HIPAA vs. California CMIA: What Healthcare Organizations Need to Know
For healthcare organizations operating in California, compliance does not stop with HIPAA. While the Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting protected health information (PHI), California's Confidentiality of Medical Information Act (CMIA) imposes additional state-specific privacy requirements that are often more protective of patient information.
The result is a layered compliance environment. Healthcare providers, health plans, medical groups, dental practices, behavioral health organizations, and other regulated entities must understand both laws and, when the standards differ, generally follow the rule that provides greater privacy protection to patients.
Understanding how HIPAA and CMIA interact is essential for developing compliant privacy policies, workforce training programs, disclosure procedures, breach response protocols, and overall compliance programs.
What Is HIPAA?
HIPAA is a federal law that establishes nationwide requirements for protecting health information. HIPAA applies primarily to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as business associates that perform services involving protected health information on behalf of covered entities.
HIPAA consists of several major rules, including:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Enforcement Rule
Together, these rules govern how protected health information may be used, disclosed, safeguarded, and reported when a breach occurs. HIPAA is intended to create a national baseline for health information privacy. However, HIPAA specifically allows more protective state privacy laws to remain in effect.
What Is the California CMIA?
The California Confidentiality of Medical Information Act (CMIA), codified in California Civil Code §§ 56–56.37, is California’s primary medical privacy law.
CMIA regulates how healthcare providers, health care service plans, contractors, and certain other entities collect, maintain, use, and disclose medical information.
At its core, CMIA is designed to preserve the confidentiality of patient medical information unless disclosure is authorized by the patient or specifically permitted or required by law. Although HIPAA and CMIA address many of the same privacy concerns, CMIA frequently imposes stricter requirements and can create legal exposure beyond what exists under HIPAA alone.
Why California Organizations Must Comply With Both
A common misconception is that HIPAA preempts state privacy laws. In reality, HIPAA generally does not preempt state laws that are more protective of patient privacy.
As a result, California healthcare organizations often must comply with both HIPAA and CMIA simultaneously.
When HIPAA permits a disclosure but CMIA is more restrictive, organizations generally should follow the stricter California requirement. Consequently, HIPAA compliance alone does not necessarily mean an organization is compliant under California law.
Key Differences Between HIPAA and CMIA
| Protection / Right | HIPAA (Federal) 45 CFR Part 164 | California CMIA Cal. Civ. Code §§ 56 et seq. |
|---|---|---|
| Scope and purpose | Establishes nationwide privacy, security, and breach notification standards for protected health information. | Focuses specifically on protecting the confidentiality of medical information within California and imposes additional provider-facing obligations. |
| Authorization requirements | Permits many disclosures without patient authorization for treatment, payment, and healthcare operations (TPO). | Often starts from a more restrictive position and requires organizations to confirm that a disclosure is either specifically authorized by the patient or clearly permitted by statute. |
| Patient rights and protections | Provides important baseline privacy protections for patients. | May limit certain disclosures that HIPAA would otherwise permit and can impose additional restrictions on how authorizations and waivers are used. |
| Condition of treatment restrictions | Does not prohibit providers from conditioning treatment or care on a patient signing an authorization. | Prohibits providers from requiring patients, as a condition of receiving care, to sign authorizations permitting disclosures that would not otherwise be allowed by law. |
| Medical records access timeframe | 30 days, with a possible additional 30-day extension with written notice. 45 CFR § 164.524 | Inspection: within 5 working days. Copies: transmitted within 15 days. Stricter than HIPAA. Health & Safety Code § 123110 |
| Private right to sue | No private right of action; enforcement is generally through HHS OCR and, in some cases, state attorneys general. | Patients may sue directly for negligent release of medical information. Cal. Civ. Code § 56.36 |
| Penalties for violations | Civil monetary penalties are tiered by culpability and inflation-adjusted annually. As of 2026, penalties generally range from $145 to $73,011 per violation, with annual caps. 45 CFR § 160.404 | Nominal damages of $1,000 per violation in appropriate cases, actual damages, and reasonable attorney's fees and costs. Certain violations causing economic loss or personal injury may also be misdemeanors. Cal. Civ. Code § 56.36 |
| Breach notification to patients | Without unreasonable delay and no later than 60 calendar days after discovery of a breach. 45 CFR § 164.404 | CMIA itself does not prescribe a specific patient notification timeline. For certain licensed facilities, unauthorized access, use, or disclosure of medical information generally requires notification to patients and the California Department of Public Health within 15 business days. General data breach notification requirements apply under Civil Code § 1798.82. Health & Safety Code § 1280.15 |
Enforcement and Penalties
HIPAA Enforcement
HIPAA is primarily enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR investigates complaints, conducts audits, and may impose civil monetary penalties.
Penalty amounts vary based on factors such as the nature of the violation, the level of culpability, and corrective actions taken by the organization.
HIPAA also provides for criminal penalties in certain cases of intentional misuse of protected health information.
