California HIPAA Law Explained: Key Requirements, CMIA, and CCPA/CPRA

Kevin Henry

HIPAA

August 10, 2025

8 minutes read

HIPAA Overview and Privacy Rule

HIPAA sets a national baseline for health privacy and applies to covered entities—healthcare providers, health plans, and clearinghouses—and their business associates. It governs Protected Health Information (PHI), meaning individually identifiable health data in any form: paper, oral, or electronic.

The Privacy Rule permits use and disclosure of PHI for treatment, payment, and healthcare operations (TPO) without patient authorization. Outside TPO and the other disclosures the rule expressly permits (for example, those required by law or for public health), you must obtain a valid written authorization that describes the information, the purpose, the recipients, and an expiration date or event, and that tells the patient the authorization can be revoked. The same elements drive California compliance decisions, because CMIA judges authorizations on similar specifics.

Patients have robust rights: access to records, request for amendments, an accounting of disclosures, restrictions, and confidential communications. You must provide a Notice of Privacy Practices and follow the minimum necessary standard to limit PHI use and disclosure to what is reasonably needed.

HIPAA preempts conflicting state laws unless the state rule is more stringent, that is, more protective of the patient. In California, the Confidentiality of Medical Information Act (CMIA) often sets the stricter bar, so when both laws apply you follow whichever gives the patient greater confidentiality. Preemption is decided provision by provision rather than statute by statute, so the comparison has to be made for each use or disclosure.

HIPAA Security Rule Requirements

The Security Rule protects electronic PHI (ePHI) by requiring administrative, physical, and technical safeguards. Its risk-based framework expects you to assess threats, implement reasonable and appropriate controls, and document decisions.

Administrative safeguards

  • Enterprise-wide risk analysis and ongoing risk management.
  • Workforce security, role-based access, training, and sanction policies.
  • Vendor due diligence and business associate agreements aligned to Security Rule controls.
  • Contingency planning: backups, disaster recovery, emergency operations, and testing.
  • Security incident response, logging review, and periodic evaluations.

Physical safeguards

  • Facility access controls, visitor management, and secure server rooms.
  • Workstation positioning, screen privacy, and device/media controls for disposal and reuse.

Technical safeguards

  • Unique user IDs, person or entity authentication (in practice multi-factor, though the current rule does not name a method), and automatic logoff.
  • Encryption in transit and at rest for EHR databases, backups, and endpoints. Encryption is an addressable specification, but PHI encrypted to HHS guidance is not "unsecured PHI," so a lost encrypted laptop is not a reportable breach while an unencrypted one is.
  • Audit controls, tamper-evident logs, and integrity checks that detect unauthorized alteration of ePHI.
  • Transmission security and secure configuration baselines for EHRs and cloud services.

Effective programs layer security: least-privilege access, network segmentation, patching, vulnerability management, and continuous monitoring. Map these controls to real-world workflows such as telehealth, patient portals, and mobile charting.
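"Tamper-evident logs" is the one safeguard above that is easy to claim and hard to verify, so here is an added example (not code from this page, its author, or any EHR product) of the usual construction: an audit log in which every entry carries an HMAC over its own content and the previous entry's tag, so editing, deleting, or reordering any record breaks every tag after it. The key, event fields, and sample events are constructed for the illustration.

```python
"""Hash-chained, HMAC-sealed audit log for ePHI access events (added example).

Each entry commits to the previous entry's tag, so deleting, reordering, or
editing a record invalidates everything after it. Key, field names and sample
events are constructed for this example; a real deployment keeps the key
outside the system whose actions it records (HSM or separate log collector).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # tag "before" the first entry


@dataclass(frozen=True)
class Entry:
    seq: int      # position in the chain
    event: dict   # who / what / when / which record
    prev: str     # hex tag of the previous entry (GENESIS for the first)
    mac: str      # HMAC-SHA256 over (seq, event, prev)


def _canonical(seq: int, event: dict, prev: str) -> bytes:
    # Canonical JSON so the same event always serializes identically.
    return json.dumps({"seq": seq, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":")).encode()


def _seal(key: bytes, seq: int, event: dict, prev: str) -> str:
    return hmac.new(key, _canonical(seq, event, prev), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Entry] = []

    def append(self, event: dict) -> Entry:
        prev = self.entries[-1].mac if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, event, prev, _seal(self._key, seq, event, prev))
        self.entries.append(entry)
        return entry


def verify(key: bytes, entries: List[Entry]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev != prev:      # gap, reorder or deletion
            return i
        expected = _seal(key, e.seq, e.event, e.prev)
        if not hmac.compare_digest(expected, e.mac):   # edited content
            return i
        prev = e.mac
    return None


def demo() -> dict:
    """Build a small log, then show an edit and a deletion being detected."""
    key = b"constructed-example-key-keep-real-keys-in-an-hsm"
    log = AuditLog(key)
    log.append({"user": "dr.alice", "action": "read", "mrn": "MRN-0001", "ts": "2025-08-10T09:00:00Z"})
    log.append({"user": "clerk.bob", "action": "read", "mrn": "MRN-0002", "ts": "2025-08-10T09:05:00Z"})
    log.append({"user": "dr.alice", "action": "export", "mrn": "MRN-0001", "ts": "2025-08-10T09:10:00Z"})
    intact = verify(key, log.entries)                       # None

    # Tampering 1: an insider rewrites who exported the record.
    edited = list(log.entries)
    e = edited[2]
    edited[2] = Entry(e.seq, {**e.event, "user": "clerk.bob"}, e.prev, e.mac)
    edit_detected = verify(key, edited)                     # 2

    # Tampering 2: the middle entry is deleted; the chain link breaks.
    truncated = [log.entries[0], log.entries[2]]
    delete_detected = verify(key, truncated)                # 1

    return {"intact": intact, "edit": edit_detected, "delete": delete_detected}


if __name__ == "__main__":
    print(demo())
```

verify() has to run from a process that holds the key but cannot write the log, otherwise the property is only as strong as the administrator's honesty; in practice the key lives in an HSM or with a separate log collector, and the latest tag is periodically copied to write-once storage so that silently truncating the tail is detectable as well.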

CMIA Scope and Definitions

California’s Confidentiality of Medical Information Act (CMIA), Civil Code section 56 and following, protects “medical information”: individually identifiable information about a patient’s medical history, mental or physical condition, or treatment, in electronic or physical form, held by or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor. It applies regardless of format and covers data maintained in clinical, billing, and ancillary systems.

CMIA’s definition of medical information is close to HIPAA’s PHI, but its reach and remedies differ. It binds some entities HIPAA does not, notably businesses that offer consumer software or hardware designed to maintain medical information, which CMIA treats as providers, and it enforces confidentiality through explicit limits on disclosure, prescriptive authorization rules, and a private right of action for negligent release in addition to administrative and criminal penalties.

Entities frequently subject to CMIA include hospitals, physician groups, labs, imaging centers, health plans, and contractors performing services that involve access to medical information, such as billing, IT support, utilization review, and quality management.

CMIA Disclosure Restrictions

Under CMIA, you generally may not disclose medical information without the patient’s written authorization. A valid authorization must be signed and dated, printed in type no smaller than 14 point unless handwritten by the signer, and must identify the provider that may disclose, the recipients, the specific information and its permitted uses, and a date after which it expires; it must also tell the signer of the right to receive a copy. The patient may cancel or modify it at any time. Blanket or open-ended permissions do not meet these requirements.

CMIA permits disclosures without authorization for defined purposes, including diagnosis and treatment, payment, and certain healthcare operations such as peer review and quality management. Other permitted disclosures include those compelled by law (public health reporting, court orders, and subpoenas that meet the statute’s conditions), narrowly tailored law enforcement requests, and specified oversight activities. Each exception is confined to its purpose, and where HIPAA also applies its minimum necessary standard still limits what you release.

California law adds heightened protections for sensitive services and for minors who may lawfully consent to their own care (for example, certain reproductive, mental health, and substance use services). When a minor consents to care, the minor rather than the parent or guardian controls the authorization, so disclosure to a parent generally requires the minor’s authorization, subject to defined exceptions. CMIA also curbs the sale or marketing use of medical information absent specific, informed authorization.

Maintain auditable processes for identity verification, authorization intake, denial letters where applicable, and rapid response to improper access. California breach notification duties and HIPAA’s Breach Notification Rule often both apply and run on different clocks: HIPAA allows up to 60 days after discovery, whereas licensed clinics, hospitals, and similar facilities must report unlawful or unauthorized access to the California Department of Public Health and notify affected patients within 15 business days under Health and Safety Code section 1280.15. Harmonize timelines and content, and plan around the stricter deadline.

CCPA and CPRA Consumer Rights

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents rights over personal information held by covered “businesses.” While many clinical records are exempt, CCPA/CPRA still matters for non-HIPAA data such as website analytics, marketing lists, recruiting, and wellness programs.

Key consumer rights

  • Right to know/access categories and specific pieces of personal information.
  • Right to delete and to correct inaccurate information, subject to exceptions.
  • Right to data portability in a readily usable format.
  • Right to opt out of sale or sharing (including cross-context behavioral advertising).
  • Right to limit the use and disclosure of sensitive personal information.
  • Right to non-discrimination for exercising privacy rights.

CCPA/CPRA also codifies role-based obligations for service providers and contractors, mandates reasonable security (with a private right of action for breaches that result from its absence), and empowers the California Privacy Protection Agency (CPPA) and the Attorney General to enforce the rules. Covered businesses must implement identity verification, respond to requests within 45 days (extendable once by a further 45 when reasonably necessary), and maintain records of requests and responses.

CCPA/CPRA Exemptions Pertaining to Health Data

Most PHI processed by HIPAA covered entities and business associates is exempt from CCPA/CPRA, as is medical information governed by CMIA. Deidentified data derived from patient information and meeting HIPAA’s deidentification standard can also be exempt, provided the business does not attempt to reidentify it, publicly commits not to, and contractually bars recipients from doing so; information collected in clinical trials and certain other research is exempt as well.

However, health-related data outside HIPAA/CMIA—such as consumer wellness app metrics, fitness tracker data, retail pharmacy loyalty profiles, website interaction data, and call center recordings—remains within CCPA/CPRA’s scope. If you use such data for targeted advertising or analytics, you must provide notices and honor opt-out and limitation rights.

CPRA’s “sensitive personal information” category includes health data and precise geolocation. For non-exempt datasets, you must offer a clear method to limit sensitive PI uses to what is necessary to provide requested services, and you should avoid characterizing medical information uses as “necessary” unless you can substantiate that claim.

Compliance Strategies for Healthcare Entities

Begin with a data map across clinical, operational, and marketing systems. Classify each flow as HIPAA PHI, CMIA medical information, CCPA/CPRA personal information, or exempt/deidentified. This scoping decision drives your notices, contracts, and technical safeguards.

Program governance

  • Assign leadership for HIPAA, CMIA, and CCPA/CPRA with a unified risk register and board reporting.
  • Maintain policies for minimum necessary, access, authorization management, retention, and disposal.
  • Run privacy-by-design reviews for new telehealth features, portals, and third-party SDKs.

Notices, rights, and contracts

  • Publish a HIPAA Notice of Privacy Practices and a consumer-facing privacy policy covering non-PHI under CCPA/CPRA.
  • Operationalize consumer rights: authenticated portals for access/correction/deletion; documented exceptions for medical record retention and legal holds.
  • Use Business Associate Agreements for HIPAA data and “service provider/contractor” terms for CCPA/CPRA data; prohibit secondary use, sale, or sharing.

Security controls and EHR hardening

  • Implement encryption at rest and in transit, MFA, least-privilege access, robust logging, and continuous monitoring for EHR and adjacent systems.
  • Apply device and media controls, secure backups, disaster recovery testing, and third-party risk assessments for hosting and analytics providers.
  • Use data loss prevention and tokenization where possible; segment clinical networks from marketing and administrative systems.

Authorization and disclosure management

  • Standardize authorization forms with precise scopes, expirations, and revocation workflows, and validate incoming forms against the CMIA and HIPAA elements before releasing records.
  • Train staff on CMIA’s stricter disclosure rules, minor-consent scenarios, and sensitive services.
  • Automate accounting of disclosures and maintain defensible logs for audits and investigations.

Marketing, cookies, and analytics

  • Avoid embedding tracking technologies that capture PHI on patient-facing pages; segregate PHI from analytics streams.
  • Provide opt-outs for sale/sharing, honor Global Privacy Control signals, and limit sensitive PI processing where CCPA/CPRA applies.
  • Do not use PHI for marketing without specific, written HIPAA-compliant authorization.
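The two technical instructions in this list, keep trackers off PHI-bearing pages and honor Global Privacy Control, are small enough to enforce in one server-side gate. The following is an added example (not code from this page or from any analytics vendor). It relies on two facts: browsers with GPC enabled send the request header Sec-GPC: 1, and CPRA regulations treat that signal as a valid opt-out of sale and sharing. The route prefixes, parameter names, and sample requests are constructed assumptions; a real site would derive them from its data map.

```python
"""Gate third-party analytics on GPC and keep PHI out of the event stream (added example).

Facts relied on: GPC-enabled browsers send "Sec-GPC: 1"; under CPRA that is a
valid opt-out of sale/sharing. Route prefixes, parameter names and requests
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlunsplit

# Assumed patient-facing areas: any URL or event here can reveal that a specific
# person received care, so no third-party tag is ever served on them.
PHI_ROUTE_PREFIXES = ("/portal/", "/appointments/", "/telehealth/", "/results/")

# Assumed query parameters that carry identifiers; stripped before anything
# leaves the first-party boundary. Pattern-based scrubbing (MRN formats, email
# addresses in free text) would sit alongside this deny list in production.
IDENTIFYING_PARAMS = {"mrn", "patient_id", "email", "dob", "appt"}


@dataclass(frozen=True)
class Request:
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def gpc_opt_out(req: Request) -> bool:
    """True when the browser asserts Global Privacy Control (Sec-GPC: 1)."""
    return req.header("Sec-GPC") == "1"


def is_phi_context(req: Request) -> bool:
    return req.path.startswith(PHI_ROUTE_PREFIXES)


def serve_third_party_tags(req: Request) -> bool:
    """May this page include third-party analytics or advertising scripts?"""
    if is_phi_context(req):
        return False   # HIPAA/CMIA side: PHI never reaches a tracker
    if gpc_opt_out(req):
        return False   # CCPA/CPRA side: honor the opt-out of sale/sharing
    return True


def scrub_url(path: str, query: str) -> str:
    """Remove identifying parameters before a URL is logged or sent anywhere."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in IDENTIFYING_PARAMS]
    return urlunsplit(("", "", path, urlencode(kept), ""))


def first_party_event(req: Request) -> Optional[dict]:
    """First-party analytics record, or None when nothing may be collected.

    GPC opts the user out of sale/sharing, not out of first-party measurement,
    so the event is kept but flagged so it is never forwarded to ad partners.
    """
    if is_phi_context(req):
        return None
    return {"page": scrub_url(req.path, req.query),
            "share_allowed": not gpc_opt_out(req)}


def demo() -> dict:
    # Constructed requests standing in for real traffic.
    blog = Request("/blog/flu-season", "utm_source=news&email=pat%40example.com")
    blog_gpc = Request("/blog/flu-season", "utm_source=news", {"Sec-GPC": "1"})
    portal = Request("/portal/results", "mrn=MRN-0001&view=labs", {"sec-gpc": "0"})
    return {name: (serve_third_party_tags(r), first_party_event(r))
            for name, r in (("blog", blog), ("blog_gpc", blog_gpc), ("portal", portal))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The decision is made before the HTML is rendered, so a tag manager never gets a chance to fire on a portal page, and the scrubbed URL is the only form of the page address that reaches the analytics pipeline. Browser-side checks of navigator.globalPrivacyControl can supplement this but should not replace it, since a script that has already loaded has already made its requests.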

Incident readiness

  • Maintain a unified incident response plan that aligns HIPAA breach analysis with California notification rules and CCPA/CPRA security obligations.
  • Test playbooks for misdirected faxes, portal misconfigurations, lost devices, vendor breaches, and web tracker exposures.

Conclusion

California HIPAA law compliance means layering federal HIPAA standards with CMIA’s stricter confidentiality rules and CCPA/CPRA’s consumer rights for non-clinical data. Classify data first, apply the most protective rule, and operationalize privacy through sound contracts, hardened systems, and clear rights-response processes.

FAQs

What are the main differences between HIPAA and CMIA?

HIPAA is a federal baseline that covers PHI held by covered entities and business associates, permitting TPO uses and defining national patient rights. CMIA is a California statute focused on “medical information” held by providers, plans, pharmaceutical companies, and contractors; it reaches some entities HIPAA does not, often imposes tighter disclosure limits, and offers a private right of action. When both apply, you follow the standard that gives the patient greater confidentiality.

How does CPRA affect healthcare data privacy?

CPRA extends CCPA by adding correction rights, sensitive personal information limits, and stronger enforcement. While HIPAA/CMIA data is exempt, CPRA governs non-exempt data such as website analytics, marketing databases, and wellness-program information. Covered businesses must provide notices, enable opt-outs of sale/sharing, limit sensitive PI uses, and respond to consumer requests.

When is patient authorization required under CMIA?

Authorization is required for any disclosure not expressly permitted by law, such as those for treatment, payment, and permitted healthcare operations. A valid CMIA authorization must be signed and dated, specific about the information, purpose, recipients, and expiration date, and must advise the patient of the right to receive a copy; the patient may cancel or modify it at any time. Broad or indefinite consents are insufficient.

What protections exist for electronic health records under HIPAA?

HIPAA’s Security Rule requires administrative, physical, and technical safeguards for ePHI, including risk analysis, workforce controls, facility and device protections, and measures such as access controls, audit logging, integrity checks, and encryption. Together these controls protect electronic health records and reduce breach risk.
