California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)
California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
Primary source
Cal. Civ. Code §§ 56-56.37 — California Legislative Information →https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=&article=
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The California Confidentiality of Medical Information Act (CMIA) — codified at California Civil Code §§ 56-56.37 — provides patient confidentiality protections broader than HIPAA in several respects:
- Scope: applies to providers of health care, health care service plans, contractors, and certain employers and corporations that receive medical information.
- Patient authorization: required for most disclosures of medical information; the required authorization elements include specific items the CMIA prescribes by statute.
- Private right of action: individuals may sue for actual damages, attorney's fees, and statutory damages of $1,000 per violation regardless of whether actual damage is proven (Civ. Code § 56.36).
- Marketing restrictions: stricter than HIPAA in several specific contexts.
- Mental health and substance use: layered with the Lanterman-Petris-Short Act and Welfare & Institutions Code provisions.
When CMIA and HIPAA conflict, the more protective standard applies under the Privacy Rule's preemption framework at 45 CFR 160.203. For California covered entities, the practical posture is to track both — CMIA controls more often than not.
The California Attorney General publishes ongoing enforcement and guidance through the OAG Health Privacy hub.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
HIPAA Privacy Rule: General Rules for Uses and Disclosures (45 CFR 164.502)
state-AG · State OverlayNew York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)
state-leg · State OverlayTexas Medical Records Privacy Act (Texas HIPAA, Tex. Health & Safety Code Ch. 181)
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationNew York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)New York data breach and information security law requiring reasonable administrative, technical, and physical safeguards for private information of NY residents, with expanded breach notification.
- RegulationTexas Medical Records Privacy Act (Texas HIPAA, Tex. Health & Safety Code Ch. 181)Often called 'Texas HIPAA,' this state law extends HIPAA-like protections to a broader class of 'covered entities,' adds Texas-specific training requirements, and provides for state enforcement.
- RegulationHIPAA Privacy Rule: General Rules for Uses and Disclosures (45 CFR 164.502)The general rules covered entities follow for any use or disclosure of protected health information, including the minimum necessary standard and treatment, payment, and operations exceptions.
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- ComplianceAccounting of Disclosures (45 CFR § 164.528): Tracker + ProcedureA 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.