The Confidentiality Of Medical Information Act (CMIA)
The Confidentiality of Medical Information Act (CMIA) is a state law that adds to the federal protection of personal medical records under the Health Information Portability and Accountability Act (HIPAA). CMIA protects the confidentiality of individually identifiable medical information obtained by a health care provider and includes the following:
- CMIA prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified.
- CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.
- CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that reveals the individual’s identity.
- Any individual may bring an action against any person or entity that has negligently released confidential information or records, for either or both nominal damages of $1,000 and the amount of actual damages, if any, sustained by the patient. It shall not be necessary to prove that the plaintiff suffered or was threatened with actual damages to recover nominal damages.
- Any person or entity who knowingly and willfully obtains, discloses, or uses medical information in violation of CMIA shall be liable for an administrative fine not to exceed $2,500 per violation.