HIPAA Laws in California: What You Need to Know About Compliance, Patient Rights, and Penalties
Compliance Requirements for Healthcare Providers
Who must comply
If you are a Covered Entity (healthcare provider, health plan, or clearinghouse) or a Business Associate handling Protected Health Information (PHI), HIPAA applies to you nationwide. In California, the Confidentiality of Medical Information Act (CMIA) also applies to providers of health care, health care service plans, contractors, and certain related entities that handle “medical information.”
Core HIPAA obligations
- Adopt Privacy Rule policies, issue a Notice of Privacy Practices, designate privacy and security officers, train your workforce, and enforce a sanctions policy.
- Conduct an enterprise-wide security risk analysis and implement risk management under the Security Rule (administrative, physical, and technical safeguards).
- Limit uses and disclosures to the minimum necessary and maintain written Business Associate Agreements with vendors that create, receive, maintain, or transmit PHI.
- Maintain processes for Patient Access Rights, Medical Records Amendments, and Disclosure Accounting, tracking deadlines and responses.
- Prepare and test an incident response and breach notification plan that meets both HIPAA and California timelines.
California-specific overlays
- Licensed facilities (e.g., hospitals, certain clinics, home health agencies, and hospices) must safeguard medical information and, when unlawful or unauthorized access, use, or disclosure occurs, notify the California Department of Public Health (CDPH) and affected patients within 15 business days of detection. This state clock runs in addition to HIPAA’s federal timelines, not instead of them.
- Providers must meet California’s access deadlines and fee limits for medical records while honoring HIPAA’s cost-based fee rules for electronic copies.
Patient Rights Under HIPAA and CMIA
Patient Access Rights
Under HIPAA, you must provide access to a patient’s PHI in a designated record set within 30 calendar days of the request, with one 30-day extension if needed and explained to the patient in writing within the original 30 days. Fees must be reasonable and cost-based (labor for copying, supplies, postage); per-page fees are not permitted for PHI maintained electronically. A flat fee of up to $6.50 for electronic copies of electronically maintained PHI is an optional safe harbor, not a universal cap.
California’s Health and Safety Code gives faster access: patients may inspect records within 5 business days and receive copies within 15 days. State law allows up to $0.25 per page for paper copies ($0.50 from microfilm) and prohibits withholding records due to unpaid bills. Where HIPAA provides stronger protections for electronic records, follow HIPAA’s more stringent standards.
Medical Records Amendments
HIPAA allows patients to request amendments to PHI; you must act within 60 days (with one 30-day extension). If you grant the request, append or link the amendment and notify relevant recipients. If you deny it, provide written reasons and allow the patient to submit a statement of disagreement to be appended going forward.
California gives patients the right to submit an addendum to their records—up to 250 words per disputed item—which you must attach and include whenever you disclose the disputed portion.
Disclosure Accounting
Under HIPAA, patients may request an accounting of disclosures from the past 6 years (excluding most treatment, payment, and health care operations). Provide it within 60 days, with one 30-day extension if necessary. The first accounting in any 12-month period is free; subsequent requests may incur a reasonable, cost-based fee.
Protected Health Information Safeguards
Administrative safeguards
- Perform and update a risk analysis; maintain a risk management plan with ownership, timelines, and verification of fixes.
- Train your workforce on privacy, security, phishing, and minimum necessary; document attendance and competency.
- Manage vendors with due diligence, Business Associate Agreements, and ongoing monitoring.
- Plan for contingencies: backups, disaster recovery, emergency operations, and periodic tabletop exercises.
Technical safeguards
- Enforce role-based access, unique IDs, multi-factor authentication, and automatic session timeouts.
- Encrypt ePHI in transit and at rest; use TLS 1.2 or later with certificate validation for transmission and validated encryption (for example, FIPS 140-validated modules) for storage.
- Enable audit logging and centralized monitoring; routinely review logs and alerts for anomalous activity.
- Harden endpoints with patching, malware protection, mobile device management, and remote wipe.
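Audit logging only reduces risk if someone actually looks at the logs. The following is an added example, not code from the original article or from any vendor named on this page: it runs two simple detections over a constructed ePHI access log, flagging a user who opens an unusually large number of distinct patient records in a short window (the classic chart-snooping pattern) and any access outside business hours. The log format, field names, thresholds, user IDs, and sample records are all assumptions made for illustration.

```python
"""Audit-log review for anomalous ePHI access.

Added example, not from the original article. The log format, field
names, thresholds and the sample records below are assumptions
constructed for illustration; adapt them to your EHR's audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: ISO timestamp | user id | patient id | action.
# clerk.kim opens 11 distinct charts in five minutes; dr.patel logs in
# at 23:41. Everything else is ordinary daytime activity.
SAMPLE_LOG = """\
2024-03-04T09:02:11 | nurse.lee | P1001 | view
2024-03-04T09:05:40 | nurse.lee | P1001 | update
2024-03-04T09:20:03 | nurse.lee | P1002 | view
2024-03-04T10:15:00 | dr.patel  | P2001 | view
2024-03-04T23:41:12 | dr.patel  | P2002 | view
2024-03-04T13:00:00 | clerk.kim | P3001 | view
2024-03-04T13:00:30 | clerk.kim | P3002 | view
2024-03-04T13:01:00 | clerk.kim | P3003 | view
2024-03-04T13:01:30 | clerk.kim | P3004 | view
2024-03-04T13:02:00 | clerk.kim | P3005 | view
2024-03-04T13:02:30 | clerk.kim | P3006 | view
2024-03-04T13:03:00 | clerk.kim | P3007 | view
2024-03-04T13:03:30 | clerk.kim | P3008 | view
2024-03-04T13:04:00 | clerk.kim | P3009 | view
2024-03-04T13:04:30 | clerk.kim | P3010 | view
2024-03-04T13:05:00 | clerk.kim | P3011 | view
"""


def parse_log(text):
    """Parse pipe-delimited lines into (timestamp, user, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = (f.strip() for f in line.split("|"))
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def find_bulk_access(events, window=timedelta(minutes=10), max_patients=10):
    """Flag users who touched more than max_patients distinct records
    within any sliding window of the given length.

    Returns a list of (user, window_start, distinct_patient_count),
    at most one entry per user so the triage queue stays short.
    """
    by_user = defaultdict(list)
    for ts, user, patient, _ in events:
        by_user[user].append((ts, patient))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological; tuples sort on the datetime first
        for i, (start, _) in enumerate(rows):
            seen = {p for ts, p in rows[i:] if ts - start <= window}
            if len(seen) > max_patients:
                alerts.append((user, start, len(seen)))
                break
    return alerts


def find_after_hours(events, start_hour=7, end_hour=19):
    """Return (user, timestamp, patient) for accesses outside business hours.

    The 07:00-19:00 window is an assumed default; on-call roles need
    their own schedule rather than a blanket exception.
    """
    return [
        (user, ts, patient)
        for ts, user, patient, _ in events
        if not start_hour <= ts.hour < end_hour
    ]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for alert in find_bulk_access(ev):
        print("bulk access:", alert)
    for alert in find_after_hours(ev):
        print("after hours:", alert)
```

Thresholds are the part that needs care: an emergency-department clerk legitimately opens dozens of charts an hour, so set `max_patients` and the hours window per role rather than globally, and keep the raw events so that when an alert fires you can answer the four-factor breach questions (what was viewed, by whom, whether it was actually acquired) from evidence rather than memory.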
Physical safeguards and lifecycle controls
- Secure facilities and workstations; restrict media removal; sanitize or destroy media per recognized guidelines when retiring systems.
Breach risk reduction
- Use strong encryption and secure destruction so that PHI qualifies as “secured” under HHS guidance; loss or theft of secured PHI is not a reportable breach. The safe harbor only holds if the encryption key was not compromised along with the data and the encryption follows the referenced NIST guidance, so document key management as carefully as the encryption itself.
- Document the four-factor breach risk assessment for suspected incidents (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated) and retain evidence of each decision, including decisions not to notify.
Penalties for HIPAA Violations
Civil money penalties (CMPs)
HIPAA uses four penalty tiers based on culpability, with dollar amounts adjusted annually for inflation. Using the 2026 adjusted figures, per-violation amounts start at approximately $145 (Tier 1: lack of knowledge) and rise to $73,011 at the top tier, with an annual cap of about $2,190,294 for violations of an identical provision. Willful neglect not corrected within 30 days carries a minimum of $73,011 per violation; settlements commonly add corrective action plans and multi-year monitoring on top of the money penalty.
Criminal penalties
- Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA: up to $50,000 and 1 year in prison.
- Under false pretenses: up to $100,000 and 5 years.
- With intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm: up to $250,000 and 10 years.
Breach notification timelines
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. For incidents affecting 500 or more individuals, notify HHS at the same time as the individuals and, when more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area. For incidents affecting fewer than 500 individuals, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Penalties Under California CMIA
Private right of action and statutory damages
- Patients may sue for negligent release of medical information and recover nominal damages of $1,000 per person without proving actual harm, and seek actual damages when harm is shown.
- Court-awarded remedies can include injunctive relief and, in many cases, attorney’s fees and costs.
Administrative fines for licensed facilities
- CDPH may assess up to $25,000 per patient for an unlawful or unauthorized access, use, or disclosure, plus up to $17,500 for each subsequent occurrence involving the same patient, capped at $250,000 per reported event.
- Failure to report to CDPH and notify affected patients within 15 business days can add $100 per day in penalties.
Criminal exposure
CMIA classifies certain violations that cause economic loss or personal injury as misdemeanors, and imposes higher civil penalties for knowing and willful misconduct, particularly where medical information is obtained or used for financial gain.
Differences Between HIPAA and CMIA
- Scope and entities: HIPAA applies to Covered Entities and Business Associates nationwide; CMIA applies within California to providers, health care service plans, contractors, and certain related entities handling “medical information.”
- Preemption: HIPAA sets a federal floor. Where CMIA is more protective (e.g., faster access deadlines), California rules control.
- Enforcement: HIPAA is enforced by HHS OCR with civil and criminal penalties; CMIA adds private lawsuits, CDPH administrative penalties for licensed facilities, and potential professional discipline.
- Access timelines and fees: HIPAA allows up to 30 days (plus one 30-day extension) with cost-based fees for copies; California requires inspection within 5 business days and copies within 15 days, with per‑page caps for paper and special rules for free copies in certain public‑benefit contexts.
- Remedies: HIPAA offers no private right of action; CMIA provides statutory damages (including $1,000 nominal damages per person) and actual damages, plus administrative penalties.
Best Practices for Regulatory Compliance
A unified California compliance blueprint
- Map PHI and “medical information” flows, then align HIPAA and CMIA obligations across intake, treatment, billing, patient portals, and vendors.
- Operationalize patient rights: build standard operating procedures that meet California’s 5‑/15‑day access deadlines while satisfying HIPAA’s 30‑day rule and fee limits for electronic copies.
- Strengthen security controls: enforce MFA, role-based access, network segmentation, encryption in transit and at rest, vulnerability management, and continuous logging with alerting.
- Vendor governance: inventory Business Associates, execute BAAs, verify safeguards, and set breach reporting SLAs that meet 60‑day HIPAA and 15‑business‑day California timelines where applicable.
- Breach readiness: maintain incident playbooks, complete the four‑factor risk assessment for suspected breaches, preserve evidence, and rehearse cross‑functional response.
- Document everything: keep risk analyses, risk treatment records, policies, training logs, amendments, access logs, and Disclosure Accounting artifacts for audit readiness.
- Continuous improvement: audit against recognized security practices and update controls after incidents, regulatory changes, or technology shifts.
Conclusion
In California, HIPAA sets the privacy and security baseline while CMIA adds faster access deadlines, a private right of action, and state administrative penalties. Build processes that meet the strictest rule at each step (patient access, amendments, safeguards, and breach response) to protect patients, demonstrate accountability, and reduce exposure to civil and criminal penalties.
FAQs
What are the main differences between HIPAA and CMIA in California?
HIPAA is a federal law that applies to Covered Entities and Business Associates and is enforced by HHS OCR; it provides no private right of action. CMIA is a California statute covering providers, health care service plans, contractors, and related entities handling medical information; it allows patients to sue for statutory and actual damages and empowers CDPH to levy administrative fines against licensed facilities. CMIA also imposes faster access deadlines and specific state reporting duties after breaches.
How can patients request amendments to their medical records?
Under HIPAA, patients submit a written amendment request; you must act within 60 days (one 30‑day extension allowed). If approved, append or link the amendment and notify relevant recipients. If denied, provide written reasons and allow a patient statement of disagreement to be appended. Under California law, patients may submit an addendum—up to 250 words per disputed item—which you must attach and include with future disclosures of the disputed portion.
What penalties apply for willful HIPAA violations?
Willful neglect corrected within 30 days carries higher civil penalties than unknowing violations; willful neglect not corrected has the highest tier, with minimum per‑violation amounts in 2026 of approximately $73,011 and annual caps around $2,190,294 for identical provisions. Criminal penalties can reach up to $250,000 and 10 years’ imprisonment when PHI is misused for commercial advantage, personal gain, or malicious harm.
How does CMIA enhance patient privacy protections beyond HIPAA?
CMIA offers additional remedies and stricter timelines: patients can obtain inspection within 5 business days and copies within 15 days, sue for $1,000 statutory damages without proving actual harm, and recover actual damages when harm exists. For licensed facilities, CMIA-linked rules require breach notices to CDPH and patients within 15 business days and authorize substantial state administrative penalties, independent of HIPAA enforcement.