California HIPAA Laws Explained: A Practical Guide to HIPAA, CMIA, and CCPA Compliance


Kevin Henry

HIPAA

August 24, 2025

9 minute read

HIPAA Requirements for Healthcare Providers

What HIPAA Covers and How It Interacts with California Law

HIPAA sets a nationwide baseline for safeguarding Protected Health Information. In California, you must apply HIPAA first, then layer on any state rule—such as CMIA—that is more protective. When state and federal rules differ, you follow the provision that offers stronger privacy for individuals.

Core Obligations You Must Operationalize

  • Privacy Rule: Define and document permissible uses and disclosures for treatment, payment, and health care operations. Obtain Patient Authorization for uses beyond these purposes and honor the minimum necessary standard.
  • Security Rule: Perform a risk analysis and implement administrative, physical, and technical safeguards (access controls, audit logs, encryption in transit, and secure configuration baselines).
  • Breach Notification: Maintain incident response plans, assess impermissible uses or disclosures, and deliver timely notifications to affected individuals and regulators when required.
  • Right of Access: Provide individuals access to their PHI—generally within 30 days—and allow them to receive records in the form and format requested if readily producible.
  • Business Associate Management: Execute Business Associate Agreements that bind vendors to HIPAA duties, including breach reporting and downstream subcontractor controls.

Medical Information Disclosure in a California Context

For California providers, the same event can trigger both HIPAA and CMIA obligations. Build decision trees that ask: Is the information PHI? Is the recipient a covered entity, business associate, or contractor? Is Patient Authorization required? This prevents unauthorized Medical Information Disclosure and ensures consistent logging and accounting of disclosures.

CMIA Protections for Medical Information

Who CMIA Covers and What It Protects

The Confidentiality of Medical Information Act (CMIA) protects “medical information” held by providers of health care, health care service plans, and their contractors. It focuses on individually identifiable details about a patient’s condition, diagnosis, or treatment that these entities create, maintain, or disclose. CMIA can be stricter than HIPAA, so you must map which datasets qualify as CMIA-protected medical information.

Authorizations, Disclosures, and Special Limits

  • Authorization: Except for defined exceptions (for example, treatment or certain public health activities), written Patient Authorization is required before disclosure. The authorization should specify the information, purpose, recipient, and expiration.
  • No Sale of Medical Information: CMIA generally prohibits selling medical information, closing a common monetization route for data-intensive products.
  • Vendor Oversight: “Contractors” handling medical information must implement safeguards and are subject to penalties for improper Medical Information Disclosure.

Practical CMIA Controls

  • Classify records as HIPAA PHI, CMIA medical information, both, or neither to apply the strictest rule.
  • Limit workforce access on a need-to-know basis and monitor with audit logs.
  • Use data minimization and retention schedules so you retain only what you need for the shortest time feasible.

CCPA Scope and Exemptions

Regulatory Compliance Thresholds

The California Consumer Privacy Act (as amended by the CPRA) applies to for-profit entities doing business in California that collect or determine the purposes and means of processing personal information and meet at least one threshold: over $25 million in annual gross revenues in the preceding calendar year; buy, sell, or share personal information of 100,000 or more California consumers or households; or derive 50% or more of annual revenue from selling or sharing personal information.

Health Data Exemptions

  • PHI under HIPAA: Personal information that is Protected Health Information collected by a covered entity or business associate is exempt from CCPA obligations.
  • CMIA Medical Information: Medical information handled by CMIA-regulated entities is exempt.
  • Clinical Trials and Certain Research: Data processed under specified research regimes is out of CCPA scope.
  • De-identified and Aggregate Data: Properly de-identified or aggregate information falls outside CCPA, provided you maintain processes that prevent re-identification.

Consumer Privacy Rights Under CPRA

For non-exempt personal information, you must offer Consumer Privacy Rights: the rights to know, access, delete, and correct; to opt out of sale or sharing; to limit the use and disclosure of sensitive personal information; and to be free from retaliation. You also need clear notices at collection, a privacy policy covering data practices, and robust verification and response workflows.

AB 713 Amendments to CCPA

What AB 713 Changed for Health Data

AB 713 clarifies that health information de-identified in accordance with HIPAA’s standards is exempt from CCPA. If you sell or disclose HIPAA de-identified “patient information,” AB 713 requires specific privacy policy disclosures and written contracts that prohibit re-identification and restrict downstream use. It also aligns the definition of research more closely with federal frameworks, easing compliant collaboration with academic and industry partners.


Data De-identification Standards

  • HIPAA Safe Harbor: Remove the specified identifiers and implement safeguards to prevent re-identification.
  • HIPAA Expert Determination: Use a qualified expert to determine that the risk of re-identification is very small and document the methodology.
  • CCPA/CPRA Deidentified Data: Maintain technical and organizational measures that prevent re-identification, publicly commit not to re-identify, and contractually obligate recipients to honor these limits.
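Of the three standards above, Safe Harbor is the one that can be applied mechanically. The following Python routine is an added example written for this guide (not code from the article or from Accountable): it applies Safe Harbor's identifier removal, date-to-year reduction, ZIP truncation and over-89 age aggregation to a flat patient record. The field names, the reference-date parameter and the restricted ZIP prefix set (taken from HHS guidance, to be verified against current census data) are assumptions.

```python
import re
from datetime import date

# 3-digit ZIP prefixes covering 20,000 or fewer people per the HHS Safe Harbor
# guidance (2000 census); verify against current data before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Direct identifiers removed outright (assumed field names for a flat record).
DIRECT_IDENTIFIERS = {"name", "street_address", "city", "phone", "email", "ssn",
                      "mrn", "health_plan_id", "account_number", "license_number",
                      "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo"}
# Dates tied to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for sparsely populated prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def safe_harbor_deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of a flat record dict (as_of: ISO date)."""
    today = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value                          # clinical content stays
    birth = record.get("birth_date")
    if birth:
        born = date.fromisoformat(birth)
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        # Ages over 89 collapse into one "90+" bucket, and any date element
        # (even the year) that would reveal such an age must go as well.
        if age >= 90:
            out["age"] = "90+"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Example", "mrn": "MRN-000123", "zip": "90210", "birth_date": "1930-03-15",
          "admission_date": "2024-07-04", "diagnosis_code": "E11.9"}
```

Safe Harbor also requires that you have no actual knowledge the remaining data could identify the individual, which no field filter can check for you; treat the output as a candidate dataset, not a finished release.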

Compliance Strategies for Health Apps

Scope Your Role and Data Flows First

Determine whether your app is a HIPAA covered entity, a business associate, a CMIA “contractor,” a CCPA/CPRA “business,” or a combination. Map what you collect (device IDs, biometrics, symptoms, precise geolocation), where it goes (analytics, ads, cloud storage), and which Health Data Exemptions apply.

Design for Authorization, Notice, and Choice

  • Use Patient Authorization when pulling records from providers or plans, and segregate authorized data from consumer-supplied wellness data.
  • Present concise, just-in-time notices and a persistent privacy center that supports Consumer Privacy Rights, including opt-out of sale or sharing and honoring Global Privacy Control signals.
  • Offer granular controls for sensitive categories (e.g., reproductive health, mental health notes) and document consent provenance.

Embed Security and Governance

  • Adopt Security Rule–style safeguards: strong authentication, least-privilege access, encryption in transit, secure coding, and continuous monitoring.
  • Apply retention schedules and data minimization; use Data De-identification Standards for analytics and research whenever possible.
  • Run tabletop exercises for incident response and breach notification across HIPAA, CMIA, and CCPA scenarios.

Manage Vendors and SDKs

  • Classify adtech and analytics partners as service providers/contractors when possible, with contracts that ban re-identification and secondary use.
  • Audit mobile SDKs and server-to-server integrations to avoid unintended Medical Information Disclosure.
  • Maintain data maps and transfer impact assessments so you can answer regulator inquiries quickly.

CCPA Enforcement by California Attorney General

What the AG Looks For

The Attorney General enforces CCPA through investigations, sweeps, and actions that can lead to civil penalties per violation, with higher amounts for intentional violations and those involving minors. Since January 1, 2023, there is no automatic 30‑day cure period—fixing issues after notice does not erase past violations. The AG also expects businesses to recognize opt-out signals like Global Privacy Control for sale or sharing.

How to Prepare and Respond

  • Maintain current data inventories, risk assessments, and records of Consumer Privacy Rights requests and responses.
  • Test your opt-out of sale/share flows, sensitive data limitation controls, and verification procedures end to end.
  • Ensure vendor contracts clearly designate service provider or contractor status and prohibit secondary use and re-identification.
  • When contacted by the AG, preserve evidence, engage counsel, and provide factual, timely responses backed by documentation.

Employee Data Regulations under CPRA

Who and What Are Covered

As of January 1, 2023, CPRA fully applies to employee, applicant, contractor, and dependent data. You must provide notices at collection, honor access, deletion, and correction requests (subject to narrow exceptions), and allow employees to limit the use and disclosure of sensitive personal information such as precise geolocation or government IDs. HIPAA/CMIA data processed for health plan benefits may be exempt, but non-PHI HR data remains within CPRA scope.

Practical Steps for HR and IT

  • Issue a clear employee privacy notice with purposes, categories, retention periods, and rights instructions.
  • Stand up a request portal for employees; verify identity with role-appropriate methods and track fulfillment deadlines.
  • Segment sensitive logs (access badges, GPS, productivity telemetry) and set strict access controls and retention rules.
  • Execute data processing agreements with HRIS, payroll, benefits, and recruiting vendors that bar selling or sharing and restrict re-identification.

Conclusion

California HIPAA laws form an integrated framework: HIPAA provides the federal floor for Protected Health Information, CMIA adds state-specific safeguards for medical information, and CCPA/CPRA fills the gaps for non-exempt personal data. AB 713 clarifies how HIPAA de-identification interacts with CCPA, enabling responsible analytics when you use strong Data De-identification Standards and tight contracts. By scoping your role, minimizing data, honoring Consumer Privacy Rights, and controlling disclosures and vendors, you can meet overlapping requirements with a single, well-governed program.

FAQs

What entities are covered by HIPAA in California?

HIPAA covers the same types of entities in California as nationwide: health care providers that transmit certain transactions electronically, health plans, and health care clearinghouses, plus their business associates. If you’re one of these—or you receive PHI from them under a Business Associate Agreement—you must comply with HIPAA regardless of where in California you operate.

How does CMIA differ from HIPAA in protecting health information?

HIPAA protects PHI handled by covered entities and business associates. CMIA protects medical information held by California providers, health care service plans, and their contractors, and it can impose stricter limits—such as prohibitions on selling medical information and detailed authorization rules. In practice, you classify the data and apply whichever rule is more protective in a given scenario.

When does CCPA apply to health data and businesses?

CCPA (as amended by CPRA) applies when a for-profit entity doing business in California meets the regulatory compliance thresholds and processes personal information that is not otherwise exempt. Health-related data that is PHI under HIPAA or medical information under CMIA is generally exempt, but direct-to-consumer wellness or app telemetry often is not—so you must provide notices and rights for that non-exempt data.

What are the recent amendments affecting health data under CCPA?

AB 713 confirms that HIPAA de-identified patient information is exempt and requires privacy policy disclosures and contracts that prohibit re-identification when such data is sold or disclosed. CPRA also updated the CCPA framework by adding “sharing,” creating limits for sensitive personal information, ending broad employee/B2B exemptions, and strengthening enforcement mechanisms, all of which affect health-adjacent datasets.
