Last November a California Court of Appeal upheld the right of a healthcare provider to disclose a patient’s private medical records to a governmental agency against the patient’s wishes. The patient plaintiff, a bus driver, sued the City and County of San Francisco and doctor Kim, staff physician at the Department of Public Health, for breach of contract, based primarily on the consent to release information the patient had signed, and intentional tort of breach of privacy.

The trial court ruled against the plaintiff patient on both grounds and the appellate court upheld the trial court’s decision with a detailed and well-analyzed opinion (copy attached and on website at

The case centered around the doctor’s letter to the Department of Motor Vehicles informing the DMV of the patient’s cognitive disorders and other serious conditions that would impair his ability to drive and would pose a threat to himself and others. The patient did not authorize the letter.

The Court found that neither HIPAA nor the California Confidentiality of Medical Information Act (CMIA) preempted or prevented the letter. The Court found that both statutes have exemptions for issues regarding law enforcement and public safety, and also found that the defendants’ Notice of Privacy Practices contained a provision that allowed for the disclosure without authorization. The Court further noted California’s strong public policy encouraging the reporting of unsafe drivers.

The Court also based its opinion on California’s “litigation privilege” which protects communications in judicial or “quasi-judicial” proceedings, and which is broadly interpreted. The Court deemed the DMV proceeding concerning the suspension or revocation of a driver’s license to meet that definition and ruled that neither HIPAA nor the CMIA preempted the litigation privilege.

Take away from this case: providers are protected if they disclose medical information protected by HIPAA and the CMIA if done in good faith and for health and safety concerns, but must do so in the proper context and consistent with their Notice of Privacy Practices.