The "Gray Areas": Is Your Health Privacy Protected? (California Medical Privacy Series)

Posted: Apr 01 2013  | Revised: Oct 11 2017


  1. What does this guide cover?
  2. Gyms, health clubs, and spas
  3. Social media and websites that are not covered under HIPAA
  4. Personal medical devices
  5. Casual cosmetic medicine
  6. Weight loss centers and employee wellness weight-loss programs
  7. Alternative health and therapeutic practitioners
  8. Health fairs and other informal venues
  9. Body art-tattoos and piercing
  10. Conclusions
  11. Resources

1. What does this guide cover?

Outside of traditional medical contexts, individuals must increasingly rely on companies' privacy policies to disclose what personal information a company or website collects, what it may do with that information, and what control you have over it, if any.  You must then rely on the company to actually carry out its policies.  In some cases, there may be no policy at all.


This Fact Sheet explains what privacy protections exist for medical information that falls outside of traditional uses, and how to weigh your options if there are no protections built in.   


2. Gyms, health clubs, and spas

There is no consistency in how or whether gyms, health clubs, and spas collect personal information.  Some have membership applications online, others do not.  If a business collects personally identifiable information online from California residents, the state's Online Privacy Protection Act requires it to conspicuously post a privacy policy on its website (for example, on the home page or through a clearly labeled link from it). Cal. Bus. and Prof. Code §§ 22575-22579


If you are considering joining or visiting a gym, health club, or spa that does not provide clear notices about its privacy policies, you’ll need to ask. For instance, you may want to know answers to the following questions:

  • What does the business do with personal data it receives in membership applications?
  • Does the business keep other types of records pertaining to its clients or members?  For example, these could include vital signs while exercising or performance metrics from personal training sessions or even group exercise classes.
  • Does the business require its employees to sign a non-disclosure agreement that applies to members’ or clients’ records and any additional information about them?
  • Does the business have any policies regarding the use of cameras—including cell phone cameras—or any kind of recording equipment?
  • How does the business store personal information? 
  • What happens to your personal information after you are no longer a member or client?  How long does the business retain the information?  How is information in paper or electronic format disposed of?

In general, you should be aware of the kinds of information these venues collect, in what form, and what they do with it.  At the same time, gyms, health clubs, and spas have a strong interest in keeping members’ and clients’ information private, partly in the interest of maintaining their business reputations, and also to avoid litigation.


3. Social media and websites that are not covered under HIPAA

It is very easy to reveal medical information online without thinking about it—or maybe even knowing about it.  You may enter medical information into a website to research your symptoms, or you may just visit one or many websites about your condition.  Even if you are casually looking at websites, advertisers on those sites—or more likely, ad networks—may track you across many or most of the websites you visit. 


Often advertising networks use cookies, or other tracking mechanisms, to gather and analyze data about the sites you visit. 


Companies may create profiles based on the browsing information they collect.  These profiles are often described as anonymous, meaning that the profile is keyed to an identifier (such as a cookie value or device identifier) rather than to your name.  Such a profile is better described as pseudonymous: whenever the company obtains something that identifies you—for example, when you register or log in on a site that shares data with it—everything already recorded under that identifier can be linked to you.


Also, most websites you use are under no obligation to specifically protect any medical-related information you may reveal.


The Electronic Frontier Foundation (EFF) is a good source of information about online tracking.
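The following is an added example, not part of the original fact sheet, that models the mechanism described above: an ad network's tracking pixel sets one cookie under its own domain, the browser sends that cookie back from every site that embeds the pixel, and a single login on one of those sites ties the whole "anonymous" profile to a person.  It also shows what changes when the browser keeps third-party cookies partitioned per top-level site.  The site names, the "adnet.example" domain, the cookie name and the visitor's email are all constructed for this illustration.

```python
# Added example (not from the original fact sheet): a model of how an ad
# network's third-party cookie ties visits to unrelated health sites into
# one profile, and what changes when the browser keeps that cookie
# partitioned per top-level site. Site names, cookie name, visitor data
# and the "adnet.example" domain are all constructed for this example.
from collections import defaultdict
from itertools import count

AD_DOMAIN = "adnet.example"   # assumed ad-network domain that hosts the pixel
AD_COOKIE = "adnet_uid"       # assumed name of its tracking cookie


class AdNetwork:
    """Third party whose tracking pixel is embedded on many publisher sites."""

    def __init__(self):
        self._ids = count(1)                 # deterministic ids instead of random tokens
        self.profiles = defaultdict(list)    # tracker id -> pages seen with that id
        self.identities = {}                 # tracker id -> identity, once a publisher leaks one

    def pixel_request(self, cookie_jar, page):
        """Handle the browser fetching the pixel. The browser sends whatever
        cookie it holds for AD_DOMAIN; a first visit gets a fresh id via
        Set-Cookie, and every visit is appended to that id's profile."""
        uid = cookie_jar.get(AD_COOKIE)
        if uid is None:
            uid = f"u{next(self._ids)}"
            cookie_jar[AD_COOKIE] = uid
        self.profiles[uid].append(page)
        return uid

    def identity_sync(self, cookie_jar, email):
        """A publisher that knows the visitor (for example after login) passes
        the email along with the pixel request. The 'anonymous' profile behind
        the cookie is now tied to a person."""
        uid = cookie_jar.get(AD_COOKIE)
        if uid is not None:
            self.identities[uid] = email
        return uid


class Browser:
    """Minimal cookie store. Unpartitioned: one jar per cookie domain, shared
    across every top-level site. Partitioned: the jar is keyed by cookie
    domain and top-level site, which is how blocking third-party cookies or
    state partitioning behaves."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self._jars = defaultdict(dict)

    def _jar(self, cookie_domain, top_site):
        key = (cookie_domain, top_site) if self.partitioned else (cookie_domain,)
        return self._jars[key]

    def visit(self, network, top_site, path, login_email=None):
        jar = self._jar(AD_DOMAIN, top_site)
        uid = network.pixel_request(jar, f"https://{top_site}{path}")
        if login_email is not None:
            network.identity_sync(jar, login_email)
        return uid


def run_scenario(partitioned):
    """Three visits a person might make without thinking of them as medical
    disclosures; the third is a login, so that site knows who the visitor is.
    Returns (profiles, identities) as the ad network now holds them."""
    net = AdNetwork()
    browser = Browser(partitioned=partitioned)
    browser.visit(net, "symptom-checker.example", "/search?q=chest+pain")
    browser.visit(net, "diabetes-forum.example", "/threads/insulin-pumps")
    browser.visit(net, "pharmacy.example", "/account", login_email="pat@example.com")
    return dict(net.profiles), dict(net.identities)


if __name__ == "__main__":
    for partitioned in (False, True):
        profiles, identities = run_scenario(partitioned)
        print(f"partitioned={partitioned}: {len(profiles)} profile(s)")
        for uid, pages in profiles.items():
            print(f"  {uid} ({identities.get(uid, 'unknown')}): {pages}")
```

With a shared cookie jar, all three visits land under one identifier and the pharmacy login names the symptom search and forum visit as well; with partitioned storage each site sees a different identifier and the login reveals only the pharmacy visit.  The model deliberately leaves out browser fingerprinting and server-side matching of hashed emails, which can re-link visits even without a shared cookie.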


4.  Personal medical devices 

Personal medical devices have been around for a long time and are widely and cheaply available. These familiar devices include pedometers, scales, thermometers, body fat analyzers, and heart rate, blood pressure and glucose monitors. But what were previously only standalone devices are now rapidly entering the digital data stream.


There are many smartphone applications that collect and transmit health metrics. These apps may also offer the option of integrating with social media or may play a role in telemedicine—telecom-enabled remote medical treatment.  Telemedicine is likely to grow since it is cost-effective and efficient for people who live where medical services are limited.


In the relatively near future, expect to see more physician-prescribed monitoring devices or medical smartphone applications that connect directly to electronic health record systems (EHRs). This trend may begin with patients who suffer from chronic conditions, like diabetes or heart problems, or who are on a specific treatment plan, in order to permit remote monitoring of such things as vital signs and prescription compliance. This type of digital medicine has great potential.  But it also raises many questions, not least about the privacy and security of data in transmission and in storage.


To the extent that a personal medical device or smartphone application is involved in your treatment, the data flowing between you and your EHR or physician, and back to you from your physician, is covered by the HIPAA regulations that protect the privacy and security of such information.  Note that HIPAA binds the physician and the EHR system, and binds the device or app vendor only if it handles the data as the provider's business associate.  Devices and applications you use on your own, that are not prescribed or part of a treatment plan, are another matter, and may be protected only by the developer's or manufacturer's privacy policy.


AHIMA (the American Health Information Management Association) has a good summary of issues raised by telemedicine in Personal Medical Devices Managing Personal Data, Personally Collected.


a. Medical alert devices

Another class of medical monitoring devices to be aware of is medical alert devices, generally marketed to elderly or frail individuals so that they can summon help in an emergency. There are many different types of alert devices, with variations in who is alerted and by what means, whether GPS is included, and other options.


The privacy and security of information collected in the purchase and use of an alert device is entirely up to the policies and practices of the device manufacturer. If you are considering one of these devices for yourself or a family member, read the company’s privacy policy carefully to understand what personal information it collects, how it may use that information, and what control you may have over the information.


5.  Casual cosmetic medicine

California law is clear about the specific cosmetic procedures that constitute the practice of medicine.  A physician's or surgeon's license is necessary "to use drugs or devices in or upon human beings and to sever or penetrate the tissues of human beings." Cal. Bus. & Prof. Code § 2051.  The only cosmetic procedures that do not amount to practicing medicine are those that penetrate only the outermost layer of skin, like shallow microdermabrasion.  For example, Botox injections and laser hair removal cross the line into medical practice, and must be done by a doctor or by a nurse, nurse practitioner, or physician's assistant under a doctor's supervision.


Patient-physician confidentiality and privacy protections for any medical information collected for a cosmetic procedure depend on whether the person administering the treatment is licensed to practice medicine.  If he or she is licensed, the standard privacy protections in HIPAA and the CMIA apply.  If he or she is not licensed, the treatment is illegal and it is possible that no privacy protections apply. 


If you go for treatments to a place that calls itself a medical spa (or someplace even more informal), and whose services involve using drugs or devices that penetrate the skin, it is in your medical interest as well as your privacy interest to find out if there is a supervising physician on site. 


To learn more, see the Medical Board of California's FAQ on cosmetic treatments and its web page, Medical Spas-What You Need to Know.  The Medical Board also provides information on how to file a complaint about someone you believe is practicing without a license (in English and Spanish).


6.  Weight loss centers and employee wellness weight-loss programs

Commercial weight-loss centers may collect various types of health information including: medical history and a record of your weight, food intake, and exercise for as long as you participate.  Unless the weight loss center's program includes prescription drugs, the health information it collects is protected only by its privacy policy, if it has one. 


If prescription drugs are part of the program, only licensed medical professionals with a supervisory role may prescribe them.  In this case, the business is a medical weight loss center as well as a health care provider. Its medical information practices are covered either by HIPAA, the CMIA, or both.


a. Employee wellness weight-loss programs

Many employers offer weight loss programs as an employee wellness option.  Before enrolling in a work-related wellness program where your medical or behavioral information will be collected or recorded, you should ask some questions:

  • What information will the program collect about you?
  • Who will collect the information?
  • Who has access to the information, and for what purposes?
  • What privacy protections do, or do not, apply to your information?
  • Do you have any control over the use and dissemination of the information that is collected?

Your information's privacy, and the control you can exercise over it, will depend on the way the employee wellness weight-loss program is offered.

  • Your employer may offer the program as a benefit of an employer-sponsored health plan (meaning the plan pays for the program).  If this is the case, the program vendor must have a business associate agreement with the employer-sponsor.  This obligates the vendor to comply with HIPAA and the CMIA.
  • Your employer may not offer the program as a health-plan benefit, but may simply have an agreement with the vendor to provide the service to its employees.  If this is the case, you should review the vendor's privacy policy, if there is one, to find out whether your information is protected in a manner you find acceptable.

To learn more about employee wellness programs and privacy in general, see PRC's Guide: Employment and Your Medical Privacy.


7. Alternative health and therapeutic practitioners

There are many alternatives to standard medical practice.  Some of these are licensed and regulated by the state, and some are not.  California passed a law to de-criminalize and regulate complementary medicine in 2001.  The law deals almost entirely with consumer disclosure requirements, so that a patient/client knows before receiving the services:

  • that the practitioner is not a physician;
  • whether the treatment is a complementary practice that is or is not licensed by the state;
  • what services will be provided and the treatment theory they rely on;
  • the practitioner's training, qualifications, and experience.

Patients must sign a written acknowledgement that they have received this information.  Cal. Bus. & Prof. Code § 2053.5


The California Department of Consumer Affairs has a list of licensed health care professionals. There are two types of alternative practitioners on this list: acupuncturists and naturopaths. 


California's Confidentiality of Medical Information Act (CMIA), which protects the privacy of medical records, applies only to licensed health care professionals. (Cal. Civ. Code § 56.05(e))  Only those alternative practitioners who are defined as health care professionals under one of the following California Code sections fall under the CMIA: Cal. Bus. & Prof. Code § 500 et seq.; Bus. & Prof. Code §§ 2450-2459.7 (Osteopathic Initiative Act); or Health & Safety Code § 1797 (Emergency Medical Technicians, or EMTs).


Chiropractors are also considered licensed health care practitioners and are covered by the CMIA, although the Chiropractic Initiative Act is not formally part of the Business and Professions Code.  The Act sets the terms for licensing chiropractors and creates the profession’s governing body, the Board of Chiropractic Examiners. The Board regulates licensing and disciplinary procedures.


This means that personal health information collected by other alternative practitioners, including certified but unlicensed ones such as massage and bodywork practitioners, is not covered by the CMIA or HIPAA.  The California law that enables the practice of complementary medicine also requires the practitioner to tell you whether he or she is licensed.  It is up to you to ask how he or she protects the privacy of your treatment records.


For more information about various alternative health practices:

  • Massage and bodywork practice in California is administered by the California Massage Therapy Council, which manages certification and education for practitioners, but is not covered by the CMIA and is not a state agency.  Its website also has information for consumers, including how to file a complaint.
  • Herbalists who operate independently of acupuncture, naturopathy, or some other licensed professional health practice, are regulated as small businesses rather than health practitioners.  They are not covered by the CMIA.  They may give nutrition advice.  They are not authorized to "practice medicine or surgery or to undertake the prevention, treatment, or cure of disease, pain, injury, deformity, or physical or mental conditions or to state that any product might cure any disease, disorder, or condition in violation of any provision of law." Cal. Bus. & Prof. Code § 2068

    Also, the FDA labels herbs as dietary supplements and regulates their quality.  You can find information about herbalist certification in California here.
  • Nutritionists and dietitians are distinguished by California law as either "nutrition consultants" (no license or registration required) or "registered dietitians" (education and registration requirements).  Cal. Bus. & Prof. Code §§ 2585-2586

    They are not covered by the CMIA.  In addition we have not found an unbiased online source of information for this practice.
  • Occupational therapists treat patients with injuries, illnesses, or disabilities through the therapeutic use of everyday activities (like walking, or sitting and standing up).  They help patients develop, recover, and improve the skills needed for daily living and working.

    Their patient treatment records are not covered by the CMIA.  The Department of Consumer Affairs Board of Occupational Therapy has information about the practice, including a page for consumers.     

a. Is there any protection for information you reveal when you buy non-prescription health products and foods?

You may be reluctant to reveal some types of non-prescription purchases, like anti-anxiety remedies or body-building products.  If this is the case, you should be aware of ways that your personally identifying information may be connected to purchases of non-prescription health products and foods. 


When you use a credit card in a store, you create a transaction record that links your name, billing information, and transaction history with a product, location, date, and time.  As explained in PRC Fact Sheet C8, Medical Information Covered by Laws Other than HIPAA (Section 2, "What privacy protections exist for medical information found in financial records?"), under California's Financial Information Privacy Act (FIPA) financial companies that hold this data need your consent before sharing it with non-affiliated third parties.  In addition, you can opt out of sharing for joint marketing purposes. That is the extent of your privacy protection in this case.


8.  Health fairs and other informal venues

Medical information that you give up at informal health venues may or may not be protected depending on the status of the vendor.  If the vendor is a commercial business doing blood pressure or diabetes tests, for example, the only privacy protections would be what the vendor offers.  If the vendor is a health care provider—a HIPAA-defined "covered entity"—the information is probably protected. 

For example, when Kaiser puts on a health fair and its own employees offer free medical services like lung function or partial bone density tests, any medical information collected in the process is protected.  However, if Costco offers flu shots and you fill out a form with personal and some medical information (such as whether you have any allergies or are pregnant), that information probably has only the protection that the vendor offers.

The best practice in any informal situation where you are required to give personally identifying and medical information—and where medical information like a test result may be recorded—is to ask the following questions:

  • Who is collecting the information—is it a company, a health care provider, or someone else?
  • Who has access to the information, and for what purposes?
  • What privacy protections do (or don't) apply?
  • Do you have any right to restrict the use or dissemination of the information that is collected?
  • Where will the information be retained, and for how long?

9.  Body art--tattoos and piercing

California has regulated tattoo and body art businesses closely for some time, focusing primarily on the health and safety of the premises and the practitioners. (Cal. Health & Safety Code §§ 119300-119328)  A law that took effect in July 2012, the Safe Body Art Act, requires a business to keep a log of all procedures it performs.  The log must include data about the procedure and the names of the practitioner and the client.  This information is hardly the same as a record of a surgery, and you may not think of it as health-related.  However, body art businesses are subject to state health inspection at any time during business hours, which includes examination of all records they are required to keep.  Your personal information in that log is not protected from, or immune to, inspection.


10. Conclusions

It requires a shift in our habitual ways of thinking to see medical information as something that exists outside the context of medical treatment. But very often it does.  When that is the case, the privacy of that information is far from guaranteed.  Be sure to look for privacy policies, if any, and ask questions of the provider.


11. Resources

California laws and resources

To find the full text of California laws, visit

California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code §§ 56-56.37)

California Financial Information Privacy Act (FIPA) (Cal. Fin. Code §§ 4050-4060)

California Online Privacy Protection Act (Cal. Bus. And Prof. Code §§ 22575-22579)   


Medical Board of California

For information on submitting a complaint:

Toll-free line: 1-800-633-2322
Phone: (916) 263-2382


California Board of Chiropractic Examiners

2525 Natomas Park Drive
Suite 260
Sacramento, CA 95833
Telephone: (916) 263-5355
Fax: (916) 263-5369

CA Relay Service TT/TDD: (800) 735-2929
Consumer Complaint Hotline: (866) 543-1311


California Department of Consumer Affairs


California Acupuncture Board

1747 N. Market Blvd
Suite 180
Sacramento, CA 95834
Phone: (916) 515-5200

Fax: (916) 928-2204

To file a complaint:


Naturopathic Medicine Committee—State of California

To file a complaint:

California Board of Occupational Therapy

2005 Evergreen Street, Suite 2050
Sacramento, CA 95815
Tel: (916) 263-2294
Fax: (916) 263-2701

For help with filing a complaint, email


California Massage Therapy Council

To submit a complaint:

Please send complaints in writing to CAMTC by email or mail:


California Massage Therapy Council
Consumer Complaints Department
One Capitol Mall - Suite 320
Sacramento, CA 95814


Federal laws and resources

For More Information on HIPAA:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (866) 627-7748


To file a complaint about a HIPAA violation
Regional offices of the HHS Office for Civil Rights


Privacy Rights Clearinghouse Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age

Food and Drug Administration


FDA For Consumers:


Consumer Health Information Staff

Room 5377, Building 32
10903 New Hampshire Ave.
Silver Spring, MD 20993


Originally funded in 2012 with cy pres award from Rodriguez et al. v. NDHealth et al.

Updated in 2017 with funding from the Rose Foundation for Communities and the Environment.