California Healthcare Data Privacy Laws: CCPA/CPRA and HIPAA Explained


Kevin Henry

HIPAA

December 16, 2025

HIPAA Overview and Privacy Rule

HIPAA is the federal baseline for safeguarding Protected Health Information (PHI). It applies to covered entities—healthcare providers, health plans, and clearinghouses—and to their business associates that handle PHI. Beyond security, HIPAA emphasizes health information portability and accountability, ensuring your patients can receive care and coverage without unnecessary data barriers.

What counts as PHI and who must comply

  • PHI is individually identifiable health information in any form (paper, electronic, oral) created or received by a covered entity or business associate.
  • Business associate agreements (BAAs) bind vendors to HIPAA duties when they create, receive, maintain, or transmit PHI for you.

Core Privacy Rule requirements

  • Use and disclose PHI only for treatment, payment, and healthcare operations unless another permission or a valid authorization applies.
  • Apply the minimum necessary standard, role-based access, and documented policies for routine disclosures.
  • Provide patient rights: access and obtain copies, request amendments, receive an accounting of disclosures, request restrictions, and choose confidential communication channels.

Security, de-identification, and breaches

  • The Security Rule requires administrative, physical, and technical safeguards for electronic PHI, risk analyses, and ongoing monitoring.
  • De-identified data (via expert determination or removal of specified identifiers) is not PHI, but you should guard against re-identification risks.
  • Breach Notification rules trigger timely notices to affected individuals and regulators when unsecured PHI is compromised.

CMIA Overview and Protections

California’s Confidentiality of Medical Information Act (CMIA) adds state-specific protections for medical information confidentiality. It covers providers of health care, health service plans, and certain contractors, and in some areas is stricter than HIPAA.

Scope and definitions

  • “Medical information” includes any individually identifiable information about a patient’s medical history, mental or physical condition, or treatment maintained by a covered California entity.
  • CMIA often requires written patient authorization for disclosures beyond treatment, payment, or operations, with targeted exceptions (e.g., public health, law enforcement when authorized).

Practical obligations

  • Adopt reasonable security procedures to prevent unauthorized access, use, or disclosure.
  • Train your workforce on California-specific rules, especially around sensitive services and minors.
  • Coordinate CMIA requirements with HIPAA policies so state-specific restrictions are honored where they are more protective.

CCPA Overview and Consumer Rights

The California Consumer Privacy Act (CCPA) regulates personal information handled by qualifying businesses. While PHI and CMIA-governed medical information are exempt, CCPA can still cover other data you collect—such as website analytics, marketing lists, employee/applicant data, or wellness information outside HIPAA.

Who is a covered “business”

  • For-profit entities doing business in California that meet statutory thresholds (e.g., revenue, volume of personal information, or revenue share from selling/sharing data).
  • Service providers and contractors must follow contract-based limits on data use consistent with CCPA/CPRA.

Key Consumer Data Rights

  • Right to know/access categories and specific pieces of personal information collected, used, or disclosed.
  • Right to delete, subject to statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information (including cross-context behavioral advertising).
  • Right to limit the use and disclosure of Sensitive Personal Information to what is necessary for basic services.
  • Right to data portability and freedom from discrimination for exercising rights.

Provide clear notices at collection, honor user-enabled global opt-out signals, and maintain robust intake and verification processes for requests.

CPRA Amendments and Enforcement

The California Privacy Rights Act (CPRA) amends and expands the CCPA. It creates the California Privacy Protection Agency to issue regulations and bring administrative enforcement actions, while the Attorney General retains enforcement authority.

Substantive changes you must operationalize

  • New rights and concepts: Sensitive Personal Information, correction, purpose limitation, data minimization, and storage limitation.
  • “Sharing” for targeted advertising is regulated alongside “selling.” Honor both opt-outs consistently.
  • Stronger contracts with service providers, contractors, and third parties, including purpose, use limits, assistance with consumer requests, and audit rights.
  • Risk-focused governance: document data inventories, conduct assessments for high-risk processing, and align retention schedules with stated purposes.
  • Employee and B2B data are within scope, so expand notices, rights management, and retention controls across your workforce and vendor ecosystem.

Program governance

  • Stand up a central consumer rights workflow, unify preference signals across channels, and test for consistent outcomes.
  • Embed privacy by design in product and IT change management, including DPIAs for new data uses.

Interaction Between HIPAA and CCPA/CPRA

These regimes complement each other. HIPAA governs PHI handled by covered entities and business associates; CCPA/CPRA generally excludes PHI and CMIA-governed data, but can cover non-PHI personal information your organization collects.

