The California Patient's Guide
  Your Health Care Rights and Remedies
Chapter III.
Your Rights to Medical Records and Confidentiality1

  • You have the right to obtain complete information about your medical condition and care.
  • You have the right to inspect your medical records within 5 days of making a written request.
  • You have the right to have your medical records kept confidential unless you provide written consent, except in limited circumstances.
  • You have the right to sue any person who unlawfully releases your medical information without your consent.


You have a right under California law to access complete information about your medical condition and the care provided to you.2

You have the right to provide a health care provider with a written statement up to 250 words regarding any information contained in your medical records that you believe to be incorrect or incomplete. This statement will become part of your medical record and must be included whenever your medical records are disclosed by your health care provider to a third party.
From Health Care Providers
Health care providers, such as doctors, HMOs, and hospitals, must permit you to inspect your medical records during business hours within five working days after receiving a written request from you. You are required to pay reasonable clerical costs associated with locating the records and making the records available for your inspection.3

Your health care provider must provide copies of the records for not more than $.25 per page, or $.50 per page for records copied from microfilm.4 Your health care provider does not have to give you copies of X-rays if they provide them to another health care provider upon your written request within 15 days after receipt of the request, specifying the name and address of the health care provider to whom the records are to be delivered.5

From Corporations that Maintain Medical Information
Any corporation or entity that maintains medical records for the purpose of making them available to patients or health care providers for the purposes of diagnosing and treating must provide you, at no charge, with a copy of your records.


Any information about you, whether in electronic or physical form, regarding your medical history, mental or physical condition, or treatment is subject to California laws protecting your medical record confidentiality.


Unless provided by law, or authorized by you, your doctor, HMO, or other medical provider may not disclose, sell, or otherwise use your medical information for any purpose other than as is necessary for providing direct health care services to you.8
Most of the time, yes, your written consent is required before your medical records can be released to anyone. Under California's Confidentiality of Medical Information Act,6 health care providers, HMOs and certain health care contractors must obtain your written authorization before disclosing your medical information, with some exceptions.7

Your doctor, HMO and other health care contractors must establish procedures to ensure the confidentiality of your medical record information in their possession and that they properly dispose of any medical record information in a way that preserves your confidentiality.9 A new California law signed by Governor Davis effective January 1, 2001 requires that all businesses, including HMOs, must dispose of records that are no longer needed by 1) shredding, 2) erasing, or 3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.10 If any business fails to properly destroy your records and you suffer harm because of it, you can sue that business.11


To be valid, an authorization form used by health care providers, HMOs and health care contractors must:
  • Be handwritten by you (or your authorized representative signing the authorization form) or be typewritten in no smaller than 8-point type.
  • Be clearly separate from any other language on the same page and have a line for your signature that serves no purpose other than to authorize the release of your information.
  • Be signed by one of the following:
    • you, the patient,
    • your legal representative if you are a minor or incompetent,
    • the beneficiary or personal representative of a deceased patient, or
    • your spouse or person financially responsible for you for the sole purpose of processing an application for health care insurance or enrollment in a health care service plan or employee benefit plan when you are to be an enrolled spouse or dependent under the policy or plan.
  • Specify the uses and limitations on the types of medical information to be disclosed,
  • Specify the name or functions of the health care provider that may disclose the information,
  • State the name or functions of the persons or entities authorized to receive the medical information,
  • State the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information,
  • State a specific date after which the health care provider is no longer authorized to disclose your medical record information, and
  • State that you have a right to receive a copy of the authorization.12


