California · Compliance overlay

California Healthcare Compliance.

California is the most demanding state for healthcare data. The CMIA imposes its own statutory damages even where HIPAA would not. Health & Safety Code § 1280.15 imposes a 15-business-day breach reporting clock on licensed facilities — the shortest in the United States — and requires direct notice to the California Department of Public Health. Layered on top is the CCPA/CPRA for consumer-health data that falls outside HIPAA's PHI scope. A California practice's compliance program needs CMIA-specific BAAs, a 15-business-day breach playbook, and CCPA mapping for any non-PHI data flows.

At a glance

Breach notice window

15business days

California is the strictest in the country for healthcare. Licensed clinics, health facilities, home-health agencies, and hospices must report unauthorized access, use, or disclosure of patient medical information to the California Department of Public Health and to affected patients within 15 business days of detection under Health & Safety Code § 1280.15. CMIA (Civil Code § 56) imposes separate damages exposure. CCPA/CPRA layer on top for any consumer-health data not covered by HIPAA.

Reporting body

California Department of Public Health (CDPH) + California Attorney General

Key state laws
  • Confidentiality of Medical Information Act (CMIA)Cal. Civ. Code §§ 56 – 56.37

    Restricts use and disclosure of patient medical information by providers, contractors, and corporations. Provides a private right of action with statutory damages up to $1,000 per violation plus actual damages, attorneys' fees, and punitives.

  • Patient Medical Information Breach Notice (Health Facilities)Cal. Health & Safety Code § 1280.15

    Licensed clinics, health facilities, home-health agencies, and hospices must notify CDPH and affected patients of any unlawful or unauthorized access, use, or disclosure of patient medical information within 15 business days of detection.

  • California Data Breach Notification StatuteCal. Civ. Code § 1798.82

    General breach-notification duty for personal information of California residents.

  • California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA)Cal. Civ. Code §§ 1798.100 – 1798.199.100

    Consumer privacy regime. PHI subject to HIPAA is generally exempt, but consumer-facing health data outside HIPAA's scope (some app data, wellness data, employee health data) is in scope.

  • HIPAA Privacy, Security, and Breach Notification Rules45 CFR Parts 160 & 164

    The federal baseline that all U.S. covered entities and business associates meet. HHS Office for Civil Rights (OCR) enforces.

How California goes further than HIPAA.

The breach window in California is 15 business days — shorter than HIPAA’s federal 60-day individual-notice deadline. Practices serving California residents need a breach playbook tuned to the state clock, not the federal one. Notice flows through California Department of Public Health (CDPH) + California Attorney General in addition to HHS/OCR federally.

Security Risk Analysis

Turn this overlay into a defensible SRA.

California's overlay layers on top of HIPAA's federal floor. The free SRA readiness check walks a small practice through discovery, threat model, controls, and gap analysis, then assembles the review-ready binder — policies, training logs, BAAs, and a breach playbook tuned to the 15-business-day clock and the California Department of Public Health (CDPH) + California Attorney General notification path.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Last reviewed May 23, 2026.

This page is a research aid for compliance teams. It does not certify compliance with any state or federal law, provide legal advice, replace counsel, or guarantee an audit outcome. State statutes are amended frequently — verify citations and links against the cited primary sources before acting. The practice remains responsible for adopting and maintaining its compliance program.