CPRA and Healthcare: What Applies Beyond HIPAA Compliance Guide
The California Privacy Rights Act (CPRA) reshapes how health-related data is handled beyond the confines of the Health Insurance Portability and Accountability Act (HIPAA). This guide explains where CPRA picks up, what is exempt, and how you can operationalize Consumer Privacy Rights without disrupting care or innovation.
CPRA Exemptions for Health Data
CPRA provides data-level exemptions for information already governed by other health privacy regimes. Protected Health Information (PHI) collected by HIPAA covered entities and business associates is generally exempt, as is “medical information” under California’s Confidentiality of Medical Information Act (CMIA). A provider or covered entity that maintains other patient information in the same manner as PHI or medical information gets the same treatment for that information.
Additional exclusions include deidentified data, aggregate consumer information, and certain research or clinical trial data when managed under applicable standards. Exemptions are narrow: they attach to qualifying datasets, not to an organization as a whole. If a hospital’s patient chart is exempt, its marketing analytics, website cookies, or visitor logs may still be subject to CPRA.
Health-related details that fall outside HIPAA or CMIA—such as wellness app metrics, health conditions inferred from purchases or searches, or precise geolocation tied to clinic visits—may be Sensitive Personal Information (SPI) under CPRA and trigger added restrictions on use and disclosure. Device identifiers and similar data collected by the same apps are ordinary personal information and still carry CPRA’s core notice, rights, and contracting duties.
Applicability to Non-HIPAA Entities
Many digital health companies are not HIPAA covered entities or business associates, yet qualify as “businesses” under CPRA. A for‑profit entity doing business in California is covered if it meets at least one threshold: annual gross revenue above $25 million (as adjusted for inflation by the California Privacy Protection Agency); buying, selling, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information.
Examples include direct‑to‑consumer testing services, symptom checkers, wellness platforms, health e‑commerce, and telehealth marketplaces that operate outside the HIPAA framework. Nonprofits are generally excluded, but entities controlled by or sharing branding with a covered “business” can fall within CPRA’s reach. Remote or out‑of‑state enterprises that target California residents may also be in scope.
Vendors can be classified as service providers or contractors when bound by required terms; otherwise they may be “third parties,” which affects whether disclosures qualify as a sale or share for cross‑context behavioral advertising.
Employee and Business Data Compliance
CPRA covers personal information about job applicants, employees, owners, directors, officers, medical staff, and independent contractors. You must provide a clear workforce notice at collection, specify retention periods or criteria, and honor rights to access, correction, deletion, and to limit the use of Sensitive Personal Information where applicable.
Workforce data subject to CPRA can include payroll and benefits records, background checks, badge and network logs, wellness program data, and device telemetry. Some requests may be restricted to protect confidentiality, security, or legal privilege, but you should document the basis for any denial and respond within statutory timelines.
Business‑to‑business contact data (for example, a clinic’s vendor reps or payor contacts) is also in scope. Ensure your systems can locate and action requests across CRMs, ticketing tools, and communication platforms without exposing other people’s information.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements Overview
Program foundations
- Data mapping: separate PHI/CMIA‑regulated records from CPRA‑regulated personal information; tag Sensitive Personal Information such as precise geolocation, health indicators, or government IDs.
- Purpose and retention: collect only what is necessary; publish retention periods or criteria and honor them through automated deletion or archiving controls.
- Notices: provide a consumer privacy policy and just‑in‑time notices at collection across websites, apps, kiosks, and call centers.
Consumer Privacy Rights operations
- Requests: support access, portability, correction, and deletion with identity verification; respond within 45 days (with one permissible 45‑day extension when reasonably necessary).
- Opt‑outs: display “Do Not Sell or Share My Personal Information” and, where required, “Limit the Use of My Sensitive Personal Information” choices (or a single “Your Privacy Choices” link that covers both), and treat an opt‑out preference signal such as Global Privacy Control as a valid request to opt out of sale and sharing.
- Non‑discrimination: do not retaliate against individuals who exercise their rights; structure financial incentives with required disclosures.
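Recognizing the opt‑out preference signal named in the opt‑outs bullet above is a concrete request‑handling step, so here is an added example (not code from the original guide or from any vendor): a Node.js‑style decision function that treats a `Sec-GPC: 1` request header or a stored “Do Not Sell or Share” choice as an opt‑out and suppresses third‑party tags used for cross‑context behavioral advertising while leaving service‑provider tags in place. The cookie name, the tag inventory, and the role/purpose labels are assumptions for illustration; the header name and the value `1` come from the Global Privacy Control specification.

```javascript
// Added example, not from the original guide. Decides per request whether
// cross-context behavioral advertising tags may load. Honors the Global Privacy
// Control signal (Sec-GPC: 1) and a stored "Do Not Sell or Share" choice.

// Assumed first-party cookie written when the visitor clicks the opt-out link.
const DNSS_COOKIE = "ca_opt_out_sale_share";

// Assumed tag inventory. A third-party tag used for cross-context behavioral
// advertising is a "share" under CPRA; a service-provider tag is not.
const TAGS = [
  { id: "adnet-pixel", role: "third_party", purpose: "cross_context_ads" },
  { id: "social-retarget", role: "third_party", purpose: "cross_context_ads" },
  { id: "fp-analytics", role: "service_provider", purpose: "analytics" },
];

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Case-insensitive header lookup (header objects differ between frameworks).
function headerValue(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns { optedOut, reason }. The GPC spec defines the header value as exactly
// "1"; anything else ("true", "yes", "0") is not a signal and is ignored.
// A GPC signal wins even when a stored choice says otherwise: treating the
// signal as the controlling opt-out is the conservative reading.
function optOutStatus(headers, cookieHeader) {
  const gpc = headerValue(headers, "Sec-GPC");
  if (gpc !== undefined && String(gpc).trim() === "1") {
    return { optedOut: true, reason: "gpc_signal" };
  }
  const cookies = parseCookies(cookieHeader);
  if (cookies[DNSS_COOKIE] === "1") {
    return { optedOut: true, reason: "stored_choice" };
  }
  return { optedOut: false, reason: "none" };
}

// Builds the tag plan for a response: with an opt-out in effect, third-party tags
// whose purpose is cross-context behavioral advertising are suppressed; tags run
// by service providers under CPRA terms stay, since they are not a sale or share.
function tagPlan(headers, cookieHeader, tags = TAGS) {
  const status = optOutStatus(headers, cookieHeader);
  const allowed = [];
  const suppressed = [];
  for (const t of tags) {
    const isShare = t.role === "third_party" && t.purpose === "cross_context_ads";
    if (status.optedOut && isShare) suppressed.push(t.id);
    else allowed.push(t.id);
  }
  return { ...status, allowed, suppressed };
}

// Constructed sample requests (not real traffic).
const samples = {
  noSignal: tagPlan({ "user-agent": "Mozilla/5.0" }, ""),
  gpcHeader: tagPlan({ "sec-gpc": "1" }, ""),
  storedChoice: tagPlan({}, `${DNSS_COOKIE}=1; session=abc`),
  malformedGpc: tagPlan({ "Sec-GPC": "true" }, ""),
};
for (const [name, plan] of Object.entries(samples)) {
  console.log(name, plan.reason, "allowed:", plan.allowed.join(","), "suppressed:", plan.suppressed.join(","));
}
```

In an Express handler the inputs would be `req.headers` and `req.headers.cookie` (assumed framework, not required by the example). Two points the code makes deliberately: a malformed value such as `Sec-GPC: true` is not a signal, so a regex like `/sec-gpc/i` on the raw header line would over‑match; and the signal only expresses the opt‑out of sale/share, so the separate “Limit the Use of My Sensitive Personal Information” choice is not inferred from it. When the visitor is logged in, the same decision should also be recorded against their account so that the opt‑out follows them across devices and is available to the rights‑request workflow.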
Vendors and disclosures
- Contracts: designate service providers or contractors via required CPRA terms (processing instructions, assistance with requests, sub‑processor controls, audit rights, and no secondary use).
- Advertising and analytics: classify cookie and SDK partners correctly; treat cross‑context behavioral advertising as a “share” and provide an opt‑out.
Security and risk management
- Reasonable security: implement access controls, encryption, network monitoring, vulnerability management, and incident response; train staff handling requests and Sensitive Personal Information.
- Data Impact Assessments (CPRA’s term is “risk assessments”): conduct assessments for high‑risk processing (such as SPI profiling, automated decision‑making, or large‑scale monitoring) and record mitigations and approvals.
- Recordkeeping: maintain request logs and program documentation to demonstrate compliance.
Children and teens
- For consumers under 16, obtain affirmative opt‑in before selling or sharing personal information (from a parent or guardian when the consumer is under 13), and implement age‑appropriate notices and safeguards.
Enforcement and Penalties
The California Privacy Protection Agency and the Attorney General may investigate and impose Administrative Fines, corrective orders, and other remedies. Penalties can reach $2,500 per violation or $7,500 per intentional violation or those involving minors, quickly multiplying across affected individuals and datasets.
There is no automatic 30‑day cure period. Demonstrating timely remediation and strong governance can mitigate exposure but will not erase violations. In addition, consumers have a limited private right of action for certain security breaches involving nonencrypted and nonredacted personal information, with statutory damages per consumer per incident or actual damages, whichever is greater.
Common healthcare risk drivers include ungoverned tracking technologies on patient‑facing sites, insufficient vendor contracts, over‑collection of Sensitive Personal Information, and failure to recognize or honor opt‑out preference signals.
Interaction with HIPAA
HIPAA and CPRA protect different but sometimes adjacent data. PHI processed for HIPAA purposes is typically exempt from CPRA, but data outside HIPAA—such as marketing analytics, prospective patient leads not yet in the medical record, or consumer wellness data—can be regulated by CPRA.
Do not assume equivalence between HIPAA deidentification and CPRA deidentification. Data deidentified under HIPAA’s standard and derived from patient information does fall outside CPRA, but selling or licensing it carries conditions: the recipient must be contractually prohibited from reidentifying it, and the privacy policy must disclose that the business sells or discloses HIPAA‑deidentified patient information. Data deidentified any other way must meet CPRA’s own definition: reasonable technical measures against reidentification, a public commitment not to attempt reidentification, and contractual flow‑down of that obligation to recipients.
Where legal obligations require retention or disclosure (for example, medical recordkeeping or fraud prevention), CPRA provides exceptions. Maintain documentation that ties each processing activity to its legal basis, whether HIPAA, CMIA, or CPRA.
Covered entities and business associates may need both a Business Associate Agreement and CPRA‑compliant service provider terms with the same vendor if that vendor processes both PHI and non‑PHI personal information.
Best Practices for Compliance
- Establish a data inventory that distinguishes PHI/CMIA data from CPRA personal information and flags Sensitive Personal Information for strict handling.
- Deploy a consent and preference platform that supports Global Privacy Control, “Do Not Sell or Share,” and “Limit SPI” choices across web and mobile.
- Stand up a rights request workflow with identity verification, redaction, and secure delivery; test edge cases like mixed employee‑consumer identities.
- Harden security with least privilege, key management, endpoint protection, and tabletop breach exercises focused on health‑adjacent datasets.
- Standardize vendor due diligence and CPRA contractual terms, including sub‑processor approvals and auditability.
- Run Data Impact Assessments for high‑risk features (geofencing clinics, AI triage, or cross‑platform tracking) and document mitigation decisions.
- Publish and enforce retention schedules; automate deletion for expired records across backups and data lakes.
- Train workforce and product teams on the differences among the California Privacy Rights Act, HIPAA, and the Confidentiality of Medical Information Act.
Conclusion
CPRA extends modern privacy obligations to health‑adjacent data that HIPAA does not fully capture. By mapping data, honoring Consumer Privacy Rights, tightening vendor terms, and assessing high‑risk uses, you can meet California’s expectations while protecting patients and consumers.
FAQs
How does CPRA differ from HIPAA in healthcare data protection?
HIPAA governs Protected Health Information held by covered entities and business associates for care, payment, and operations. CPRA regulates consumer personal information—including Sensitive Personal Information—outside HIPAA’s scope, such as marketing analytics, wellness app data, or prospective patient leads. CPRA adds rights to access, delete, correct, opt out of sale/share, and limit SPI use, and it imposes vendor contracting and transparency duties.
What health data is exempt under CPRA?
PHI processed under HIPAA, “medical information” under the Confidentiality of Medical Information Act, deidentified and aggregate data, and certain research or clinical trial records are generally exempt. The exemption is data‑specific: if information does not meet those definitions—like precise geolocation tied to a clinic visit collected via a non‑HIPAA app—CPRA may apply.
How do healthcare apps comply with CPRA?
Determine whether you qualify as a CPRA “business,” then provide notices at collection, minimize and classify data (especially SPI), honor rights requests within 45 days, recognize Global Privacy Control signals, and offer “Do Not Sell or Share” and “Limit SPI” choices. Execute CPRA‑compliant service provider contracts, run Data Impact Assessments for high‑risk features, and publish retention periods or criteria.
What penalties apply for CPRA violations in healthcare?
Regulators can issue Administrative Fines up to $2,500 per violation or $7,500 for intentional violations or those involving minors, along with orders to remedy noncompliance. Consumers may also sue for certain security breaches. Penalties can scale quickly when violations affect large numbers of patients, employees, or app users.