HIPAA Compliance in California: State-Specific Requirements and CMIA Rules


Kevin Henry

HIPAA

March 01, 2026


Overview of HIPAA and CMIA Regulations

HIPAA sets the federal baseline for protecting health data nationwide. In California, the Confidentiality of Medical Information Act (CMIA), codified at California Civil Code Section 56 et seq., adds state-specific duties and remedies that frequently exceed HIPAA’s floor. Together, they govern how you collect, use, share, and secure Individually Identifiable Health Information.

CMIA focuses on “medical information” held by or derived from a provider, health care service plan, or contractor, while HIPAA protects “protected health information” maintained by covered entities and business associates. CMIA also supplies a Private Right of Action and targeted Digital Health Record Protections that do not exist under HIPAA in the same form.

Key distinctions at a glance

  • Scope: HIPAA is federal and broad; CMIA is state law tailored to California’s delivery system and redisclosure limits.
  • Definitions: CMIA’s “medical information” hinges on its source (provider/plan/contractor), while HIPAA’s PHI hinges on coverage status.
  • Enforcement: HIPAA relies on regulators; CMIA adds civil remedies for patients and Civil Penalties for Unauthorized Disclosure.
  • Technology: CMIA explicitly addresses security and misuse in electronic contexts, strengthening digital health record protections.

Entities Covered under CMIA

CMIA applies to categories of organizations and individuals that handle medical information connected to care delivery in California. Determining your role is foundational to compliance planning.

Who is covered

  • Providers of health care: hospitals, clinics, physicians, pharmacies, laboratories, mental and behavioral health professionals, and licensed facilities.
  • Health care service plans: HMOs and other plans that arrange, pay for, or manage care in the state.
  • Contractors: organizations performing services for a provider or plan, such as billing companies, EHR/cloud vendors, telehealth platforms, analytics firms, data destruction vendors, and pharmacy benefit managers.
  • Employers and other recipients: employers or third parties that receive medical information from a provider, plan, or contractor face strict limits on use and redisclosure under CMIA.

Digital health companies may be subject to CMIA if they act as a contractor to a provider or plan. If they are not in that role, other California privacy laws may apply, but CMIA still constrains any medical information they obtain from covered sources.

Definition of Medical Information

Under CMIA, “medical information” is any individually identifiable information, in any form or medium, in the possession of or derived from a provider, health care service plan, or contractor, regarding a patient’s medical history, mental or physical condition, diagnosis, or treatment.

What counts as medical information

  • Clinical content: diagnoses, test results, imaging, treatment plans, discharge summaries, and prescriptions.
  • Administrative and encounter data: claim details, authorizations, appointment histories, and provider notes tied to an identifiable patient.
  • Digital signals tied to care: portal logs, wearables data sent to a provider, device identifiers, and metadata when linked to a specific patient.

What typically falls outside CMIA’s definition

  • De-identified or aggregated data that cannot reasonably identify an individual.
  • Information not derived from a provider/plan/contractor relationship (for example, consumer app data collected independently), though other laws may regulate it.

Patient Rights under CMIA

CMIA is designed to preserve confidentiality and give you control over how your medical information is used and shared. These rights complement HIPAA and California’s broader patient access laws.

Core rights you can exercise

  • Medical Records Inspection Rights: you may request to inspect or obtain copies of your medical records and receive them through reasonable, secure means.
  • Amendments and addenda: you can request corrections or add a patient statement to your record when you disagree with content.
  • Authorization control: you may authorize disclosures for specified purposes and revoke that authorization going forward.
  • Confidential communications: you can request communications to a particular address or channel to protect privacy.
  • Breach notifications: you are entitled to notice when unauthorized access, use, or disclosure of your medical information occurs.

Practical tips

  • Submit requests in writing, identify the records or dates you need, and specify your preferred delivery method.
  • If you appoint a representative, include documentation of authority to streamline fulfillment.

Authorized Disclosure Conditions

CMIA limits when and how medical information may be shared. Many permissions align with HIPAA, but CMIA often narrows redisclosure and marketing-related uses.

