CA CMIA Medical Privacy Compliance

Evaluate compliance with California Confidentiality of Medical Information Act (Civil Code §56-56.37), covering patient authorization, disclosure limits, and medical information security

Healthcare | Biotech | Research | 20 minutes | 20 questions

1. Authorization & Consent

Do you obtain valid written authorization before disclosing medical information?*

§56.10(a): Written authorization required for disclosure with specific exceptions

Do authorizations include all required elements (patient name, recipient, purpose, expiration)?*

§56.11: Authorization must specify what info, to whom, for what purpose, expiration date

Are authorizations limited to one year unless a longer period is justified?*

§56.11(c): One year limit with patient option to specify longer period

Do you provide patients with a copy of signed authorizations?*

§56.11(e): Patient entitled to copy of authorization form

2. Disclosure Limitations

Do you limit disclosures to the minimum necessary information for the stated purpose?*

§56.10(d): Disclose only information specifically described in authorization

Are disclosures prohibited for marketing/sale purposes without explicit authorization?*

§56.10(b)(21): Marketing requires separate authorization, sale generally prohibited

Do you verify that recipients will maintain confidentiality of medical information?*

§56.10(c): Recipients must agree to maintain confidentiality

Are HIV/AIDS, mental health, and genetic test results subject to heightened protections?*

§56.10, §56.17, §56.31: Special protections for sensitive medical information

3. Patient Rights

Do you provide patients with access to their medical information upon request?*

§56.10(c)(5): Patients have right to inspect and copy medical records

Do you respond to patient access requests within 15 days?*

§56.10(c)(5): Promptly make records available, typically within 15 days

Can patients request amendments to inaccurate medical information?*

§56.10(c)(6): Right to amend or correct inaccurate information

Do you maintain an accounting of disclosures for patient review?*

§56.10(c)(7): Track disclosures and provide accounting upon request

4. Security & Confidentiality

Are administrative, technical, and physical safeguards in place to protect medical information?*

§56.101: Reasonable security procedures required for confidentiality

Is medical information encrypted when transmitted electronically?*

Best practice: Encryption protects confidentiality during transmission

Are employees trained on CMIA confidentiality requirements?*

§56.10: Staff must understand obligations to maintain patient confidentiality

Do you have procedures to investigate and respond to privacy breaches?*

§56.101: Detect and respond to unauthorized access or disclosure

5. Marketing & Communications

Do you obtain separate authorization for using medical information for marketing?*

§56.10(b)(21): Marketing communications require explicit patient consent

Are communications about treatment alternatives permitted without authorization?*

§56.10(b)(9): Healthcare operations and treatment coordination allowed

6. Enforcement & Liability

Do you maintain documentation demonstrating CMIA compliance?*

Best practice: Document authorizations, disclosures, security measures

Are violations investigated and remediated promptly?*

§56.35-56.37: Civil penalties of $250-$10,000 per violation; criminal penalties possible
