The California Health and Human Services Agency (CHHS) has collected its health information policies in a document called the Statewide Health Information Policy Manual (SHIPM). SHIPM gives an overview of the federal and state health privacy laws that physicians, medical practices, hospitals, and other health providers need to understand.
Experienced healthcare lawyers often explain to doctors, medical practices, and health companies that several distinct bodies of law, enforced by different agencies, govern how they operate. Compliance work addresses how health providers structure their business relationships so they can demonstrate compliance with the Stark Law, the Anti-Kickback Statute, and other relevant laws. Health practices and businesses also need to understand FTC rules on promoting and advertising their services so the FTC does not send warning letters or start other enforcement actions. Skilled healthcare lawyers further explain how the FDA regulates drugs, medical devices, dietary supplements, cosmetics, food, and other medical products.
Laws on licensing and the practice of medicine must be followed as well; otherwise doctors and providers can lose their medical licenses and their businesses may be forced to close.
A doctor, health provider, or medical company that does not understand the other laws and regulations that apply to it, does not create a compliance plan, or does not respond to agency investigations puts both the company's economic prospects and the provider's ability to practice at risk.
Federal Policies and Regulations
The Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law sets national standards for how a patient's health information (medical records and other personal health information) must be handled and protected. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that conduct certain healthcare transactions electronically. HIPAA also applies to the business associates that perform functions or services involving protected health information on behalf of those covered entities.
HIPAA has two key parts:
- The HIPAA Privacy Rule. This rule requires that health providers and health businesses covered by the law protect the privacy of patient health information, and it sets conditions on how that information can be used and disclosed. There are exceptions for treatment (doctors need to be able to consult with specialists, for example), payment for the patient's services, and other healthcare operations. The Privacy Rule also gives patients rights, including the right to access their records and the right to request corrections.
- The HIPAA Security Rule. This rule governs how patients' electronic health information is protected. Covered health providers and health companies must create and implement proper "administrative, physical, and technical safeguards" so that electronic patient health records remain confidential, maintain their integrity, and are available when needed.
HIPAA's administrative simplification provisions also include transaction and code-set rules intended to "reduce paperwork and streamline business processes across the healthcare system." Beyond HIPAA, SHIPM lists other federal confidentiality laws, including:
- Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2). These regulations apply to records that would identify a patient as someone who has a substance use disorder. The confidentiality rules generally require the patient's written consent for any disclosure, with limited exceptions.
- Genetic Information Nondiscrimination Act (GINA). This law protects people from discrimination in health insurance and employment based on their genetic information.
While SHIPM lists only a few federal laws, health providers and medical companies need to consult experienced healthcare lawyers because many more federal laws and regulations apply.
California Laws and Regulations
General Privacy Protections
- Article I, Section 1 of the California Constitution guarantees the right to privacy.
- The Information Practices Act – Civil Code §§ 1798 – 1798.78 limits how state agencies can collect, manage, and disclose personal information.
- The Confidentiality of Medical Information Act (CMIA) – Civil Code § 56 et seq. This law supplements the federal HIPAA rules and in several respects is stricter than HIPAA.
- Disclosure of Medical Information – Civil Code §§ 56.10 – 56.16. This law prohibits a health care provider, health care service plan, or contractor from disclosing medical information without authorization from the patient, enrollee, or subscriber. Some exceptions apply, such as disclosure compelled by a court order. The law protects medical information in both paper and digital form.
- Civil Penalties for Unauthorized Access, Use, or Disclosure of Medical Information – Civil Code § 56.36. The “CMIA was amended to further define administrative fines or civil penalties for any person or entity including licensed health care professionals who knowingly and willfully obtains, discloses, or uses medical information in violation of the CMIA.”
- Confidentiality of SUD Records – Health and Safety Code § 11845.5. This is the state version of the federal SUD confidentiality requirements.
- Physical Safeguards – Health and Safety Code § 1280.18. The law provides:
- Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.
- In deciding whether a health provider or health company made a reasonable effort to secure a patient's health information, the state can weigh numerous factors, including the provider's size and resources and the nature of the information involved.
Patients’ Right to Access
CHHS lists the following laws that govern patients’ right to access their medical records.
