Comparison · Privacy

CMIA vs HIPAA (California)

HIPAA is the federal baseline. CMIA is California's stricter overlay — broader provider definition, stronger consent requirements, and a private right of action for patients.

Last reviewed May 24, 2026

Side by side

Option A

CMIA (California)

California Confidentiality of Medical Information Act — state statute regulating use and disclosure of medical information by providers, contractors, employers, and others in California.

Cal. Civ. Code § 56 et seq.
  • Cal. Civ. Code §§ 56–56.37.
  • Broader "provider" definition than HIPAA — includes employers and certain non-CE handlers.
  • Private right of action — patients can sue directly for nominal damages of $1,000 plus actual damages.
Option B

HIPAA (Federal)

Federal baseline for protection of PHI held by covered entities and business associates.

45 CFR Parts 160 & 164
  • Enforced administratively by HHS OCR.
  • No private right of action.
Provider definition scope
CMIABroader — includes employers, certain contractors, app developers handling medical info
HIPAANarrower — covered entities and business associates
Patient private right of action
CMIAYes — $1,000 nominal + actual damages
HIPAANo — OCR enforcement only
Authorization specificity
CMIAStrict — separate authorization required for each disclosure purpose
HIPAAStandard HIPAA authorization elements apply
Preemption
CMIAStricter than HIPAA; not preempted
HIPAAFederal floor

When to use CMIA (California)

  • Any practice operating in California — CMIA applies in addition to HIPAA, and is more stringent in several areas.

When to use HIPAA (Federal)

  • All practices nationwide — HIPAA is the federal floor.

Common mistakes

  • Assuming HIPAA compliance satisfies CMIA — CMIA's broader scope and private right of action create independent exposure.
  • Using a HIPAA Authorization form for a disclosure that requires CMIA-specific consent elements.

Sources

Take it into the workspace

Track state overlay in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.