Awareness article

California's CMIA: When State Law Is Stricter Than HIPAA

California's Confidentiality of Medical Information Act reaches beyond HIPAA-covered entities: it also binds employers that receive employee medical information and businesses organized to maintain medical information, including makers of health apps. For California clinics, CMIA's broader scope and private right of action change the compliance calculus.

Short answer

California's Confidentiality of Medical Information Act covers more entities and more types of information than HIPAA. It also gives individuals a private right of action — meaning patients can sue directly, without waiting for OCR. California clinics operating under HIPAA still must comply with CMIA wherever it is stricter.

Federal HIPAA compliance is the baseline for healthcare privacy. In California, that baseline does not reach far enough.

The Confidentiality of Medical Information Act — California Civil Code §56 et seq. — predates HIPAA, covers a broader range of entities, defines protected information more broadly, and gives patients a direct legal remedy that HIPAA does not. For any clinic operating in California, CMIA is not a parallel concern. It is frequently the controlling standard.

HIPAA Preemption: The Rule and the Exception

HIPAA includes a preemption provision: federal law generally supersedes contrary state law. But the preemption is not absolute. Under 45 CFR §160.203, states may maintain laws that are more stringent than HIPAA’s requirements — that is, laws that provide greater privacy protections to individuals or that give individuals greater rights with respect to their health information.

California’s CMIA qualifies under this exception. HHS has acknowledged that state laws providing stronger protections than HIPAA are not preempted. California clinics cannot rely on HIPAA compliance alone and must independently assess their CMIA obligations.

Who CMIA Covers: Broader Than You Expect

HIPAA applies to covered entities — health care providers who conduct certain electronic transactions, health plans, and health care clearinghouses — and to business associates who handle PHI on their behalf.

CMIA applies to:

  • Providers of health care, meaning licensed providers and their staff, which overlaps substantially with HIPAA coverage
  • Health care service plans and contractors; "contractor" under §56.05 includes medical groups, independent practice associations and pharmacy benefit managers, some of which are not HIPAA covered entities in their own right
  • Pharmaceutical companies that hold individually identifiable medical information
  • Employers: §56.20 obliges any employer in California that receives medical information about employees to establish procedures protecting its confidentiality
  • Businesses organized for the purpose of maintaining medical information for individuals or their providers, and businesses that offer software or hardware (including mobile applications) designed to maintain medical information; §56.06 deems these providers of health care for CMIA purposes

The employer coverage is the category that most surprises clinics. A clinic that receives return-to-work documentation, disability accommodation requests, or any other employee medical information is operating under CMIA’s obligations for that information — not just HIPAA’s.

What CMIA Protects: A Broader Definition

HIPAA defines protected health information as individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care.

CMIA defines "medical information" in California Civil Code §56.05 as any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor, regarding a patient's medical history, mental or physical condition, or treatment. "Individually identifiable" is satisfied by any element of personal identifying information (name, address, email address, telephone number, Social Security number, or any other identifier) sufficient to identify the individual, alone or in combination with publicly available information.

The two definitions overlap heavily, but they are anchored differently: HIPAA's PHI is defined by who holds the information (a covered entity or business associate), while CMIA's definition turns on where the information came from (a provider, plan, pharmaceutical company or contractor). Medical information keeps its CMIA status after it leaves the provider, which is why the employer chapter can reach a personnel file. California courts have also read the definition broadly in contexts where HIPAA's PHI definition would be ambiguous. CMIA also specifically:

  • Restricts disclosure of genetic test results (Civil Code §56.17), requiring a specific written authorization and carrying its own penalty schedule
  • Covers mental health records with heightened protections (Civil Code §56.104 adds conditions before outpatient psychotherapy information may be disclosed)
  • Covers information in the possession of entities HIPAA would not reach, such as employers and the businesses deemed providers under §56.06

The Private Right of Action: The Practical Difference

HIPAA does not give patients the right to sue a covered entity directly. A patient who believes their medical information was improperly disclosed can file a complaint with OCR — but OCR chooses which complaints to investigate and is not obligated to take action on every complaint it receives.

