California Mental Health Record Privacy Laws Explained: HIPAA, CMIA, and Your Rights
Overview of HIPAA and CMIA
If you receive mental health care in California, two core frameworks shape how your information is protected: the federal Health Insurance Portability and Accountability Act (HIPAA) and California’s Confidentiality of Medical Information Act (CMIA). Together they govern what is collected, how it is used, and when it can be shared.
HIPAA sets a nationwide baseline for privacy and security. It applies to health plans, most providers, and their business associates, and it protects “protected health information” in any form. HIPAA also adds extra safeguards for psychotherapy notes and requires the “minimum necessary” rule for most non-treatment disclosures.
CMIA is California’s state law that focuses on “medical information” maintained by providers, health plans, and their contractors. In many areas it goes further than HIPAA, adding stronger consent rules and remedies. When state versus federal privacy standards differ, the rule that gives you more protection generally controls in California.
This guide offers general information to help you understand the landscape; it is not legal advice for any specific situation.
Patient Rights Under CMIA
CMIA, working alongside HIPAA and California’s health-record statutes, gives you practical control over mental health records. You have the right to see and get copies of your records, to request corrections or addenda, and to decide when your information can be shared beyond routine care and billing.
- Access and copies: California law sets medical record access timelines that are typically faster than HIPAA’s 30‑day federal baseline. You can request inspection and copies, including electronic formats when readily producible.
- Corrections: You may request corrections or addenda to clarify information. Providers must review and either make the change or include your addendum in the record.
- Restrictions and confidential communication: You can ask providers to limit certain disclosures and to communicate with you at alternative addresses or via secure channels.
Patient authorization requirements
Beyond treatment, payment, and health care operations, CMIA generally requires a valid, written authorization to disclose medical information. A strong authorization should include:
- A clear description of the information to be disclosed (for example, therapy progress notes but not psychotherapy notes).
- The name or role of who may disclose and who may receive the information.
- The purpose of the disclosure and an expiration date or event.
- Your signature and date, plus a statement explaining your right to revoke and the potential for re-disclosure by the recipient.
Providers cannot condition treatment on signing an unnecessary authorization, and you can revoke authorization prospectively at any time.
Exceptions to Disclosure
Both HIPAA and CMIA recognize limited situations where disclosure is allowed or required without your written authorization. Even then, data disclosure limitations—such as the minimum necessary standard—apply to most non-treatment disclosures.
- Treatment, payment, and health care operations to coordinate your care, get paid, or run the practice.
- Public health reporting exceptions, such as reporting certain communicable diseases or adverse events when mandated by law.
- Mandatory reports of abuse, neglect, or imminent harm as required by California statutes.
- Health oversight activities, audits, or investigations by authorized agencies.
- Law enforcement or court orders that meet specific legal safeguards (for example, a valid subpoena or warrant).
- Coroner or medical examiner purposes, and certain workers’ compensation contexts.
- To prevent or lessen a serious and imminent threat to health or safety, consistent with professional judgment and California law.
- Use of de-identified data that does not identify you and cannot reasonably be used to do so.
Recent CMIA Amendments
California updates the CMIA to keep pace with technology and care delivery. Recent changes have emphasized clearer protections for digital and behavioral health data, stronger security expectations, and more precise consent rules.
- Digital health scope: Clarification that vendors acting as contractors to providers or health plans are bound by CMIA when they handle medical information, including mental health application information.
- Marketing and analytics: Tighter guardrails on using medical information for advertising, profiling, or sale without explicit authorization.
- Security and breach response: Reinforced expectations for administrative, technical, and physical safeguards, plus robust breach notification practices.
- Authorization clarity: More specific content and formatting expectations to avoid blanket or open-ended consents.
- Telehealth parity: Confirmation that confidentiality applies equally across in‑person, telehealth, and asynchronous care modalities.
Although details evolve, the direction is consistent: clearer boundaries on secondary uses, heightened accountability for contractors, and stronger remedies for unauthorized disclosures.
Mental Health Application Information
Mental health application information includes data created or collected by apps you use for therapy, mood tracking, journaling, telehealth sessions, or symptom check-ins. It may encompass messages with your clinician, intake forms, mood scores, usage patterns, and device metadata.
Whether this information is protected by HIPAA, CMIA, or both depends on who offers the app and why it collects data. If the app is provided by—or on behalf of—your clinician or health plan, CMIA likely treats the data as medical information, and HIPAA may also apply. If it is a stand‑alone consumer app not tied to a provider or plan, HIPAA and CMIA may not apply, though other California consumer privacy laws might.
Practical tips for app privacy
- Check who offers the app and whether it is part of your provider’s system or patient portal.
- Review disclosures about data sharing, analytics, and targeted advertising; look for clear data disclosure limitations.
- Use in‑app privacy controls to limit sharing, disable cross‑app tracking when possible, and prefer secure in‑app messaging over SMS or email.
- Exercise access or deletion options offered by the app and keep copies of your requests for your records.
Differences Between HIPAA and CMIA
- Who is covered: HIPAA applies to covered entities and their business associates. CMIA applies to providers, health plans, and their contractors handling medical information in California.
- What is protected: HIPAA protects PHI; CMIA protects “medical information,” which in practice captures similar categories while expressly covering data held by contractors. This is important for mental health application information.
- Authorizations: CMIA often imposes more detailed patient authorization requirements for non‑routine disclosures and marketing uses.
- Access timelines and fees: California’s medical record access timelines are generally faster than HIPAA’s and limit charges to reasonable, cost‑based amounts; inability to pay does not justify delay.
- Remedies and enforcement: HIPAA is enforced by regulators and does not create a general private right of action. CMIA allows individuals to seek remedies in court for unauthorized disclosures.
- Preemption: HIPAA sets a federal floor. Where CMIA is more protective, California’s state versus federal privacy standards mean CMIA typically controls.
- Special protections: HIPAA gives extra protection to psychotherapy notes. California law also recognizes strong confidentiality for therapeutic communications under separate evidentiary privileges that interact with CMIA.
Compliance Requirements for Providers
Providers in California must operationalize both HIPAA and CMIA. Effective compliance reduces risk, supports patient trust, and ensures smooth access to care.
- Data mapping: Inventory what mental health data you hold, where it lives, how it flows, and which vendors (contractors/business associates) touch it—including telehealth and app platforms.
- Policies and procedures: Document minimum necessary rules, data disclosure limitations, and clear pathways for public health reporting exceptions and other lawful disclosures.
- Authorizations: Use standardized forms that meet CMIA’s patient authorization requirements, support electronic signatures, track expirations, and log revocations.
- Access workflow: Build processes that reliably meet California’s medical record access timelines, offer electronic copies, and transparently disclose reasonable, cost‑based fees.
- Training and role‑based access: Train staff on mental health privacy nuances (e.g., separating psychotherapy notes, handling sensitive communications) and enforce need‑to‑know access.
- Security controls: Implement encryption, multi‑factor authentication, audit logging, device management, and vendor risk management; test your incident response and breach notification plan.
- Vendor contracts: Ensure BAAs and CMIA‑compliant contractor agreements clearly define permitted uses, safeguards, breach duties, and data return or deletion.
- Continuous monitoring: Periodically audit disclosures, review app integrations, and remediate gaps revealed by risk assessments.
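The authorization elements listed under "Patient authorization requirements" and the authorization, role-based access, and audit logging items above describe one control: a gate that decides, for each proposed disclosure, whether a valid authorization covers it and records the outcome. The following Python is an added example of such a gate, written for this page; it is not code from the article's publisher. All identifiers (`Authorization`, `DisclosureRequest`, `evaluate`, `run_scenarios`), the purpose labels in `TPO_PURPOSES`, and the patient, recipient, and date values are hypothetical, constructed for the example. It treats psychotherapy notes as requiring a specific authorization even for routine care, applies the patient's scope as a minimum-necessary filter, honors revocation prospectively, and logs denials as well as approvals.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record content categories. Psychotherapy notes get their own category because
# HIPAA gives them extra protection: they are excluded from the routine
# treatment/payment/operations carve-out below and need a specific authorization.
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"

# Purposes that do not require a written authorization (treatment, payment,
# health care operations). The labels are hypothetical, chosen for this example.
TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})


@dataclass(frozen=True)
class Authorization:
    """One signed authorization, holding the elements the article lists."""
    patient_id: str
    recipient: str          # who may receive the information
    categories: frozenset   # what may be disclosed (the scope)
    purpose: str            # why it may be disclosed
    signed: date
    expires: date           # expiration date (an expiring event could be modelled the same way)
    revoked_on: Optional[date] = None   # revocation applies prospectively only


@dataclass(frozen=True)
class DisclosureRequest:
    patient_id: str
    recipient: str
    categories: frozenset   # what the requester is asking for
    purpose: str
    on: date                # when the disclosure would occur


@dataclass(frozen=True)
class Decision:
    allowed: frozenset      # categories that may be released (may be empty)
    withheld: frozenset     # categories that must not be released
    reason: str


def find_authorization(req, auths):
    """Return (authorization, reason): the first one valid for this request, or why none is."""
    reasons = []
    for a in auths:
        if a.patient_id != req.patient_id or a.recipient != req.recipient:
            continue
        if a.purpose != req.purpose:
            reasons.append("purpose mismatch")
        elif req.on < a.signed:
            reasons.append("not yet signed")
        elif req.on > a.expires:
            reasons.append("expired")
        elif a.revoked_on is not None and req.on >= a.revoked_on:
            reasons.append("revoked")
        else:
            return a, "authorized"
    return None, (reasons[0] if reasons else "no authorization on file")


def evaluate(req, auths, audit):
    """Gate one disclosure request and append an audit record whatever the outcome."""
    if req.purpose in TPO_PURPOSES:
        # Routine care and billing need no authorization, but psychotherapy notes still do.
        withheld = req.categories & {PSYCHOTHERAPY_NOTES}
        decision = Decision(req.categories - withheld, withheld, "tpo")
    else:
        auth, reason = find_authorization(req, auths)
        # Minimum necessary: release only what was both requested and authorized.
        allowed = req.categories & auth.categories if auth else frozenset()
        if auth and not allowed:
            reason = "out of scope"
        elif auth and allowed != req.categories:
            reason = "partially out of scope"
        decision = Decision(allowed, req.categories - allowed, reason)
    # Every evaluation is logged, denials included, so disclosures can be audited later.
    audit.append({"patient": req.patient_id, "recipient": req.recipient,
                  "purpose": req.purpose, "on": req.on.isoformat(),
                  "allowed": sorted(decision.allowed),
                  "withheld": sorted(decision.withheld), "reason": decision.reason})
    return decision


def run_scenarios():
    """Constructed sample data: one patient, one authorization (later revoked), several requests."""
    outside = "Dr. Rivera (outside clinic)"
    auths = [Authorization("p-001", outside, frozenset({"progress_notes", "diagnosis"}),
                           "care_coordination", signed=date(2025, 1, 15),
                           expires=date(2025, 12, 31), revoked_on=date(2025, 6, 1))]
    audit = []

    def req(recipient, purpose, cats, on):
        return DisclosureRequest("p-001", recipient, frozenset(cats), purpose, on)

    scenarios = {
        "tpo_progress_notes": req("Billing Dept", "payment", {"progress_notes"}, date(2025, 3, 1)),
        "tpo_with_psychotherapy_notes": req("Covering Clinician", "treatment",
                                            {"progress_notes", PSYCHOTHERAPY_NOTES}, date(2025, 3, 1)),
        "marketing_no_auth": req("Wellness Ads Co", "marketing", {"diagnosis"}, date(2025, 3, 1)),
        "in_scope": req(outside, "care_coordination", {"progress_notes", "diagnosis"}, date(2025, 3, 1)),
        "partly_out_of_scope": req(outside, "care_coordination",
                                   {"progress_notes", PSYCHOTHERAPY_NOTES}, date(2025, 3, 1)),
        "before_signed": req(outside, "care_coordination", {"diagnosis"}, date(2025, 1, 1)),
        "after_revocation": req(outside, "care_coordination", {"diagnosis"}, date(2025, 6, 15)),
        "after_expiry": req(outside, "care_coordination", {"diagnosis"}, date(2026, 1, 5)),
    }
    return {name: evaluate(r, auths, audit) for name, r in scenarios.items()}, audit


if __name__ == "__main__":
    results, audit = run_scenarios()
    for entry in audit:
        print(entry)
```

Running the block prints the audit trail for the eight constructed requests. Note that the request dated before the revocation still succeeds while the one dated after it is refused, which is the prospective revocation the article describes; a real system would also record who made the request and tie the recipient to a verified identity rather than a free-text name.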
Conclusion
HIPAA sets the national baseline, while California’s Confidentiality of Medical Information Act adds stronger, state‑specific protections for mental health records and mental health application information. Know your rights, understand the limited exceptions, and pay attention to authorizations and access timelines. Providers that align policies, security, and vendor practices with both laws can protect patients and reduce legal risk.
FAQs
What protections does the CMIA provide for mental health records?
CMIA requires providers, health plans, and their contractors to keep your medical information confidential, limit non‑routine sharing without a valid authorization, and maintain safeguards to prevent unauthorized access. It works with HIPAA to enforce minimum necessary disclosures, strengthens consent rules for marketing or analytics, and provides remedies if your information is improperly disclosed.
How does California law differ from HIPAA for mental health data?
HIPAA is a federal floor; CMIA often goes further. California generally requires more specific authorizations, offers faster medical record access timelines, extends duties to contractors handling data for providers or plans, and permits individuals to seek remedies for unauthorized disclosures. In short, where CMIA is stricter, it usually governs in California.
When can mental health information be disclosed without patient consent?
Disclosure without written authorization is allowed for treatment, payment, and health care operations; mandated public health reporting exceptions; certain reports of abuse or imminent harm; health oversight; valid court orders; and similar situations defined by law. Even then, providers must apply data disclosure limitations and share only what is necessary.
What rights do patients have to access their mental health records under CMIA?
You have the right to inspect and obtain copies of your records in a timely manner, typically on faster timelines than HIPAA’s 30‑day baseline. You can request corrections or addenda, ask for reasonable restrictions, and choose confidential communication methods. Providers must provide access promptly and may charge only reasonable, cost‑based fees.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.