California Healthcare Compliance: CMIA + HIPAA — Where They Diverge
9 min read · Last reviewed May 23, 2026
California's Confidentiality of Medical Information Act (Civil Code §§ 56–56.37) imposes stricter consent, broader covered-entity scope, a 15-business-day breach window for licensed facilities, and a private right of action that HIPAA does not. The single biggest divergence: CMIA § 56.36(b) lets a patient sue for $1,000 in nominal damages per violation without proving any actual harm.
What CMIA actually requires
The Confidentiality of Medical Information Act is California's medical-privacy statute, codified at California Civil Code §§ 56–56.37. It applies to three categories: "providers of health care" (defined broader than HIPAA — including unlicensed personal trainers handling injury data and corporate wellness programs in some scenarios), "contractors" who receive medical information from providers, and "health-care service plans."
CMIA's core obligations:
- Authorization for non-treatment disclosures. Civ. Code § 56.10 prohibits disclosure of medical information without patient authorization except for specifically enumerated treatment, payment, and operations uses. The list of "compelled disclosures" at § 56.10(c) is narrower than HIPAA's permitted uses.
- Specific authorization form content. Civ. Code § 56.11 lists nine mandatory elements for a valid CMIA authorization, including handwritten or computer signature, specific identification of disclosing and receiving parties, purpose, and expiration.
- Marketing and sale restrictions. Civ. Code § 56.10(d) and § 56.36 impose separate consent and disclosure rules for any communication that markets a product or service to a patient based on their medical information.
- Patient access: 5 working days for inspection, 15 days for copies. California Health & Safety Code § 123110 requires a provider to permit inspection of records within five working days of receipt of the written request, and to transmit copies within 15 days of receipt of the written request — faster than HIPAA's 30-day window at 45 CFR § 164.524(b)(2).
- Breach notification on a 15-business-day cadence for licensed facilities under Health & Safety Code § 1280.15, with reporting to both CDPH and the affected patient.
- Contractor obligations. Civ. Code § 56.06 binds any vendor receiving medical information to CMIA directly, separate from the HIPAA Business Associate framework.
Where California is stricter than HIPAA
This is the table most California practices need on the wall.
| Topic | HIPAA | CMIA / California | Stricter | |---|---|---|---| | Patient access turnaround | 30 days, +1 extension (45 CFR § 164.524(b)(2)) | 5 working days to inspect / 15 days for copies, from receipt of written request (Health & Safety § 123110) | California | | Breach notice to individual | 60 days from discovery (45 CFR § 164.404(b)) | 15 business days, licensed clinics (Health & Safety § 1280.15) | California | | Private right of action | None | $1,000 nominal + actual damages per violation (Civ. Code § 56.36(b)) | California | | Authorization form | Six required elements (45 CFR § 164.508(c)) | Nine required elements (Civ. Code § 56.11) | California | | Marketing consent | Authorization required (45 CFR § 164.508(a)(3)) | Separate written authorization + financial disclosure (Civ. Code § 56.10(d), § 56.36) | California | | Civil penalty cap | $2,190,294 annual per identical violation (2026 HHS-adjusted; 45 CFR Part 102) | Up to $25,000 per knowing-and-willful violation + up to $250,000 per violation for financial gain (Civ. Code § 56.36(c)) | Tie; California per-violation higher, HIPAA cap higher | | Covered-entity definition | Health plans, clearinghouses, treatment providers | Above + corporate wellness, gym injury data, contractors (Civ. Code § 56.06) | California | | Disclosure to law enforcement | Permitted under multiple safe harbors (45 CFR § 164.512(f)) | Narrower; requires warrant or court order in most cases (Civ. Code § 56.10(c)) | California |
What practices most often miss is that CMIA's definition of "provider of health care" sweeps in some entities HIPAA does not — and CMIA's contractor obligations attach directly to any vendor receiving medical information, not just to vendors holding ePHI under a Business Associate Agreement. The HIPAA BAA template does not, by itself, bind the vendor under CMIA. A CMIA-aware contract is a stacked HIPAA BAA plus a CMIA addendum.
Where HIPAA is stricter than CMIA
The two areas where federal law is the harder rule:
- Security Rule technical safeguards. CMIA is largely a confidentiality and disclosure statute. The HIPAA Security Rule at 45 CFR Part 164 Subpart C prescribes a structured technical, administrative, and physical safeguards program — risk analysis, audit logging, encryption decisions, contingency planning, sanction policy. CMIA assumes safeguards exist but does not prescribe their content.