Yes, but only in certain limited situations when necessary to provide you with appropriate health care. Your doctor or HMO is required to release your medical record information, even without your written authorization, to the following:
  • A court pursuant to a court order.
  • A board, commission, or administrative agency for purposes of resolving a dispute pursuant to its lawful authority.
  • A party to a proceeding before a court or administrative agency pursuant to an investigative subpoena.
  • An arbitrator or arbitration panel, when arbitration is lawfully requested by either party pursuant to a subpoena.
  • A government law enforcement agency pursuant to a search warrant.13
Your health care provider or HMO may also, in their discretion, release medical information about you without your written authorization to the following entities in the following limited circumstances:
  • Billing, claims management, medical data processing or other administrative services for the health care provider or HMO.14
  • Organizations or professional societies that review the competence or qualifications of health care professionals.15
  • Any private or public body responsible for licensing or accrediting health care providers or HMOs for review at the premises of the health care provider or HMO.16
  • County coroner in the course of an investigation by the coroner's office.17
  • Agencies, investigators, and educational and research organizations engaged in bona fide research projects provided that the recipient does not further disclose your identity.18
  • Your employer who has paid for employment-related health care services in connection with a lawsuit or arbitration dispute where you have placed your medical condition in issue, provided that information is disclosed only in connection to the proceeding, or when used to determine your entitlement to leave from work for medical reasons or physical limitations that prevent you from performing your job.19
  • The sponsor, insurer, or administrator of your group or individual health plan for the purpose of evaluating the application for coverage of benefits.20
  • Your health care service plan for the purpose of transferring to other health care providers in the plan.21
  • Probate officers or domestic relations investigators for the purposes of determining the need for a conservatorship or guardianship.22
  • Organ procurement organization or tissue bank for the purpose of aiding a transplant.23
  • Federal Food and Drug Administration when medical information relates to problems with drug products or medical devices.24
  • Disaster relief organizations for the purpose of responding to disaster welfare inquiries, but only basic information including your name, city of residence, age, sex and general condition may be disclosed.25
  • Third parties for purposes of encoding, encrypting, or otherwise making information anonymous.26
  • Disease management organizations that provide services to patients in order to improve their overall health in accordance with certain practice guidelines to which your doctor may refer you.27


Your employer must establish appropriate procedures to ensure the confidentiality of your medical information and to protect it from unauthorized use and disclosure. Your employer cannot use or disclose your medical information unless you sign an authorization, except in the following instances:
  • When compelled by a judicial or administrative process.
  • When relevant to a lawsuit, arbitration or other claim when you have first raised your medical history, condition or treatment as an issue in the case.
  • For the purpose of administering and maintaining employee benefit plans, including plans providing for disability and workers' compensation, and for determining eligibility for paid and unpaid leave from work for medical reasons.
  • To aid your health care provider in diagnosis or treatment when you or someone designated by you is unable to authorize disclosure.28
If you refuse to sign an authorization, your employer cannot discriminate against you in terms or conditions of employment. Your employer can take such actions as are necessary in the absence of medical information due to your refusal to sign an authorization (such as when all employees of a certain job are required to undergo a medical examination necessary to determine fitness to perform that job).29


In addition to the limited purposes described above, your doctor or HMO can disclose your medical information to private insurance companies and their agents that have complied with all the requirements for obtaining your information under the Insurance Information & Privacy Protection Act.30 This Act imposes similar requirements on private insurance companies and their agents as those imposed on doctors and HMOs by the Confidentiality of Medical Information Act. The insurance company must have a valid written authorization form from you that permits disclosure of your medical records to the insurance company or its agents. To be valid, the authorization form must:
  • Be written in plain language and dated.
  • Specify the persons authorized to disclose information about you.
  • Specify the nature of the information authorized to be disclosed.
  • Name the insurance institution or agent and identify generically representatives of the insurance institution to whom the individual is authorizing information to be disclosed.
  • Specify the purposes for which the information is collected.
  • Specify the length of time the authorization shall remain valid, which shall be no longer than:
    1. for authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for a change in policy benefits:
      1. thirty months from the date the authorization is signed if the application or request involves life, health, or disability insurance; or
      2. one year from the date the authorization is signed if the application or request involves property or casualty insurance.
    2. for authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:
      1. the term of coverage of the policy if the claim is for a health insurance benefit, or
      2. the duration of the claim if the claim is not for a health insurance benefit, or
      3. the duration of all claims processing activity performed in connection with all claims for benefits made by any person entitled to benefits under a nonprofit hospital service contract.
  • Advise you or the person authorized to act on your behalf of your or your authorized representative's right to receive a copy of the authorization form.31


  • Carefully read any and all forms you are asked to sign allowing the release of your medical information. Under California law, most disclosures of your medical information require your written consent and must be limited to the specific purposes you authorize. You should carefully read any form disclosures that you may be given to sign by your doctor, HMO, other health care provider or employer. Pay particular attention to the purposes for which the medical record information may be released, and only sign if you agree to these uses. Do not be talked into signing a general release that authorizes your medical records to be released for "all legally valid purposes." If you do not understand any of the terms of the authorization, ask your doctor, health care provider, or employer providing you with the authorization form to thoroughly explain its terms.