CMIA is different. California Civil Code §56.35 and §56.36 create a private right of action. Individuals can file lawsuits in California state court without any prior agency complaint or government action.

The statutory remedies come from two sections:

  • Civil Code §56.36(a): anyone whose information was negligently released may recover nominal damages of $1,000 without proving actual harm, plus any actual damages sustained. Public prosecutors may separately seek civil penalties under §56.36(b), starting at $2,500 per negligent violation and rising to $25,000 per violation for knowing and willful conduct.
  • Civil Code §56.35: a patient who suffered economic loss or personal injury from a use or disclosure in violation of §56.10, §56.104 or §56.20 may recover compensatory damages (which can be substantial where the disclosure becomes widely known or causes reputational harm), punitive damages of up to $3,000, attorney fees of up to $1,000, and costs.

Class actions under CMIA have been filed and certified in California. A single incident affecting many patients multiplies the $1,000 nominal-damages claim across the class even when individual harm is hard to quantify: for a small clinic with 500 patients affected by one disclosure, that is $500,000 before actual damages and litigation costs.

Two caveats temper that arithmetic. First, California appellate courts (Regents of University of California v. Superior Court (2013) and Sutter Health v. Superior Court (2014)) have held that "negligently released" requires more than loss of possession: the plaintiff must plausibly allege that an unauthorized person actually viewed the information, so a stolen but unread drive does not by itself support nominal damages. Second, §56.36(e) gives a HIPAA covered entity or business associate an affirmative defense to nominal damages where the release went solely to another covered entity or business associate, was not medical identity theft, and was met with appropriate safeguards and corrective action. Neither caveat helps a clinic whose records were actually read by an outsider.

Employer Medical Information: A Separate Obligation

California Civil Code §56.20 through §56.245 govern employer receipt and handling of employee medical information. The practical implications for a medical clinic:

When a clinic employee requests a disability accommodation, submits a workers’ compensation claim, or provides medical documentation of any kind, the clinic — as employer — receives “medical information” as defined under CMIA. The clinic’s obligations as employer are separate from its obligations as a covered entity.

What CMIA itself requires of the employer (§56.20 and §56.21):

  • Establish appropriate procedures to ensure confidentiality and protect the information from unauthorized use and disclosure; the statute's own examples are training for staff who handle files containing medical information and security systems restricting access to those files
  • Do not use or disclose the information without a written authorization that meets §56.21 (clearly separated from other text, signed and dated, stating the information covered, the authorized recipients, the limits on use and an expiration date), except in the narrow cases §56.20(c) lists, such as a court order, a proceeding in which the employee has placed the condition at issue, or administration of employee benefit plans
  • Do not discriminate against an employee for refusing to sign an authorization (§56.20(b))

The familiar practices of keeping medical documentation in a file separate from the general personnel record, limiting disclosure to supervisors and managers who need it to manage an accommodation or modified duties, and informing first aid and safety personnel only where emergency treatment may be required come from the ADA and FEHA rather than from CMIA. They are nonetheless the obvious way to satisfy §56.20's "appropriate procedures" requirement, and one set of controls should implement both.

Violating the employer provisions exposes the clinic to the same private right of action as other CMIA violations; §56.35 expressly lists §56.20 among the sections whose breach supports damages.

Authorization: Where the Exceptions Diverge

HIPAA permits covered entities to use and disclose PHI for treatment, payment, and healthcare operations (TPO) without patient authorization. CMIA imposes a different consent framework in some contexts.

California Civil Code §56.10(a) prohibits a provider, plan, pharmaceutical company or contractor from disclosing medical information without first obtaining an authorization. §56.10(b) lists disclosures that must be made (for example, in response to a court order or subpoena) and §56.10(c) lists disclosures that may be made without authorization, including to other providers for diagnosis or treatment and to payers for billing. That list overlaps with HIPAA's TPO exception but is narrower in places, so a disclosure HIPAA permits without authorization may still need a written authorization under CMIA.

