The California Confidentiality of Medical Information Act


The California Confidentiality of Medical Information Act (CMIA) is a crucial piece of legislation that protects the privacy of patients’ medical information. Introduced in 1981 and later amended to keep up with technological advancements, the CMIA ensures that patients’ sensitive medical information is handled with the utmost care by healthcare providers, insurance companies, and other organizations. This blog post will provide a comprehensive overview of the CMIA, including its purpose, scope, and key provisions.

Purpose of the CMIA

The primary purpose of the CMIA is to safeguard the confidentiality of medical information and protect the privacy rights of patients in California. The legislation recognizes the sensitive nature of medical data and the potential harm that could result from unauthorized access, use, or disclosure. By imposing strict standards on how medical information is handled, the CMIA aims to promote patient trust in the healthcare system, encourage open communication between patients and providers, and ultimately improve the quality of care.

Scope of the CMIA

The CMIA applies to a wide range of entities, including:

Healthcare providers: Physicians, nurses, hospitals, clinics, and other licensed professionals who provide healthcare services.
Health plans and insurance companies: Organizations that provide or arrange for the provision of healthcare services.
Medical service contractors: Independent contractors that perform administrative or management services for healthcare providers or health plans.
Pharmaceutical companies: Businesses that manufacture, distribute, or sell prescription medications.
Other organizations: Any person or entity that receives medical information for specific purposes, such as billing or claims processing.

Key Provisions of the CMIA

1. Confidentiality of Medical Information: The CMIA requires that medical information be kept confidential and not disclosed without the patient's written authorization. This applies to both oral and written communications, as well as electronic storage and transmission of medical data.

2. Written Authorization: In general, a patient's written authorization is required before their medical information can be disclosed to third parties. The authorization must include specific details, such as the purpose of the disclosure, the type of information to be disclosed, and an expiration date.

3. Exceptions to Authorization Requirement: There are some situations in which medical information can be disclosed without written authorization, such as when required by law (e.g., reporting communicable diseases), responding to a court order or subpoena, or during emergencies.

4. Safeguards: The CMIA mandates that providers, health plans, and other covered entities implement reasonable safeguards to protect medical information from unauthorized access, use, or disclosure. This includes physical, technical, and administrative measures, such as secure storage facilities, data encryption, and employee training.

5. Notice of Privacy Practices: Covered entities must provide patients with a notice that explains their privacy practices, including how medical information is used and disclosed, the patient's rights to access and amend their records, and how to file a complaint.

6. Patient Rights: Patients have the right to access their own medical records, request amendments, and receive an accounting of disclosures of their information. Additionally, patients can request restrictions on certain uses or disclosures of their information.

7. Penalties for Violations: The CMIA imposes civil penalties for violations, including statutory damages of $1,000 per violation plus the amount of actual damages. In some cases, individuals who knowingly and willfully obtain, disclose, or use medical information in violation of the CMIA may also face criminal charges.


The California Confidentiality of Medical Information Act plays a vital role in protecting the privacy rights of patients and promoting trust in the healthcare system. By understanding the key provisions of the CMIA, healthcare providers, insurers, and other organizations can ensure they are compliant with the law and up
