
California CMIA vs. HIPAA: What Clinics Need to Know

How California's Confidentiality of Medical Information Act differs from HIPAA in scope, definitions, breach notice timelines, and enforcement — and what small California clinics must do beyond HIPAA compliance.

Short answer

The California Confidentiality of Medical Information Act (CMIA) applies to providers, employers, and other entities that create, maintain, or possess medical information. It operates alongside HIPAA, not instead of it. CMIA is often stricter: it covers more entity types, extends to employer wellness programs, and gives patients a private right of action that HIPAA does not. California clinics must comply with both frameworks and apply whichever is more protective in a given situation.

California’s Confidentiality of Medical Information Act (CMIA), codified at California Civil Code sections 56 through 56.37, predates HIPAA and operates independently of it. A California clinic subject to HIPAA must comply with both. Where the two frameworks conflict or differ in stringency, the clinic applies whichever standard is more protective of patient rights.

Entity scope

HIPAA’s Privacy Rule applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with covered transactions. Business associates have direct liability under HITECH.

CMIA covers providers of health care, health care service plans, pharmaceutical companies, contractors who create or maintain medical information on behalf of any of the above, and employers who receive medical information about employees. The employer scope is a meaningful difference: an employer receiving a fitness-for-duty evaluation or operating a wellness program that collects health data may be subject to CMIA even if it is not a HIPAA covered entity.

Definition of medical information

HIPAA protects individually identifiable health information — information that relates to a person’s physical or mental health, the provision of health care to that person, or the payment for health care, and that could identify the person.

CMIA defines medical information broadly as any individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment. California law also includes additional protections for genetic information and imposes stricter restrictions on mental health records, including psychiatric records, which may not be disclosed without specific authorization in circumstances where a general HIPAA authorization would suffice.

Breach notification timelines

HIPAA requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach.

California Civil Code § 56.06 — the CMIA-specific provision — requires a healthcare provider that suffers an unauthorized disclosure of medical information to notify each affected patient in the most expedient time possible and no later than 5 business days after the provider reasonably determines that the disclosure occurred. When a breach affects more than 500 Californians, the California AG must be notified within 15 business days (Civil Code § 1798.29).

California’s general data breach statute (Civil Code § 1798.82) sets a separate 30-day ceiling for certain categories of personal information, but the 5-business-day CMIA deadline is stricter and applies specifically to medical records. For a California clinic subject to both HIPAA and CMIA, the 5-business-day CMIA deadline governs healthcare provider notifications.

Enforcement and private right of action

OCR enforces HIPAA through civil monetary penalties and resolution agreements. Patients cannot sue directly under HIPAA.

Under CMIA, a patient whose medical information was negligently released may bring a private civil action for actual damages, plus exemplary damages of no less than $1,000 per negligent release, plus attorney’s fees. Unauthorized disclosure made with malice or oppression supports higher exemplary damages. This private right of action is a material difference from HIPAA that makes California medical information litigation a realistic risk for clinics that mishandle records.

What California clinics must do beyond HIPAA

A California clinic that already maintains a HIPAA-compliant program needs to:

  • Set its breach notification procedure to the 5-business-day CMIA deadline (Civil Code § 56.06), not the 60-day HIPAA ceiling. Include a process for notifying the California AG within 15 business days when a breach affects more than 500 Californians.
  • Ensure that its Notice of Privacy Practices accurately reflects California’s additional disclosure restrictions.
  • Review any employer-related health information handling for CMIA applicability, including occupational health services or return-to-work programs.
  • Train staff on CMIA’s additional restrictions on mental health and genetic information disclosures.



FAQ

Does CMIA replace HIPAA for California providers?

No. California providers subject to HIPAA must comply with both laws. Where CMIA is stricter than HIPAA, the clinic must meet the CMIA standard. Where HIPAA is stricter, HIPAA controls. The frameworks run concurrently.

What is the private right of action under CMIA?

Under California Civil Code § 56.35, a patient whose medical information is negligently released may sue for actual damages, exemplary damages of at least $1,000 for each violation, and attorney’s fees. HIPAA has no equivalent private cause of action: only OCR can pursue civil monetary penalties under HIPAA.

How does California's breach notice deadline compare to HIPAA?

California Civil Code § 56.06, the CMIA-specific breach notification provision, requires healthcare providers to notify affected patients within 5 business days of discovering an unauthorized disclosure of medical information. When a breach affects more than 500 Californians, the California AG must also be notified within 15 business days. HIPAA's Breach Notification Rule allows up to 60 days from discovery. California's tighter deadline controls for HIPAA-covered providers who also operate under CMIA.