One area of practical divergence is marketing. HIPAA carves certain health-related communications, such as refill reminders and communications about a covered entity's own products and services, out of its definition of marketing and permits them without authorization. CMIA, in §56.10(d), forbids a provider, plan or contractor from intentionally sharing, selling, or using medical information for marketing or for any purpose not necessary to provide health care services, except to the extent the patient expressly authorizes. California clinics whose marketing communications draw on patient medical information should apply the CMIA standard.

Breach Notification Under CMIA

HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI; PHI encrypted in line with HHS guidance is "secured," and its loss is not a reportable breach. CMIA itself contains no notification clause (§56.36, sometimes cited for this, is the remedies section). The stricter California rules come from two neighbouring statutes. Health and Safety Code §1280.15 requires a licensed clinic, health facility, home health agency or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the California Department of Public Health and to the affected patient no later than 15 business days after it is detected, with no "secured information" carve-out; note that it attaches to facilities licensed under the Health and Safety Code, which excludes many physician-owned practices. Civil Code §1798.82, the general data-breach statute, covers medical information and health insurance information held by any person or business, requires notice in the most expedient time possible and without unreasonable delay, and requires a copy of the notice to the Attorney General when more than 500 California residents are notified; it applies to unencrypted data, or to encrypted data where the key is reasonably believed to have been acquired as well.

For a licensed California clinic, then, an incident that HIPAA would treat as secured, or that HIPAA's 60-day clock would allow to wait, can still demand a 15-business-day report to CDPH and to the patient under §1280.15, and any clinic notifying more than 500 Californians owes the Attorney General a copy of the notice.

Operating Under Both Frameworks

A California clinic’s compliance program must account for both HIPAA and CMIA. The practical approach:

Where the standards align — authorization requirements for treatment disclosures, security safeguards for electronic records, breach notification for large incidents — one set of policies can address both simultaneously if drafted to meet the stricter standard.

Where they diverge — marketing uses, employer medical information, private right of action implications — CMIA requires separate analysis and often separate policy provisions.

Document which standard you are applying to each workflow and why. If a patient complaint or lawsuit arises, a record showing that the clinic reviewed both frameworks and applied the stricter one is meaningful evidence of reasonable care, and it is exactly the kind of "appropriate preventive action" the CMIA affirmative defense and §1280.15 enforcement both look for.

FAQ

Questions related to this topic

Does CMIA replace HIPAA for California clinics?

No. CMIA and HIPAA are separate legal obligations that run concurrently. California clinics must comply with both. Where CMIA is stricter — broader scope, private right of action, more expansive definition of protected information — the CMIA standard controls.

Can a patient sue my clinic directly under CMIA?

Yes. CMIA provides a private right of action under California Civil Code §56.35 and §56.36. A negligent release supports nominal damages of $1,000 under §56.36(a) with no proof of actual harm, plus any actual damages; a patient injured by an unauthorized use or disclosure may also recover compensatory damages, punitive damages of up to $3,000, and limited attorney fees under §56.35. Patients do not need to file a complaint with a government agency first.

Does CMIA apply to employers who learn about employee medical conditions?

Yes. California Civil Code §56.20 through §56.245 govern employers who receive medical information about employees, for example through workers' compensation claims, disability accommodation requests, or fitness-for-duty examinations. The employer must establish procedures protecting the information's confidentiality and may not use or disclose it without a §56.21 written authorization outside narrow exceptions. Keeping it apart from general personnel files and restricting it to those who need it is how most employers meet that requirement, and is what the ADA and FEHA separately require.

Is genetic information covered by CMIA?

Yes. California Civil Code §56.17 requires a specific written authorization before a genetic test result may be disclosed in identifiable form and attaches its own penalties for negligent or willful disclosure. HIPAA's Privacy Rule treats genetic information as health information, and GINA (the Genetic Information Nondiscrimination Act) adds federal employment and health-insurance protections, but neither gives individuals CMIA's direct remedy.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.