Disclosures generally permitted

  • With valid, specific, and time-bounded written patient authorization.
  • For treatment, payment, and health care operations necessary to run the practice or plan.
  • As required by law, including certain public health reporting, oversight, or mandated reporting obligations.
  • For law enforcement or legal proceedings when specific legal standards are met.
  • To family or caregivers with the patient’s permission or when consistent with applicable law and patient preferences.
  • For research when permitted by law and subject to safeguards, de-identification, or appropriate approvals.

Rules of the road

  • Minimum necessary: disclose only what is needed for the purpose.
  • Security: protect transmissions and storage, emphasizing Digital Health Record Protections such as encryption and access controls.
  • Contractor management: use written agreements to restrict use, require safeguards, and prohibit unauthorized redisclosure.

Enforcement and Penalties

CMIA pairs privacy requirements with strong remedies. Unlike HIPAA, CMIA provides a Private Right of Action, allowing patients to sue for violations tied to unauthorized access, use, or disclosure of medical information.

Consequences you should anticipate

  • Civil Penalties for Unauthorized Disclosure, which can apply per patient and per incident, with higher exposure for willful or repeated misconduct.
  • Damages in private lawsuits, including actual damages, statutory or nominal damages where provided, injunctive relief, and potential attorney’s fees.
  • Regulatory enforcement by state or local authorities, which may seek additional civil penalties and compliance orders.
  • Licensing and contractual repercussions, including board discipline, payer actions, and vendor sanctions.

Risk reducers

  • Maintain tight access controls and audit logs for electronic systems; monitor for anomalous activity.
  • Train your workforce on CMIA/HIPAA do’s and don’ts and enforce sanctions for violations.
  • Use role-based permissions, data minimization, and encryption at rest and in transit.
  • Test incident response and breach-notification workflows so notices are timely and accurate.

Interaction between Federal and State Laws

HIPAA preempts conflicting state laws unless the state rule is more protective. In California, CMIA is often “more stringent,” so you must apply CMIA’s tighter rules alongside HIPAA’s baseline. When both apply, follow the stricter provision.

How the laws align in practice

  • Redisclosure: HIPAA may permit certain downstream uses; CMIA can prohibit them without fresh authorization.
  • Marketing and sale of data: HIPAA requires authorization; CMIA can impose even narrower conditions and remedies.
  • Employer context: HIPAA generally does not cover employer-held records; CMIA restricts employer use of medical information they receive from covered sources.
  • Consumer apps: if an app is a contractor to a provider/plan, CMIA applies; otherwise, other California privacy laws usually govern, but CMIA still limits use of medical information obtained from covered sources.

Compliance roadmap: inventory data flows, confirm whether you are a provider, plan, contractor, or business associate, and map each disclosure to both HIPAA and CMIA. Standardize authorizations, adopt minimum-necessary and Digital Health Record Protections, align vendor contracts with California Civil Code Section 56 requirements, and rehearse your incident response. The result is a defensible program that meets HIPAA’s floor and CMIA’s more protective standards.

FAQs

What are the key differences between HIPAA and CMIA?

HIPAA is a federal baseline for covered entities and business associates, while CMIA is a California statute, the Confidentiality of Medical Information Act, found in California Civil Code Section 56 et seq. CMIA often goes further by restricting redisclosure, tightening marketing rules, and adding a Private Right of Action and civil penalties. In short, HIPAA sets the floor; CMIA frequently raises the bar in California.

How does CMIA affect patient access to medical records?

CMIA reinforces your Medical Records Inspection Rights by requiring providers, plans, and contractors to maintain confidentiality while facilitating access and copies through secure, reasonable processes. You can also request amendments or addenda and direct how you want to receive communications, enhancing control over your records.

What penalties exist for unauthorized disclosure under CMIA?

CMIA allows regulators to seek Civil Penalties for Unauthorized Disclosure and gives patients a Private Right of Action for negligent, reckless, or willful violations. Remedies can include actual and statutory or nominal damages, injunctive relief, and potential attorney’s fees, with higher exposure for repeated or intentional misconduct.

How do HIPAA and CMIA work together in California compliance?

You must comply with both. Apply HIPAA’s national standards for privacy and security, then layer on CMIA’s stricter provisions where they are more protective. Practically, that means using California-compliant authorizations, honoring tighter redisclosure limits, enforcing Digital Health Record Protections, and ensuring vendors meet California Civil Code Section 56 obligations.