Applying the right rule to the right dataset

  • Ask: Is the information PHI processed by a HIPAA covered entity or business associate under a BAA? If yes, HIPAA (and CMIA, where more protective) controls that data.
  • Data outside HIPAA—such as marketing data, website telemetry, or app data collected from consumers—may fall under CCPA/CPRA obligations.
  • De-identification standards differ: HIPAA de-identification may exceed CCPA’s definition; align to the stricter standard if you plan to reuse or share datasets.
  • Contracts must reflect both frameworks: BAAs for PHI; CCPA service provider/contractor terms for non-PHI personal information.

Common scenarios

  • Provider email lists for treatment reminders: typically HIPAA-permitted use of PHI; CCPA exclusions apply to that PHI.
  • Hospital website advertising pixels: likely non-PHI personal information subject to CCPA/CPRA opt-out and SPI limits.
  • Employer health benefits data: HIPAA may apply when administered by a group health plan; other HR data can be CCPA-covered.

Enforcement Mechanisms and Penalties

HIPAA

  • Federal enforcement by HHS Office for Civil Rights, with tiered civil penalties that escalate by culpability and potential criminal penalties for wrongful disclosures.
  • Settlement agreements often require multi-year corrective action plans; regulators focus on risk analyses, access controls, and timely breach notification.

CCPA/CPRA

  • Enforced by the Attorney General and the California Privacy Protection Agency through investigations, audits, and administrative actions.
  • Civil penalties can reach up to $2,500 per violation or up to $7,500 for intentional violations and for violations involving minors.
  • Private right of action for certain data breaches of nonencrypted, nonredacted personal information, with statutory damages between $100 and $750 per consumer per incident or actual damages, plus injunctive relief.
  • CMIA provides private rights of action with statutory and actual damages, and courts may award attorneys’ fees and injunctive relief.
  • Licensed facilities can face additional administrative penalties for privacy breaches under California health facility laws.

Your best defense is demonstrable compliance: documented risk assessments, vendor due diligence, training, prompt incident response, and careful, role-based access management.

State Constitutional Privacy Protections

California’s Constitution expressly recognizes privacy as an inalienable right. Courts use this provision to police serious intrusions by public and, in certain contexts, private actors. It heightens expectations for necessity, proportionality, and transparency in your data practices.

Information Practices Act (IPA)

  • For California state agencies and contractors, the IPA establishes rules for notice, purpose specification, accuracy, access, and security of personal information.
  • If you provide services to a state agency, ensure contract terms, retention limits, and security controls satisfy both the IPA and any overlapping HIPAA/CMIA duties.

Operational takeaways

  • Collect only what you need, keep it only as long as necessary, and clearly explain purposes at collection.
  • Honor Sensitive Personal Information limits, apply least-privilege access, and monitor for unauthorized use.
  • Maintain an auditable trail of decisions and controls to show good-faith compliance across overlapping laws.

Conclusion

HIPAA, CMIA, and the CCPA/CPRA form a layered framework: federal rules for PHI, state medical confidentiality for healthcare actors, and broad consumer privacy rights for non-PHI data. Map your datasets, apply the strictest applicable rule, and build a governance program that unifies consent, rights handling, vendor controls, and security.

FAQs

How does HIPAA protect healthcare data in California?

HIPAA requires safeguards for PHI, limits uses and disclosures, and grants patient rights to access and amend their records. In California, those federal rules operate alongside CMIA, which can be even more protective for medical information handled by providers, plans, and certain contractors.

What are the key consumer rights under the CCPA and CPRA?

You must support rights to know/access, delete, correct, opt out of sale or sharing, limit Sensitive Personal Information, and receive data portability—without discrimination. You also must provide clear notices at collection and honor user-enabled opt-out signals.

How do HIPAA and CCPA/CPRA regulations interact?

PHI governed by HIPAA (and CMIA) is generally exempt from CCPA/CPRA. However, personal information you collect outside HIPAA—like website analytics, marketing data, or certain HR data—can be fully subject to CCPA/CPRA obligations, including opt-outs and SPI limits.

What penalties exist for violations of California healthcare data privacy laws?

HIPAA violations can lead to substantial civil penalties and, in egregious cases, criminal liability. Under CCPA/CPRA, regulators can impose up to $2,500 per violation or $7,500 for intentional or minors-related violations, and consumers can seek $100–$750 per person per incident for certain data breaches. CMIA also allows private suits with statutory and actual damages.
