California Medical Records Law: Access, Privacy, and Your Rights Under CMIA and HIPAA
Confidentiality of Medical Information Act Protections
California’s Confidentiality of Medical Information Act (CMIA) safeguards any individually identifiable “medical information” held by health care providers, health care service plans, contractors, and certain related entities. In practice, that means your diagnoses, treatments, prescriptions, lab results, and other sensitive details may not be disclosed, used, or sold without your valid written authorization unless a specific exception applies.
CMIA requires covered entities to implement reasonable administrative, technical, and physical safeguards to protect medical records. It also restricts conditioning care on signing blanket authorizations and limits uses to the minimum necessary to accomplish a permitted purpose. Special rules protect especially sensitive categories (for example, reproductive and sexual health data and certain mental health records), and providers must maintain clear, auditable processes for access, disclosure, and retention.
Health Insurance Portability and Accountability Standards
HIPAA is the federal baseline for privacy and security. Its Privacy Rule protects “Protected Health Information” (PHI); its Security Rule requires safeguards for electronic PHI; and its Breach Notification Rule compels notices after certain incidents. HIPAA applies to covered entities (providers, health plans, clearinghouses) and their business associates that handle PHI on their behalf.
Key HIPAA standards you’ll encounter include: the “minimum necessary” rule for most non-treatment disclosures; the right to receive an accounting of certain disclosures; and the right of access (usually within 30 days, with one permitted 30‑day extension). HIPAA permits disclosures for treatment, payment, and health care operations without separate authorization, and it lists public‑interest exceptions (for example, required-by-law reporting, public health, health oversight, court orders, and specific law-enforcement requests).
Patient Rights to Access Medical Records
Under California law, you have strong, time‑bound rights to access your medical records. Providers must allow you to inspect your records within five working days of a written request and must transmit copies within 15 days. You can request paper or electronic copies; per‑page fees are capped under state law (for example, $0.25/page for paper or $0.50/page from microfilm), plus reasonable clerical costs and postage if mailed.
You may authorize a personal representative to act for you. Limited exceptions apply: psychotherapy notes, information that would pose a substantial risk of significant harm if released, and certain minor‑consent or sensitive-service situations. If a full release could be harmful or voluminous, a provider may offer a detailed summary within 10 working days (or up to 30 days with written notice), tailored to the portions you specify.
Authorized and Mandatory Disclosure Exceptions
Both CMIA and HIPAA allow disclosures without your written authorization in defined scenarios. Common categories include:
- Treatment, payment, and health care operations (for example, referral to a specialist, claims adjudication, quality improvement).
- When required by law or court order, including certain public health reporting (communicable disease reporting, abuse/neglect), health oversight, and workers’ compensation.
- Specific law-enforcement or judicial purposes (for example, a valid warrant or subpoena with required protections), and to avert a serious, imminent threat to health or safety.
- Coroners/medical examiners, organ procurement, and limited disclosures to family or others involved in care, consistent with patient preferences and privacy rules.
California adds important limits. For example, CMIA places extra conditions on disclosures involving psychotherapy treatment information. Recent laws strengthen protections for “sensitive services” (such as abortion, contraception, pregnancy loss, and gender‑affirming care) and restrict cross‑jurisdictional sharing of those records. New rules also bar using or disclosing immigration status and place of birth for immigration enforcement, absent patient authorization or a valid legal mandate.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Penalties for Unauthorized Disclosures
Unauthorized disclosures can trigger significant penalties under CMIA and HIPAA. Under CMIA, individuals may seek nominal damages of $1,000 for negligent releases and recover actual damages; where economic loss or personal injury is proven for certain violations, courts may also award compensatory damages, limited punitive damages, attorneys’ fees, and costs. Regulators and courts can impose administrative fines per violation (for example, up to thousands of dollars per negligent or willful act, and substantially higher when done for financial gain). Licensed California health facilities face separate administrative penalties and accelerated reporting duties for breaches.
HIPAA enforcement adds civil money penalties that scale by culpability (from lack of knowledge to uncorrected willful neglect), with inflation‑adjusted caps that can reach seven figures per year for identical violations. The Department of Justice may bring criminal charges for certain knowing violations, with higher penalties for false pretenses or offenses committed for personal gain or malicious harm.
