CMIA (California Confidentiality of Medical Information Act)

California's Confidentiality of Medical Information Act (CMIA) requires medical providers to obtain written authorization before releasing patients' medical information. This article provides a comprehensive overview of the California CMIA, including how it differs from the federal HIPAA law.

As a patient, you trust that your medical records will be handled confidentially, with access granted only to authorized individuals. In the state of California, medical providers must adhere to the California Confidentiality of Medical Information Act (CMIA) to protect the privacy rights of patients. The Act requires healthcare providers to obtain written authorization before sharing medical information.

This article explores the CMIA legislation in depth, including its principal provisions, recent amendments, and how it compares with the federal Health Insurance Portability and Accountability Act (HIPAA).

Key Provisions of California CMIA

Enacted in 1981, the CMIA is one of the most stringent medical privacy laws and applies to a broad array of healthcare organizations, including medical doctors, hospitals, clinics, and more.

Key provisions under the CMIA include:

1. Written Authorization

Medical providers must obtain written authorization from patients before releasing their medical data to any third party, except where the law permits disclosure or in urgent circumstances. This means they must explicitly obtain written consent from patients before they can share their medical records with other clinicians, insurers, employers, or relatives.

This authorization must be signed by the patient or a designated representative, must plainly state the purpose of the disclosure, and must specify precisely what information will be shared and with whom.

2. Patient Access

Under the CMIA, patients have the right to access their medical records and request copies of them. This is an essential right: it allows individuals to verify the accuracy of their healthcare information and detect any potential violations of their privacy.

Medical providers must make medical records available within a reasonable timeframe once they receive a request. The time required may vary depending on the type of record requested and the complexity of the request. For example, a single record can be provided faster than a complete patient history.

Patients may also be charged a reasonable fee for copies of their medical records, covering duplication, delivery, or administrative costs. However, providers are not allowed to bill patients for retrieving or compiling such records.

3. Record Retention

Medical providers must keep patient records for at least seven years from the date of service, discharge, or death. Security controls must be in place to protect records from unauthorized access or disclosure. The CMIA also requires healthcare providers to have policies and procedures for storing, destroying, and disposing of confidential records in compliance with state and federal regulations.

4. Penalties

The CMIA imposes civil and criminal penalties for violating the law, including fines and imprisonment. These penalties are intended to deter medical professionals from wrongfully disclosing or mishandling patients' medical information and to give patients a way to seek redress when their privacy has been breached.

Civil penalties may include fines of up to $25,000 per victim for each violation of the CMIA. The provider may also be held liable for damages the affected individuals suffer as a result of the violation, such as medical costs, emotional distress, or lost wages. Depending on the severity of the violation and the number of people affected, victims may also be awarded punitive damages, intended to punish the provider and deter future violations of the law.

Besides civil liability, offenders may also face criminal prosecution under the CMIA, with penalties that may include fines, imprisonment, or both. The sanctions imposed will depend on the seriousness of the breach and how many people were affected.

Recent Amendment to CMIA

In 2021, the California legislature passed an amendment to the CMIA that came into force on January 1, 2022. This amendment clarifies that medical providers may share patient medical information with family members or caregivers without written authorization, so long as doing so is in the best interest of the patient and only the information that is necessary is shared.

CMIA vs. HIPAA

While both CMIA and HIPAA aim to protect patients' medical information, there are several differences between the two laws. HIPAA is a federal law that establishes national standards for the privacy and security of protected health information (PHI), whereas CMIA is a California state law that offers additional safeguards for people's medical records.

A key distinction is that CMIA requires medical practitioners to obtain written consent from patients before disclosing their health information, whereas HIPAA allows verbal consent in certain scenarios. Furthermore, CMIA gives patients the right to access their medical records and request copies of them, while HIPAA gives them the right to inspect and obtain a copy of their PHI.

Another difference between CMIA and HIPAA is the scope of their coverage. HIPAA applies to a broader range of entities than CMIA, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. On the other hand, CMIA primarily applies to healthcare providers in California.

The penalties for violating CMIA and HIPAA also differ. While CMIA provides for both civil and criminal penalties for violations, HIPAA only allows for civil penalties. CMIA also sets higher maximum penalties than HIPAA for certain types of violations.

Another key difference between the two laws is their enforcement mechanisms. HIPAA is primarily enforced by the Department of Health and Human Services' Office for Civil Rights, while CMIA is enforced by the California Department of Public Health. As a result, patients in California may have more avenues for pursuing complaints and seeking remedies under CMIA than they would under HIPAA.

The Bottom Line: Partner with Accountable HQ for Comprehensive Compliance Solutions

In conclusion, the California Confidentiality of Medical Information Act (CMIA) plays a crucial role in protecting patients' privacy rights and regulating the disclosure of their medical information. It is important for healthcare providers and patients alike to understand the requirements of CMIA and its differences from other privacy laws, such as HIPAA.

If you are a healthcare provider seeking to ensure compliance with the CMIA and other relevant privacy laws, or a patient who wants to protect your medical privacy rights, consider partnering with Accountable HQ. Our risk and compliance software-as-a-service platform provides the tools and information you need to navigate the complex worlds of data security, privacy legislation, and risk management.

Visit our blog for more insights and information on these important topics, and start your journey towards greater peace of mind and compliance today.