CMIA Enforcement
CMIA creates additional enforcement exposure under California law.
Unlike HIPAA, which generally does not provide a private right of action for patients, CMIA provides a private right of action for individuals in cases involving negligent release of medical information. Organizations may face regulatory penalties, civil damages (including nominal damages and actual damages), and attorney's fees.
Why CMIA Often Creates Greater Practical Risk
Many healthcare organizations focus heavily on HIPAA because it is the most widely known healthcare privacy law.
However, CMIA often creates greater practical risk because violations may lead not only to regulatory scrutiny but also to private lawsuits.
A privacy incident that results in an OCR investigation under HIPAA may simultaneously create state-law exposure under CMIA.
For California healthcare organizations, this means privacy incidents can have both regulatory and litigation consequences.
HIPAA Training vs. CMIA Training
Many organizations ask whether HIPAA training alone is sufficient to satisfy California privacy obligations.
The answer is generally no.
HIPAA Training Requirements
HIPAA requires covered entities to train workforce members on privacy policies and procedures as necessary and appropriate for their job responsibilities.
Training should occur for new workforce members and whenever material changes are made to privacy policies or procedures.
Although HIPAA does not impose a universal annual training requirement, annual refresher training is widely considered a compliance best practice.
CMIA Training Considerations
Although CMIA does not contain a standalone annual training mandate, organizations must ensure workforce members understand California-specific confidentiality obligations, including patient authorization requirements, disclosure restrictions, access controls, incident reporting, and California-specific patient rights.
Organizations should document training attendance, training dates, training materials, and completion records.
Best Practice: Provide integrated HIPAA and CMIA privacy training rather than treating CMIA as a separate topic. Document all training completion records.
Compliance Best Practices for California Healthcare Organizations
- Written Policies and Procedures: Maintain written privacy policies that address both HIPAA and CMIA requirements. Review and update them annually and after significant regulatory changes.
- Role-Based Access Controls: Limit access to medical information based on job responsibilities.
- Workforce Training: Provide integrated training on both frameworks and document completion.
- Vendor and Contractor Oversight: Review vendor agreements to ensure CMIA obligations, including redisclosure limits, are addressed.
- Incident Response Planning: Maintain clear procedures for identifying, investigating, documenting, and responding to privacy incidents.
Example: When HIPAA Compliance Alone Is Not Enough
Consider a healthcare organization that determines a disclosure is permissible under HIPAA because it relates to healthcare operations. A California provider cannot stop the analysis there. The organization must also determine whether CMIA independently permits the disclosure or whether patient authorization is required. If California law is more protective, the organization generally must follow the stricter CMIA standard. This is one of the most common areas where organizations mistakenly assume HIPAA compliance automatically satisfies California privacy requirements.
Conclusion
HIPAA and California's Confidentiality of Medical Information Act are best understood as overlapping frameworks rather than competing alternatives.
HIPAA establishes the national baseline for healthcare privacy and security. CMIA adds California-specific confidentiality requirements that can be more restrictive and may create additional litigation exposure.
For California healthcare organizations, compliance should not be viewed as a HIPAA-only exercise. Effective compliance programs should incorporate both HIPAA and CMIA requirements through written policies, workforce training, access controls, vendor oversight, risk assessments, and incident response planning.
Organizations that proactively address both laws will be better positioned to reduce regulatory risk, minimize litigation exposure, strengthen patient trust, and maintain compliance in California's increasingly complex privacy environment.
How Gamma Can Help
California healthcare organizations face a unique compliance challenge: understanding and complying with both HIPAA and CMIA. While HIPAA establishes the federal baseline for protecting patient information, CMIA adds California-specific requirements that can be more restrictive and may create additional legal exposure when privacy incidents occur.
Effective compliance requires more than simply understanding the differences between the two laws. Organizations should maintain written privacy policies, train workforce members on both federal and California-specific requirements, implement appropriate access controls, and establish clear procedures for responding to privacy incidents.
Gamma Compliance Solutions helps healthcare organizations simplify privacy compliance through practical training and compliance resources designed specifically for healthcare environments.
Gamma's HIPAA training program includes coverage of California-specific privacy requirements, including key CMIA concepts such as patient authorization requirements, disclosure restrictions, confidentiality obligations, privacy incident reporting, and patient rights. This integrated approach helps California healthcare employers address both federal and state privacy expectations through a single training experience.
In addition to training, Gamma's HIPAA documentation packages provide organizations with customizable policies, forms, procedures, and supporting resources designed to help establish and maintain an effective privacy compliance program. Together, these training and documentation resources help organizations educate their workforce, document compliance efforts, and maintain a structured approach to protecting patient information.
Whether you operate a medical practice, dental office, behavioral health organization, veterinary practice, or multi-location healthcare group, Gamma provides practical tools and resources to help support ongoing HIPAA and CMIA compliance efforts.