Beginner’s Guide to California’s Confidentiality of Medical Information Act (CMIA): What It Covers and How to Comply
CMIA Overview
California’s Confidentiality of Medical Information Act (CMIA) is the state’s core medical information confidentiality law. It governs how medical information is collected, used, disclosed, and safeguarded by specified organizations and their partners.
CMIA complements federal rules by setting California-specific standards for health information safeguarding. It addresses when you need patient authorization, what limited disclosures are permitted, and how to respond to breaches and patient requests.
CMIA versus HIPAA compliance
Think of CMIA as an additional layer on top of HIPAA. If you are subject to both, you must meet the stricter rule in each situation. CMIA often narrows disclosures, raises documentation expectations, and strengthens remedies for patients compared with HIPAA.
California periodically refines privacy protections, including targeted updates such as the SB 81 patient privacy amendment. Track state changes even if your HIPAA program is mature.
Covered Entities
CMIA applies to specific categories, broadly referred to in the statute as providers, plans, and contractors. If you operate in California or handle Californians’ medical information for these entities, you likely have duties under CMIA.
- Providers of health care: physicians, clinics, hospitals, labs, pharmacies, and similar licensed professionals and facilities.
- Health care service plans: HMOs and other health plans operating in California.
- Contractors and service partners: billing companies, EHR and telehealth vendors, TPAs, data processors, document storage providers, and similar vendors acting on behalf of a covered entity.
- Other contexts: employers, researchers, and pharmaceutical companies may have CMIA obligations when they receive or maintain medical information from a provider, plan, or contractor.
If you are unsure whether you are a covered entity or contractor, review your role and data flows. The more you handle identifiable medical information for a provider or plan, the more likely CMIA applies.
Protected Medical Information
CMIA protects “medical information,” meaning individually identifiable information in any form that relates to a person’s medical history, mental or physical condition, or treatment, and that is held by a covered entity or contractor.
Examples include diagnoses, test results, treatment notes, prescriptions, imaging, referral and claims details, and administrative data that reveals care. Both paper and electronic records are covered, including archived backups.
De-identified data (that cannot reasonably identify a person) is generally outside CMIA’s scope. However, if re-identification is possible or you maintain linkable codes, treat the data cautiously and apply appropriate controls.
Patient Rights Under CMIA
Patients have robust rights. You must provide clear notices describing how information is used and disclosed, and you must honor lawful requests promptly.
- Access and copies: Patients can inspect or obtain copies of their medical records within defined timeframes.
- Amendments/addenda: Patients may request corrections or submit an addendum to clarify disputed information in their records.
- Confidential communications: Patients can request alternate addresses or contact methods to protect privacy.
- Restrictions and complaints: Patients may request limits on certain disclosures and can pursue remedies if rights are violated.
Disclosure Limitations
Under CMIA, you generally need patient authorization to disclose medical information unless a specific exception applies. Patient authorization requirements include a clear description of information, purpose, recipients, duration, and the patient’s signature and date.
Disclosures without authorization are narrowly defined and should follow the minimum necessary principle. Always verify the legal basis, document the rationale, and record the disclosure.
- Treatment, payment, and health care operations necessary to run your practice or plan.
- Mandatory reporting and public health activities required by law.
- Court orders, subpoenas, or other legally authorized processes with appropriate safeguards.
- Law enforcement or protective disclosures permitted in limited, specific circumstances.
- Research with appropriate approvals and privacy protections.
- De-identified or aggregated data that does not reveal patient identity.
Penalties for CMIA Violations
Violations can trigger the civil penalties CMIA authorizes, as well as a private right of action for individuals harmed by unlawful disclosures or inadequate safeguards. Courts may award actual damages, statutory or nominal damages, and, in egregious cases, punitive damages.
Regulators and courts may also impose injunctive relief, compliance monitoring, and, for willful or reckless misconduct, potential criminal consequences. Beyond legal exposure, reputational damage and contractual repercussions with plans and partners can be severe.
Compliance Requirements for Healthcare Providers
Build a CMIA program that is practical, documented, and auditable. If you already follow HIPAA, align controls and close California-specific gaps to ensure end-to-end compliance.
- Governance: Assign accountable privacy and security owners; define escalation paths for incidents and requests.
- Data inventory: Map where medical information lives, who accesses it, and which vendors process it.
- Policies and procedures: Codify collection, use, disclosure, retention, and disposal aligned to CMIA.
- Patient authorization management: Use standardized, intelligible forms; validate scope and expiration; log all authorizations.
- Access controls: Enforce role-based access, unique credentials, and periodic access reviews.
- Security safeguards: Encrypt data in transit and at rest, patch systems, segment networks, and monitor for anomalies.
- Workforce training: Provide initial and periodic training on CMIA, patient authorization requirements, and incident response.
- Vendor management: Execute written agreements with contractors that bind them to CMIA duties and security standards.
- Breach response: Maintain a tested plan for investigation, containment, notifications, and remediation under California timelines.
- Documentation and audits: Keep evidence of decisions, disclosures, training, and assessments; perform regular internal audits.
- Continuous improvement: Track state updates, including refinements like the SB 81 patient privacy amendment, and adjust controls.
Conclusion
CMIA sets clear expectations for medical information confidentiality and health information safeguarding in California. By layering CMIA onto HIPAA, tightening disclosures, and operationalizing strong safeguards, you reduce risk and respect patients’ rights.
FAQs
What types of medical information are protected under CMIA?
CMIA protects individually identifiable information about a person’s medical history, mental or physical condition, or treatment that is created, received, or maintained by a covered provider, plan, or contractor. This includes clinical data, billing details that reveal care, and any format—paper, electronic, images, audio, or backups.
How do healthcare providers comply with CMIA requirements?
Establish written policies, train your workforce, manage authorizations, restrict access, secure systems, and document all disclosures. Align HIPAA controls with CMIA specifics, execute contractor agreements, maintain an incident response plan, and audit regularly to verify effectiveness and close gaps.
What penalties exist for CMIA violations?
Consequences can include civil penalties, statutory or nominal damages, and a private right of action for affected individuals. Courts may order injunctive relief and, for willful or reckless conduct, impose enhanced remedies and potential criminal liability.
Can patients request amendments to their medical records under CMIA?
Yes. Patients can ask you to correct inaccuracies or, if a correction is not made, to add an addendum explaining their position. You must review and respond within applicable California timeframes and include approved amendments or addenda in future disclosures as required.