacy policy is—or if there even is a privacy policy.

Mobile health and fitness applications. There are currently well over 40,000 mobile health and fitness applications on the market and that number is expected to quadruple by 2016; see Top Health and Fitness Apps to Improve Your Workout and Diet, an article promoting such applications. If there is any aspect of health (defined very broadly), diet, or fitness that is not currently monitored and measured by a smartphone app, it will be shortly. These range from apps that help you track calories by inputting everything you eat, to those that sync your workouts by using GPS and then share them on social media, to those that track the general progress of your pregnancy.

While many of these applications seem faddish and frivolous, some point in the direction of radical change in monitoring and delivering health care. Phone screens are touch sensitive, and there are already apps that have adapted this functionality to measure and record your blood pressure.

Further development of smartphones as medical diagnostic tools is well underway. Apps are available that take daily measurements of heartbeat, weight, food consumption, exercise, and other health metrics, and can share them with a physician. An application for the iPhone, iPad, and iTouch supports voice-based house calls and will soon offer two-way video. It’s foreseeable that you will soon be able to send a daily report of various health-related functions and activities collected by your phone for automated analysis of your condition, which could keep you apprised of changes or anomalies as they develop.

Much of this technology—existing and potential—holds real promise for improving the efficiency and delivery of health care. As always, the problem is determining who has access to the data the applications can generate, collect, and transmit, and what they do with it. It’s often simply unknown—until it’s perhaps discovered through investigative news reporting—what information smartphone applications collect and what they do with it. Apple’s agreement with its software developers says that apps “may not collect user or device data without prior user consent,” but since users are not generally aware of the content of developer agreements, there is no way to know whether an app is complying with that agreement.

Apps for Google’s Android operating system must tell users most of the information they gather before you install the software. But they don’t have to disclose whether they are collecting the Android ID, a number that uniquely identifies the phone and which can be matched with data about you from other sources to serve you targeted advertising. Google’s response is that if users don’t want an app to access their phone’s unique ID, they shouldn’t download it.

The message to take away here is to pause before you download. If the application has a privacy policy, read it. Smartphone applications are not covered by HIPAA privacy and security regulations. California law covers them only to the extent that developers must notify you of what information they collect and with whom they share it. (Cal. Bus. & Prof. Code § 22575) Others can gain access to your data in two main ways: users themselves share their health data publicly or privately on social media, or developers sell it to third parties for marketing or other purposes.  Obviously, you may not want other parties, like insurers, to get access to this data, but the only way to prevent that is by not making the information public in the first place.

7.  Resources

California State Law and Agencies:
To find the full text of California laws, visit www.leginfo.ca.gov.

California Office of Privacy Protection
915 Capitol Mall, Suite 200
Sacramento, CA 95814
Email: privacy@scsa.ca.gov
Website: www.privacy.ca.gov

State of California Office of Health Information Integrity (CalOHII)
1600 9th Street, Room 460
Sacramento, CA 95814
Phone: (916) 651-6907
Email: OHIComments@ohi.ca.gov
Website: www.ohii.ca.gov/calohi/

Office of the Attorney General
California Department of Justice
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244
Phone: (800) 952-5225
Website: www.oag.ca.gov

To learn more about the California Information Practices Act and how to request information, see the California Department of Social Services pamphlet, “Rights of Individuals Under the Information Practices Act,” at http://www.dss.cahwnet.gov/pdf/ipaattachment1.pdf.

To learn more about the California Patient Access to Health Records Act (PAHRA) and how to request information, see the Medical Board of California’s website at www.mbc.ca.gov/consumer/access_records.html.

For a detailed, practical, and easy-to-read guide to getting and amending your medical records in California, see “Your Medical Rights in California,” by Joy Pritts, Georgetown University Health Policy Institute, available at http://ihcrp.georgetown.edu/privacy/stateguides/ca/caguide5.html.

For More Information on HIPAA:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (866) 627-7748
Website: www.hhs.gov

To file a complaint about a HIPAA violation, contact one of the regional offices of the HHS Office for Civil Rights.

Additional guides:

Fact Sheet 8: Medical Records Privacy

Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age

Fact Sheet 8b: Medical Privacy FAQ

World Privacy Forum Patient’s Guide to HIPAA: How to Use the Law to Guard Your Health Privacy

Center for Democracy and Technology: Health Privacy Project