The Confidentiality of Medical Information Act (CMIA): An update on HIPAA’s stricter counterpart
In July 2022, the Confidentiality of Medical Information Act (CMIA), a California law protecting the confidentiality of individually identifiable medical information obtained by healthcare providers, health insurers, and their contractors, was amended to prohibit the disclosure of medical information related to sensitive services (mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender-affirming care, and intimate partner violence).
Specifically, this prohibits the disclosure of medical information to anyone other than the enrollee without the individual’s express written authorization, including the policyholder or parent of a minor patient.
To ensure compliance and protection of the confidentiality of individually identifiable medical information obtained by a healthcare provider under CMIA, organizations must ensure that they, amongst other requirements:
- prohibit the disclosure of medical information regarding a patient, enrollee, or subscriber without first obtaining authorization, except as specified; and
- require a healthcare provider, healthcare service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.
Damages allowed under CMIA
Under CMIA, an individual may bring an action against a person or entity who has negligently released confidential information for either:
- nominal damages of $1,000.00 (without the requirement of demonstrating actually suffering any damages); or
- the amount of actual damages, if any, sustained by the individual.
Further, any person or entity who knowingly and willfully obtains, discloses, or uses medical information shall be liable for an administrative fine not to exceed $2,500 per violation.
CMIA's newest bill
The recent introduction of CMIA’s newest bill sets further restrictions on healthcare providers, insurers, and their contractors, who are now prohibited from the disclosure of medical information related to sensitive services to anyone other than the enrollee without the individual’s express written authorization, including the policyholder or parent of a minor child.
Now, a subscriber or enrollee can request “confidential communications” for all communications regarding the individual’s medical information and applies to communications that disclosure: (1) medical information; or (2) provider name and address related to receipt of medical services by the individual requesting the confidential communication.
Ensure CMIA compliance and patient privacy
With this recent change to the CMIA, organizations, covered entities, and health care providers should ensure that those who fall under both HIPAA and the CMIA are trained and knowledgeable about the specific and changing requirements to ensure not only privacy compliance but also the patient’s privacy. Understanding and monitoring these differences and updating policies regularly will give your employees the knowledge to succeed and protect not only your business but also your patients.