Breach Notification Requirements
Under HIPAA, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI; additional notice to HHS and, in large incidents, to prominent media is required. In California, licensed clinics, health facilities, home health agencies, and hospices must report unlawful or unauthorized access, use, or disclosure of patient medical information to the state and notify patients generally within 15 business days of detection. California’s general data‑breach statutes also require notice when “medical information” or “health insurance information” is breached by businesses that maintain such data.
Interaction Between CMIA and HIPAA
Think of HIPAA as a federal floor. Where California law is more protective or grants you greater rights, the state rule controls and you benefit from the stricter standard. That’s why your California inspection and copy timelines (five working days to inspect; 15 days for copies) can be faster than HIPAA’s 30‑day outer limit, and why sensitive‑service protections and certain disclosure limits are stronger here.
California Consumer Privacy Act Exemptions
The California Consumer Privacy Act (as amended) generally exempts CMIA‑governed “medical information” and HIPAA-governed Protected Health Information from most CCPA obligations. However, the exemption is contextual: non‑PHI personal data a health organization collects (for example, website analytics or marketing data) may remain subject to CCPA/CPRA. California also expressly exempts HIPAA‑deidentified data and certain research data, clarifying how deidentification and research interact with consumer privacy rights.
Recent Legislative Amendments to Medical Privacy Laws
AB 352 (2023; effective July 1, 2024)
AB 352 enhances privacy safeguards for electronic medical records related to abortion, contraception, pregnancy loss, and gender‑affirming care. Among other requirements, it compels developers and operators of health information systems to enable data‑segregation features so that sensitive‑service data are not readily accessible across state lines unless an exception permitted under California law applies.
AB 254 (2023; chaptered Sept. 27, 2023)
AB 254 extends CMIA protections to reproductive or sexual health application information collected by digital services such as menstrual or fertility trackers. Many such app providers are treated as “providers of health care” for CMIA purposes, bringing them within California’s medical privacy framework.
SB 81 (2025; effective Sept. 20, 2025)
Senate Bill 81 amends CMIA to treat a patient’s immigration status and place of birth as protected medical information and prohibits disclosure for immigration enforcement absent patient authorization or a valid court order. It also requires health care entities to designate nonpublic areas and establish visitor and law‑enforcement access procedures to protect patient privacy in care settings.
AB 713 (2020)
AB 713 clarifies the California Consumer Privacy Act exemptions for HIPAA‑deidentified data and certain research uses, confirming that HIPAA‑compliant deidentification and specified research activities are generally outside CCPA’s scope while preserving CMIA/HIPAA protections where applicable.
FAQs
What rights do patients have under CMIA to access their medical records?
You may inspect your medical records within five working days of a written request and receive copies within 15 days. You can request electronic or paper formats and may designate a representative. Fees are limited by law (for example, per‑page caps), and providers may offer a timely summary if you request specific portions. Limited exceptions apply for psychotherapy notes and situations where release could cause significant harm.
How does CMIA differ from HIPAA in protecting medical information?
HIPAA sets national standards for PHI; CMIA is California’s stricter layer. CMIA covers a defined set of entities (including certain contractors) and imposes additional safeguards, timelines, and remedies—such as nominal damages for negligent releases and facility‑specific breach reporting. Where CMIA is more protective (for example, faster access, sensitive‑service protections, limits on immigration‑related disclosures), California rules govern.
What are the penalties for unauthorized disclosure of medical records in California?
Under CMIA, negligent releases can trigger nominal damages of $1,000 plus actual damages, and regulators may impose administrative fines per violation (with much higher penalties for willful acts or disclosures for financial gain). Licensed facilities face separate state penalties tied to each affected patient and event. HIPAA adds tiered civil penalties that can reach seven figures for identical violations in a year and, in egregious cases, criminal liability.
When is disclosure of medical information allowed without patient authorization?
Disclosures are permitted for treatment, payment, and health care operations; when required by law (for example, public health reporting, certain court orders); for defined law‑enforcement and judicial needs; to coroners/medical examiners or organ‑procurement organizations; and to avert serious threats. California imposes additional limits and safeguards, including heightened protections for sensitive services and restrictions on using or sharing immigration‑related information.