- Annual cap on civil penalties. HIPAA's tiered penalty structure at 45 CFR § 160.404 caps at $2.1 million per calendar year per identical-violation type. CMIA's per-violation $1,000 nominal damages have no statutory annual cap once a class is certified — which is why class actions are the larger financial exposure in California than OCR Civil Monetary Penalties.
- Breach risk assessment methodology. HIPAA at 45 CFR § 164.402 defines the four-factor risk assessment that controls whether a security incident is a reportable breach. CMIA does not impose a comparable methodology; California regulators tend to import the HIPAA framework for the assessment, then apply the stricter California notification timeline.
Breach notification timeline
California has two parallel breach-notification statutes that interact with HIPAA:
- Health & Safety Code § 1280.15 — licensed clinics, health facilities, home health agencies, and hospice agencies must report unlawful or unauthorized access, use, or disclosure of patient medical information to CDPH and the affected patient within 15 business days of detection. Civil penalties under this statute reach up to $25,000 per patient for the unauthorized access, use, or disclosure, with up to $17,500 per subsequent occurrence (not per day). For late reporting beyond the 15-business-day deadline, CDPH may assess $100 per day until the report is made.
- Civil Code § 1798.82 — the broader California breach-notification statute requires notification "in the most expedient time possible and without unreasonable delay" to any California resident whose unencrypted personal information was acquired. The Attorney General publishes notifications received under § 1798.82 in a public registry.
When a breach affects both California and non-California residents, the practice runs a 15-business-day CDPH/patient timeline for CA residents under § 1280.15 and a 60-day HIPAA timeline under 45 CFR § 164.404. The 60-day clock does not reset the 15-business-day clock — the shorter window controls for CA residents.
Substitute notice (media outlets) and AG notice for breaches affecting 500+ California residents apply under § 1798.82(e) and parallel the HHS 500-report posture at 45 CFR § 164.408(b).
Penalties and private right of action
The numbers practices need:
- CMIA civil penalty. Civ. Code § 56.36(c) — up to $2,500 per violation for negligent disclosure; up to $25,000 per violation for knowing and willful disclosure; up to $250,000 per violation for disclosure for financial gain.
- CMIA criminal penalty. Civ. Code § 56.36(a) provides that knowing and willful violations of certain CMIA provisions are punishable as misdemeanors — up to a $1,000 fine, up to one year imprisonment in county jail, or both. (Note: § 56.36(c)(4) only bars duplicate civil penalties under paragraphs (2) and (3); it does not itself define a criminal penalty.)
- Private right of action. Civ. Code § 56.36(b) — any individual whose medical information was disclosed in violation of CMIA may recover $1,000 nominal damages per violation without proof of actual damages, plus actual damages and attorney's fees. This is the litigation engine.
- Health & Safety § 1280.15 penalty. Up to $25,000 per patient affected for the unauthorized access, use, or disclosure, plus up to $17,500 per subsequent occurrence, assessed by CDPH. Separately, $100 per day for late reporting beyond the 15-business-day deadline until the report is made.
- AG enforcement. The California Attorney General brings CMIA actions independently of OCR; the dual-track posture means a single incident can generate parallel OCR and AG investigations on different timelines.
The class-action math is what drives California breach litigation. A breach affecting 50,000 patients at $1,000 nominal damages each is $50 million in baseline exposure before actual damages and fees — far larger than typical OCR Resolution Agreements. The 2019 UCLA Health and 2020 Sutter Health settlements illustrate the scale.
Compliance checklist for California practices
A CA-specific overlay to a HIPAA program:
- CMIA-compliant authorization form with all nine Civil Code § 56.11 elements; stacked with HIPAA § 164.508 authorization for non-treatment, non-payment, non-operations disclosures.
- Patient access within 15 days of copy request, 5 working days for inspection — document the response date and any fee charged under Health & Safety § 123110.
- CMIA contractor addendum layered onto every HIPAA BAA, binding the vendor to Civ. Code § 56.06 and the 15-business-day breach-reporting cadence.
- Breach response protocol that triggers CDPH and patient notice within 15 business days for licensed facilities, alongside HIPAA's 60-day track.
