California Health Data Protection Requirements: How to Comply with CMIA, HIPAA, and CPRA


Kevin Henry

Data Protection

November 11, 2025

9 minutes read

Confidentiality of Medical Information Act Overview

California’s Confidentiality of Medical Information Act (CMIA) protects individually identifiable medical information held by health care providers, health plans, and their contractors. It governs how you collect, use, disclose, and secure patient data, and it sits alongside federal rules to create California’s baseline for privacy and security.

Scope and covered information

CMIA applies to medical information that identifies a patient and relates to their physical or mental health, treatment, or payment. It reaches beyond traditional providers to contractors that handle data on a provider’s behalf, closing gaps where sensitive records might otherwise be exposed.

Health Information Disclosure Limitations

As a default, you may not disclose medical information without the patient’s authorization. CMIA permits limited disclosures for treatment, payment, and health care operations, and for public interest exceptions such as mandated reporting. Disclosures must be the minimum necessary and documented to support accountability.

Patient Authorization Requirements

When authorization is required, obtain a signed, dated form that specifies what you may release, to whom, for what purpose, and when the authorization expires. Tell patients they can revoke authorization in writing and that redisclosure by recipients may be restricted under state or federal law.

Security duties and incident response

CMIA requires reasonable administrative, technical, and physical safeguards to protect records, including electronic health information safeguards. Maintain role-based access, audit trails, workforce training, and vendor oversight. If you discover an unauthorized access or disclosure, investigate promptly, mitigate harm, notify affected patients as required, and document your actions.

Private right of action under CMIA

Patients may sue for negligent disclosure or use of their medical information. Remedies can include statutory and actual damages, attorney’s fees, and injunctive relief. Separate civil or administrative penalties may also apply for egregious or willful violations, emphasizing the need for rigorous compliance.

Health Insurance Portability and Accountability Act Standards

HIPAA establishes national standards for protected health information (PHI). If you are a covered entity or business associate, you must comply with the Privacy, Security, and Breach Notification Rules, which complement CMIA’s state-specific obligations.

Privacy Rule essentials

  • Use and disclose PHI for treatment, payment, and operations, and for specified public purposes, while honoring the minimum necessary standard.
  • Provide a Notice of Privacy Practices, maintain policies, and limit workforce access to the least amount of PHI needed to do a job.
  • Honor patient rights to access, amend, and receive an accounting of disclosures, subject to narrow exceptions.

Security Rule: Electronic Health Information Safeguards

  • Conduct and update a risk analysis; implement risk management, access controls, authentication, audit logging, and integrity protections.
  • Adopt encryption and device/media controls appropriate to your risks, and enforce workforce security, training, and sanctions.
  • Establish contingency planning, including backups and disaster recovery, to keep ePHI available and secure.

Breach Notification Rule

  • Assess any impermissible use or disclosure of unsecured PHI to determine if it poses a significant risk of harm.
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS (and, for large incidents, prominent media) as required.
  • Apply safe harbors where PHI was encrypted or properly destroyed, and keep detailed incident records.

Business associates and contracts

Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates. Execute business associate agreements that define permitted uses, security controls, breach notification duties, and return or destruction of PHI at contract end.

California Privacy Rights Act Regulations

The CPRA expands California’s consumer privacy regime and can apply to health-related data that falls outside CMIA or HIPAA. If your organization meets CPRA’s business thresholds, you must align your practices even when you also handle regulated medical records.

When CPRA applies

CPRA generally covers for-profit entities that meet certain revenue or data-processing thresholds. It regulates the collection, use, and sharing of personal information, including sensitive personal information such as health data, outside CMIA/HIPAA contexts.

Exemptions and interplay with CMIA/HIPAA

PHI under HIPAA and medical information under CMIA are largely exempt from CPRA, but other data you hold—like wellness app events, website tracking, or HR and device telemetry—may be in scope. Map your systems to separate exempt medical records from CPRA-governed data.

Consumer rights and sensitive data

  • Give clear notice at collection with purpose, categories, and retention disclosures; honor purpose limitation and data minimization.
  • Enable rights to know, access, delete, and correct; provide opt-outs for sale or sharing; and allow consumers to limit the use of sensitive personal information.
  • Implement contracts with service providers and contractors to restrict secondary use, improve security, and support consumer requests.

Patient Access to Health Records Provisions

California’s Patient Access to Health Records Act gives patients strong, timely access to their records. You must deliver copies in the format requested if readily producible, including electronic copies when maintained electronically, and verify identity before release.

Timelines and formats

Provide inspection within a short, defined period after receiving a written request and furnish copies within 15 days when feasible. If producing an exact copy is not possible, supply a legible substitute or a summary that meets statutory requirements.

Fees and third-party access

Charge only reasonable, cost-based fees permitted by law. Upon valid direction, you may send records to a patient’s designee, another provider, or a legal representative, documenting the request and the recipient.

Amendments and addenda

Patients may submit a written addendum—often up to 250 words per disputed item—to be attached to the relevant record. Maintain both the original entry and the addendum and include both in future disclosures.

Special cases

Mental health records can be summarized in limited circumstances; minors’ records involve nuanced consent rules; and authorized representatives may access records for deceased patients subject to documentation requirements.


Substance Use Disorder Records Protections

Substance use disorder (SUD) records carry heightened protections under 42 CFR Part 2. If you operate a federally assisted SUD program, you generally need specific written patient consent before disclosing patient-identifying information, and recipients are barred from redisclosure.

Core Part 2 requirements

  • Obtain detailed consent naming the recipient and purpose; include the required prohibition on redisclosure notice with each release.
  • Use limited exceptions—for medical emergencies, research, audits, or court orders—only as the rules allow, and document each disclosure.
  • Align your privacy notices, access controls, and EHR segmentation so Part 2 data is not inadvertently shared.
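The authorization elements listed under "Patient Authorization Requirements" (signed, dated, named recipient, stated purpose, scope, expiry, written revocation), the treatment/payment/operations exception, and the Part 2 rules above (specific consent plus the redisclosure prohibition notice) can be enforced as a pre-release check before a record leaves the system. The following is an added example, not code from the article or from Accountable; the field names, the three purpose labels, and the wording of the findings are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# CMIA permits disclosure for treatment, payment and health care operations without an
# authorization; Part 2 (SUD program) records are carved out of that exception below.
TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})

@dataclass(frozen=True)
class Authorization:          # the signed, dated patient authorization form (assumed fields)
    patient_id: str
    signed_on: date | None    # None = form was never signed/dated
    expires_on: date | None   # None = no expiry stated on the form
    recipient: str            # to whom the patient allowed release
    purpose: str              # for what purpose
    record_types: frozenset   # what may be released
    revoked_on: date | None = None   # written revocation, if any

@dataclass(frozen=True)
class DisclosureRequest:      # a proposed release of records (assumed fields)
    patient_id: str
    recipient: str
    purpose: str
    record_types: frozenset
    is_part2: bool = False             # record of a federally assisted SUD program
    redisclosure_notice: bool = False  # prohibition-on-redisclosure notice attached?

def check_disclosure(req: DisclosureRequest, auth: Authorization | None, today: date) -> list[str]:
    """Return the reasons this release must not proceed; an empty list means it may."""
    problems = []
    if req.is_part2 and not req.redisclosure_notice:
        problems.append("Part 2 record: redisclosure prohibition notice missing")
    if auth is None:
        # TPO exception covers ordinary medical information only, never Part 2 data
        if req.purpose not in TPO_PURPOSES or req.is_part2:
            problems.append("no patient authorization on file for this disclosure")
        return problems
    if auth.patient_id != req.patient_id:
        problems.append("authorization belongs to a different patient")
    if auth.signed_on is None:
        problems.append("authorization is not signed and dated")
    if auth.expires_on is None or auth.expires_on < today:
        problems.append("authorization has no expiry or has expired")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("authorization was revoked in writing")
    for fld in ("recipient", "purpose"):
        if getattr(auth, fld) != getattr(req, fld):
            problems.append(f"{fld} differs from what the patient authorized")
    excess = req.record_types - auth.record_types
    if excess:
        problems.append("request exceeds authorized scope: " + ", ".join(sorted(excess)))
    return problems
```

Every non-empty result should be logged with the request so the denial itself becomes part of the audit trail the article calls for.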

California Health and Safety Code §11845.5

California law reinforces SUD confidentiality. Health and Safety Code §11845.5 protects the identity and records of persons receiving SUD services, restricting disclosures except with patient consent, valid court orders, or as required for audits and program oversight.

Physical Safeguards for Health Information

Physical controls anchor your privacy program by reducing theft, loss, and shoulder-surfing risks. Pair them with administrative and technical measures to form defense in depth for electronic health information safeguards.

Facility and workstation controls

  • Restrict access to records rooms and server areas; use badges, visitor logs, and cameras where appropriate.
  • Position screens away from public view; enable automatic screen locks and secure printing with release codes.

Device and media protections

  • Encrypt laptops, mobile devices, and removable media; maintain inventories and chain-of-custody records.
  • Sanitize or shred media before reuse or disposal; verify e-waste vendors follow approved destruction standards.

Continuity and resilience

  • Store backups offsite or in resilient cloud zones; test restores regularly and document recovery time objectives.
  • Harden network closets and telehealth spaces; control keys and promptly revoke access for departing staff.

Enforcement and Penalties Under CMIA

CMIA violations can trigger multiple layers of liability. Patients have the private right of action that CMIA provides, and regulators may pursue civil or administrative penalties for unauthorized access, use, or disclosure. Health data breach penalties escalate with willful conduct, repeat offenses, and the number of affected patients.

Regulatory and civil exposure

  • Private lawsuits may seek statutory and actual damages, attorney’s fees, and injunctive relief for negligent releases.
  • State authorities can impose per-violation penalties and require corrective action plans and audits.
  • Separate breach-notification obligations, including those under general California data breach statutes, can add enforcement risk.

Practical compliance steps

  • Maintain a written information security program, role-based access, and vendor oversight aligned to your risk analysis.
  • Run tabletop exercises; document incident response; notify affected individuals promptly and keep thorough records.
  • Train staff on health information disclosure limitations and patient authorization requirements at onboarding and annually.

FAQs

What are the key differences between CMIA and HIPAA?

HIPAA is a federal baseline that governs PHI handled by covered entities and business associates nationwide. CMIA is a California statute that protects individually identifiable medical information and applies to providers, plans, and contractors in the state. CMIA often sets stricter disclosure limits and grants a more direct private right of action, so when both apply you should follow the more protective rule.

How does CPRA affect health data protection?

CPRA covers personal information—including sensitive personal information like health data—when it is outside HIPAA/CMIA contexts. If you meet CPRA thresholds, you must provide notices, honor access/correction/deletion rights, allow opt-outs of sale or sharing, and limit uses of sensitive data. You also need contracts and data mapping so CPRA-governed data does not commingle with exempt medical records.

What rights do patients have under PAHRA?

Under California’s Patient Access to Health Records Act (PAHRA), patients can inspect records promptly and obtain copies—often within 15 days of a written request—at a reasonable, cost-based fee. They may receive electronic copies if available, direct records to a chosen recipient, and submit a written addendum (commonly up to 250 words per disputed item). Limited exceptions apply for mental health summaries and other narrow circumstances.

What penalties exist for unauthorized medical information disclosure?

Consequences can include CMIA statutory and actual damages through private lawsuits, civil or administrative penalties from state authorities, and mandated corrective actions. Separate HIPAA enforcement can impose tiered civil money penalties and settlement obligations, while CPRA may add administrative fines for misuse of consumer health data outside HIPAA/CMIA. Prompt response and remediation help reduce health data breach penalties and downstream risk.