- Patient Access to Health Records – Health and Safety Code § 123100 and § 123111. This law, with some exceptions, allows patients to inspect and obtain copies of the information about their medical condition(s) that their healthcare provider has kept in the record. It also allows patients to submit a written addendum to the record if they believe it is inaccurate or incomplete.
- Consent by Patient for Lab Results via Internet or Other Electronic Means – Health and Safety Code § 123148. Patients, on request, have the right to receive the results of their laboratory tests in written or oral form. To send the results electronically, the health provider must first obtain the patient's consent, in accordance with the CMIA and other federal and state requirements. Certain results cannot be sent electronically unless additional requirements are met; these include HIV antibody tests, hepatitis infection tests, drug abuse tests, and results from routinely processed tissues that reveal a malignancy. Test results and related information cannot be used for commercial purposes without the patient's consent.
According to the Statewide Health Information Policy Manual (SHIPM), there are other state laws that govern proper uses and disclosures of health information.
Mental Health Information
The following laws regulate the confidentiality of information and records on involuntary, and some voluntary, mental health services.
- Lanterman-Petris-Short Act (LPS) – Welfare and Institutions Code § 5328 et seq. This law applies to state hospitals and regional centers, community mental health clinics, and county and city mental health agencies. Records that fall outside this law are usually covered by the CMIA instead.
- Access to Mental Health Information by Patients’ Rights Advocate – Welfare and Institutions Code § 5541
- Persons with Developmental Disabilities, Confidential Information and Records; Disclosure; Consent – Welfare and Institutions Code § 4514
Additional California Laws and Regulations
SHIPM also lists the following healthcare compliance laws. As with the federal laws, numerous California laws and regulations govern medical practices and healthcare companies, and which ones apply depends on the type of health company and other factors. Again, it is critical that any health practitioner or medical business speak with an experienced healthcare lawyer before starting, buying, investing in, or continuing a health company.
- Medical Information, Collection for Direct Marketing Purposes – Civil Code § 1798.91. This law governs how businesses can collect medical information from individuals for direct marketing. In short, a business cannot request this information unless it:
- Clearly discloses how the information will be used and shared
- Gets the individual’s consent.
- Mandated Blood Testing and Confidentiality to Protect Public Health – Health and Safety Code §§ 120975 – 121020. "This law protects the privacy of individuals who are the subject of blood testing for human immunodeficiency virus (HIV)." Among other things, it provides that a person cannot be compelled to disclose the results of an HIV blood test in governmental proceedings unless an exception applies.
- Disclosures by State or Local Public Health Agencies of Records relating to HIV or AIDS – Health and Safety Code § 121025. This is another law to protect HIV or AIDS information.
Breach Duties and Requirements
Civil Code § 1798.29 (which applies to state agencies) and § 1798.82 (which applies to businesses) set out what must happen when there is a breach of the security of personal information.
Key definitions are:
- “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- “health insurance information” means any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
- “personal information” includes: Social Security number, driver’s license number, account number, credit or debit card number, or security code or password for accessing their financial account as well as medical information and health insurance information.
If a data security breach involving patient personal information occurs, the business or state agency that holds the information must notify the affected patients in the most expedient time possible and without unreasonable delay, as the statutes require.
Health Facilities Data Breach – Health and Safety Code § 1280.15.
Licensed clinics, health facilities, home health agencies, and hospices can be fined for breaching a patient's medical information. The law imposes notification requirements on top of the Civil Code breach statutes: a facility that fails in its duty to "prevent unlawful or unauthorized access to, or the use or disclosure of, a patient's medical information" must report the breach to the California Department of Public Health and notify the affected patient no later than 15 business days after the breach is detected.
California's Statewide Health Information Policy Manual (SHIPM) lists some, but not all, of the state's healthcare privacy laws, breach notification laws, disclosure laws, and other laws governing patient information. The laws cover mental health records, lab results, information collected for marketing, and many other uses and misuses of patient health information.
Contact Cohen Healthcare Law Group, PC for legal counsel on healthcare transactions, regulatory compliance, and FDA and FTC law. Our experienced healthcare & FDA attorneys advise healthcare companies and healthcare providers ranging from medical centers, to integrative and functional medicine practices, cosmetics and supplement companies, and medical device manufacturers.