Under CMIA, companies are prohibited from disclosing or using California residents' medical information for purposes not essential to the individual's health care services, unless an exception applies or the data subject grants authorization. CMIA, first enacted in 1981, received renewed attention during the COVID-19 pandemic as employers in California needed to obtain CMIA authorizations to process their employees' COVID-19 vaccination and illness information. In addition, CMIA was recently amended to expressly include businesses that offer mental health digital services as health care providers subject to CMIA. Because the US federal Health Insurance Portability and Accountability Act (HIPAA) does not preempt more protective state laws, it does not preempt CMIA where CMIA offers greater privacy and security protections.
1. Who and what is protected by CMIA?
California residents are protected with respect to their medical information, which is defined to include any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment.
“Mental health application information”, which was recently added, is defined to mean information related to a consumer’s inferred or diagnosed mental health or substance use disorder collected by a mental health digital service. The inclusion of “inferred” health information follows a recent trend to broaden definitions of health information (under the Washington state My Health My Data Act and the Nevada Senate Bill 370, inferred or emergent data by any means is called out as included in the definition of consumer health data).
2. Who is required to comply with CMIA?
Health care providers, health care service plans, employers (in the context of employee health information), and now mental health digital services are covered. In addition, anyone who receives medical information from a person or company that is subject to CMIA must also comply with CMIA’s restrictions on disclosure. Under CMIA, the “providers of health care” required to comply include not only licensed physicians and clinics but also any business that offers software or hardware, including a mobile application, that enables a consumer to manage his or her medical information or that otherwise facilitates the diagnosis or treatment of such consumers.
3. How do regulated parties comply with CMIA?
Regulated parties are required to obtain valid authorization from patients or enrollees before disclosing their medical information, subject to a variety of exceptions. CMIA contains specific requirements for what a valid authorization must look like: it must be handwritten (or, if it is in typeface, no smaller than 14-point type), be clearly separate from any other language present on the same page, be executed by a signature which serves no other purpose than to execute the authorization, be signed and dated, and contain certain information, such as the specific uses and limitations of the medical information to be disclosed. The Washington, Connecticut, and Nevada consumer health laws have similarly burdensome requirements for obtaining valid authorization or consent to sell consumer health data, and valid consent when collecting or sharing consumer health data beyond data minimization requirements (or, in the case of Connecticut, processing it at all). Prescriptive authorization and consent requirements such as those in CMIA and in the Washington, Connecticut and Nevada laws make it impractical to obtain valid authorization and consent in commercial contexts. Businesses may therefore decide to limit use and disclosure of health data and document internally why certain authorization and consent requirements are not triggered.
Besides the requirement to obtain valid authorization, CMIA requires regulated parties to establish and implement appropriate administrative, technical and physical safeguards so that medical information is created, maintained, stored and destroyed in a manner that preserves its confidentiality.
4. What are the penalties for non-compliance?
CMIA empowers the California Attorney General, as well as a number of other named authorities, to levy civil penalties. The amount of civil penalties differs based on intent. For example, violators who negligently disclose covered medical information may be subject to an administrative fine or civil penalty not to exceed USD 2,500 per violation. This number may be increased to USD 25,000 per violation if the violation was done knowingly and willfully, and further increased to USD 250,000 per violation plus disgorgement of profit if the violation was done knowingly or willfully for the purpose of financial gain.
Individuals who have suffered an economic loss or personal injury may bring a civil lawsuit to recover compensatory damages, punitive damages of up to USD 3,000, attorney's fees of up to USD 1,000, and the costs of the suit. Individuals who cannot show actual damages may bring an action for nominal damages of USD 1,000.
Outlook
Businesses working to comply with the many omnibus US state privacy laws and the new state laws specific to consumer health data should assess and document why collection or sharing of health data is necessary and when consent or authorization is required under CMIA or another state law. If consent or authorization requirements apply, businesses should determine how to operationalize obtaining consent or authorization in an efficient way across the laws that apply to them.