- Marketing review process — any patient communication tied to medical information must clear Civ. Code § 56.10(d) before it goes out.
- Workforce training on CMIA at hire and annually, separately documented from HIPAA training. Generic HIPAA training does not cover § 56.36 private right of action exposure.
- Annual CMIA disclosure-log review alongside the HIPAA accounting-of-disclosures log at 45 CFR § 164.528.
- CCPA carve-out documentation. Confirm the practice qualifies for the HIPAA-covered-entity exemption under Cal. Civ. Code § 1798.146 for the PHI portion; CMIA still applies on top.
The d3rx compliance binder state-overlay branches on California specifically and produces the stacked HIPAA + CMIA authorization, contractor addendum, and breach-response timeline a California practice runs in addition to the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for actually executing the controls and the response to any complaint.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — California Healthcare Compliance: CMIA + HIPAA — Where They Diverge. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Do CMIA rules apply if my practice is in Nevada but I treat California residents?
Yes, in most clinical scenarios. CMIA at California Civil Code § 56.10 applies to any 'provider of health care' that creates or maintains medical information about a California patient, and the California Attorney General has asserted jurisdiction over out-of-state providers treating CA residents. Telehealth that touches a CA patient pulls CMIA in alongside HIPAA. The safer posture: treat any encounter with a CA-resident patient as CMIA-covered and use a CMIA-compliant authorization for non-treatment disclosures.
Does CMIA override HIPAA when they conflict?
Neither overrides the other — they layer. HIPAA at [45 CFR § 160.203](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203) preempts contrary state law only when state law is less protective. Because CMIA is generally stricter than HIPAA on consent, marketing, and the private right of action, the CMIA provision controls. The CCPA's HIPAA carve-out at Cal. Civ. Code § 1798.146 does not eliminate CMIA — it only excludes already-covered PHI from CCPA, leaving CMIA in force.
What is the CMIA breach notification window?
For licensed clinics, health facilities, home health, and hospice agencies, California Health & Safety Code § 1280.15 requires reporting unauthorized access to CDPH and to the affected patient within 15 business days of detection. That window is materially shorter than HIPAA's 60-day individual-notice window at [45 CFR § 164.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404). Non-licensed practices follow Civil Code § 1798.82 for resident notification, which uses the same expedited posture.
Does CMIA create a private right of action against my practice?
Yes. California Civil Code § 56.36(b) lets an individual sue for nominal damages of $1,000 per violation plus actual damages, without proving harm. This is the single biggest exposure differentiator from HIPAA. Class actions consolidating thousands of plaintiffs at $1,000 each are the standard CMIA litigation pattern. HIPAA, by contrast, has no individual cause of action — only OCR enforcement under [45 CFR § 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404).
Can I use a generic HIPAA authorization to satisfy CMIA?
Not reliably. A HIPAA-compliant authorization under [45 CFR § 164.508](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508) covers HIPAA but does not always satisfy California Civil Code § 56.11's content requirements. CMIA requires a specific format with the patient signature, date, identification of who is authorized to disclose, recipient, purpose, and expiration. Sale-of-information and marketing authorizations under §§ 56.10(d) and 56.36 demand additional disclosures. Use a stacked CMIA + HIPAA authorization form.
Does CMIA apply to my IT vendor or my billing service?
CMIA's 2013 expansion (AB 1755) added 'contractors' as a defined class under Civil Code § 56.06. Any business that receives medical information from a provider for any purpose is bound by CMIA disclosure restrictions. A HIPAA Business Associate Agreement under [45 CFR § 164.504(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504) is necessary but not sufficient. Add CMIA-specific addenda that bind the vendor to § 56.06 and obligate breach notification on the same 15-business-day cadence the practice owes.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- California Civil Code §§ 56–56.37https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=&article=
- 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 45 CFR Part 164 Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
- 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR § 164.408(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR § 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceNew York SHIELD Act for Medical Practices: The Reasonable Safeguards StandardNY SHIELD Act (Gen. Bus. Law § 899-bb) vs HIPAA for medical practices: reasonable safeguards, expanded breach scope under § 899-aa, 30-day notice outer bound, $250k AG penalty exposure.
- ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAATexas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- RegulationCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateCalifornia healthcare compliance overlayCalifornia is the most demanding state for healthcare data.