What is CMIA: The Confidentiality of Medical Information Act (CMIA) is a California law that protects the confidentiality of individually identifiable medical information obtained by healthcare providers, health insurers, and their contractors.
Who does it apply to?
- Healthcare Providers
- Healthcare Service Plans
- Health Insurers
- Pharmaceutical Companies
- Contractors of the above
Medical Information under CMIA: Medical information is defined as: “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”
Individually Identifiable Information: “Includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”
Are payroll providers health service providers or Contractors under the Regulation? The short answer is NO. However, every case is nuanced, and you may fall within a definition in this regulation based on some of the activities that you have undertaken. Consult an expert to get a final determination for your company.
Fines and Damages:
Under CMIA, an individual may bring an action against a person or entity who has negligently released confidential information for either:
- nominal damages of $1,000.00 (without having to demonstrate that any damages were suffered); or
- the amount of actual damages, if any, sustained by the individual.
Note: Any person or entity who knowingly and willfully obtains, discloses, or uses medical information shall be liable for an administrative fine not to exceed $2,500 per violation.
Difference between HIPAA and CMIA: CMIA applies to all healthcare providers within California and has more stringent requirements than HIPAA in many areas.