  • Prepare a written statement to give your doctor or other health care provider if you want to have a particular visit or treatment kept confidential. If you do not want a particular treatment or condition to be disclosed to your insurance company or employer, write a statement to bring to your doctor or HMO. This statement should direct that you do not consent to release of your medical record information for that particular visit. Since insurers and employers may be entitled to certain medical information related to health care services that they are paying for, you may want to personally pay for those services for which you do not want any information disclosed.

  • Be careful when asked to provide medical history information to entities other than your doctor, HMO or insurance company. It is wise to limit the information you give out about your medical history to only those who need it for treatment of an illness or payment of a claim for health benefits. With the proliferation of Web-based health information sites, there are an increasing number of avenues from which third parties can gain access to your medical information.


    The Medical Information Bureau (MIB) is a company that keeps a database of medical record information on individuals as provided to them by insurance companies that subscribe to their services. Insurance companies use information obtained from MIB to make decisions regarding your eligibility for coverage at the time of application for insurance benefits. According to the MIB, about 1 or 2 in 10 people have a record with MIB. Insurance companies may only report information to MIB with your written consent, and are supposed to only report information if you have a condition that is significant to health or longevity. MIB reports are kept for seven years. For information on how to access and correct any misinformation that MIB may have about you, access MIB's website at or write to:

    MIB, Inc.
    P.O. Box 105
    Essex Station
    Boston, MA 02112
    Phone: 617-426-3660
    Fax: 781-461-2453

    There is an $8.50 charge for obtaining a copy of your MIB report.


    Anyone who illegally obtains or discloses your medical information that causes you economic loss or personal injury may be guilty of a misdemeanor under California law.

    You may also bring an action against any person or entity that negligently releases confidential information or records in violation of California law for:
    • Nominal damages of one thousand dollars ($1,000). (Damages awarded when you are unable to prove that the violation caused you monetary loss)
    • Actual damages sustained by you.
    The Attorney General, any district attorney, city attorney, or city prosecutor may bring an action in the name of the people of California to recover a civil penalty. Licensing agencies or certifying boards may impose an administrative fine against individuals or entities that illegally obtain or disclose your medical record information.


  • Privacy Rights Clearinghouse
    Provides a consumer helpline and educational materials on a wide range of privacy issues. Visit their Web site at (See Fact Sheet #8: How Private Is My Medical Information?) or call (619) 298-3396.

  • California Medical Association
    Visit their Web site at or send a fax request to (800) 592-4CMA to obtain CMA ON-CALL Document # 1101: Confidentiality: CMIA and IIPPA


    1. The information contained in this section is based on California law. The federal Health Insurance Portability and Accountability Act passed by Congress in 1996 required that Congress pass regulations to protect patients' medical record privacy. The U.S. Department of Health and Human Services adopted the final rule officially published December 28, 2000. For more information on the new federal rule, go to
    2. Cal. Health and Safety Code § 123100.
    3. Cal. Health and Safety Code § 123110(a).
    4. Cal. Health and Safety Code § 123110(b).
    5. Cal. Health and Safety Code § 123110(c).
    6. Cal. Civil Code § 56 et seq.
    7. Cal. Civil Code § 56.10(a).
    8. Cal. Civil Code § 56.10(d) (italics added).
    9. Cal. Civil Code § 56.101.
    10. Cal. Civil Code § 1798.81.
    11. Cal. Civil Code § 1798.82.
    12. Cal. Civil Code § 56.11.
    13. Cal. Civil Code § 56.10(b).
    14. Cal. Civil Code § 56.10(c)(3).
    15. Cal. Civil Code § 56.10(c)(4).
    16. Cal. Civil Code § 56.10(c)(5).
    17. Cal. Civil Code § 56.10(c)(6).
    18. Cal. Civil Code § 56.10(c)(7).
    19. Cal. Civil Code § 56.10(c)(8).
    20. Cal. Civil Code § 56.10(c)(9).
    21. Cal. Civil Code § 56.10(c)(10).
    22. Cal. Civil Code § 56.10(c)(12).
    23. Cal. Civil Code § 56.10(c)(13).
    24. Cal. Civil Code § 56.10(c)(14).
    25. Cal. Civil Code § 56.10(c)(15).
    26. Cal. Civil Code § 56.10(c)(16).
    27. Cal. Civil Code § 56.10(c)(17).
    28. Cal. Civil Code § 56.20(c).
    29. Cal. Civil Code § 56.20(b).
    30. Insurance Code § 791 et seq.
    31. Cal. Ins. Code § 791.06.