United States: In the emerging patchwork of US State Consumer Health Privacy laws

Understanding and complying with California's confidentiality of medical information act

In brief

So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA, because the law applies to employers. Also, any business that offers software or hardware, including a mobile application, that enables a consumer to manage medical information must comply with CMIA. 


Contents

Under CMIA, companies are prohibited from disclosing or using California residents' medical information for purposes not essential to the individual's health care services, unless an exception applies or the data subject grants authorization. CMIA, first enacted in 1981, got renewed attention during the COVID-19 pandemic as employers in California needed to obtain CMIA authorizations to process their employees' COVID-19 vaccination and illness information. In addition, CMIA was recently amended to expressly include businesses that offer mental health digital services as a health care provider subject to CMIA. Because the US federal Health Insurance Portability and Accountability Act (HIPAA) does not preempt more protective state laws, it does not preempt CMIA where CMIA offers greater privacy and security protections. 

1. Who and what is protected by CMIA? 

California residents are protected with respect to their medical information, which is defined to include any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment. 

“Mental health application information”, which was recently added, is defined to mean information related to a consumer’s inferred or diagnosed mental health or substance use disorder collected by a mental health digital service. The inclusion of "inferred" health information follows a recent trend to broaden definitions of health information (under the Washington state My Health My Data Act and the Nevada Senate Bill 370, inferred or emergent data by any means is called out as included in the definition of consumer health data). 

2. Who is required to comply with CMIA? 

Health care providers, health care service plans, employers (in the context of employee health information), and now mental health digital services are covered. In addition, anyone who receives medical information from a person or company that is subject to CMIA must also comply with restrictions on disclosure under CMIA. According to CMIA "providers of health care" required to comply includes licensed physicians and clinics, but also “provider of health care” includes any business that offers software or hardware, including a mobile application, that enables a consumer to manage his or her medical information or that otherwise facilitates the diagnosis or treatment of such consumers.

3. How do regulated parties comply with CMIA?

Regulated parties are required to obtain valid authorization from patients or enrollees before disclosing their medical information, subject to a variety of exceptions. CMIA contains specific requirements of what a valid authorization looks like, including the requirement for it to be handwritten (or, if it is in typeface, no smaller than 14-point type), be clearly separate from any other language present on the same page, be executed by a signature which serves no other purpose than to execute the authorization, be signed and dated, and contain certain information, such as the specific uses and limitations of the medical information to be disclosed. The Washington, Connecticut, and Nevada consumer health laws have similarly burdensome requirements for obtaining valid authorization or consent to sell consumer health data, and valid consent when collecting or sharing consumer health data beyond data minimization requirements (or, in the case of Connecticut, processing it at all). Prescriptive authorization and consent requirements such as in CMIA and in the Washington, Connecticut and Nevada laws make it impractical to obtain valid authorization and consent in commercial contexts. Businesses may therefore decide to limit use and disclosures of health data and document internally why certain authorization and consent requirements are not triggered. 

Besides the requirement to obtain valid authorization, CMIA requires regulated parties to establish and implement appropriate administrative, technical and physical safeguards, such as to create, maintain, store or destroy medical information in a manner that preserves the confidentiality of the information.

4. What are the penalties for non-compliance? 

CMIA empowers the California Attorney General, as well as a number of other named authorities, to levy civil penalties. The amount of civil penalties differs based on intent. For example, violators who negligently disclose covered medical information may be subject to an administrative fine or civil penalty not to exceed USD 2,500 per violation. This number may be increased to USD 25,000 per violation if the violation was done knowingly and willfully, and further increased to USD 250,000 per violation plus disgorgement of profit if the violation was done knowingly or willfully for the purpose of financial gain. 

Individuals who have suffered an economic loss or personal injury may bring a civil lawsuit to recover compensatory damages, up to USD 3,000 in punitive damages, up to USD 1,000 in attorney's fees and the costs of the suit. Individuals without a showing of actual damages may bring action for nominal damages of USD 1,000.

Outlook

Businesses working to comply with the many omnibus US state privacy laws and the new state laws specific to consumer health data should assess and document why collection or sharing of health data is necessary and when consent or authorization is required under CMIA or another state law. If consent or authorization requirements apply, businesses should determine how to operationalize obtaining consent or authorization in an efficient way across the laws that apply to them.

Contact Information

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.