California Healthcare Compliance.
California is the most demanding state for healthcare data. The CMIA imposes its own statutory damages even where HIPAA would not. Health & Safety Code § 1280.15 imposes a 15-business-day breach reporting clock on licensed facilities — the shortest in the United States — and requires direct notice to the California Department of Public Health. Layered on top is the CCPA/CPRA for consumer-health data that falls outside HIPAA's PHI scope. A California practice's compliance program needs CMIA-specific BAAs, a 15-business-day breach playbook, and CCPA mapping for any non-PHI data flows.
At a glance
15business days
California is the strictest in the country for healthcare. Licensed clinics, health facilities, home-health agencies, and hospices must report unauthorized access, use, or disclosure of patient medical information to the California Department of Public Health and to affected patients within 15 business days of detection under Health & Safety Code § 1280.15. CMIA (Civil Code § 56) imposes separate damages exposure. CCPA/CPRA layer on top for any consumer-health data not covered by HIPAA.
California Department of Public Health (CDPH) + California Attorney General
- Confidentiality of Medical Information Act (CMIA)Cal. Civ. Code §§ 56 – 56.37
Restricts use and disclosure of patient medical information by providers, contractors, and corporations. Provides a private right of action with statutory damages up to $1,000 per violation plus actual damages, attorneys' fees, and punitives.
- Patient Medical Information Breach Notice (Health Facilities)Cal. Health & Safety Code § 1280.15
Licensed clinics, health facilities, home-health agencies, and hospices must notify CDPH and affected patients of any unlawful or unauthorized access, use, or disclosure of patient medical information within 15 business days of detection.
- California Data Breach Notification StatuteCal. Civ. Code § 1798.82
General breach-notification duty for personal information of California residents.
- California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA)Cal. Civ. Code §§ 1798.100 – 1798.199.100
Consumer privacy regime. PHI subject to HIPAA is generally exempt, but consumer-facing health data outside HIPAA's scope (some app data, wellness data, employee health data) is in scope.
- HIPAA Privacy, Security, and Breach Notification Rules45 CFR Parts 160 & 164
The federal baseline that all U.S. covered entities and business associates meet. HHS Office for Civil Rights (OCR) enforces.
How California goes further than HIPAA.
The breach window in California is 15 business days — shorter than HIPAA’s federal 60-day individual-notice deadline. Practices serving California residents need a breach playbook tuned to the state clock, not the federal one. Notice flows through California Department of Public Health (CDPH) + California Attorney General in addition to HHS/OCR federally.
Related compliance guides
Turn this overlay into a defensible SRA.
California's overlay layers on top of HIPAA's federal floor. The free SRA readiness check walks a small practice through discovery, threat model, controls, and gap analysis, then assembles the review-ready binder — policies, training logs, BAAs, and a breach playbook tuned to the 15-business-day clock and the California Department of Public Health (CDPH) + California Attorney General notification path.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
- RegulationCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
- RegulationColorado Privacy Act (CPA, C.R.S. § 6-1-1301 et seq.)Colorado comprehensive consumer privacy law with consumer rights, controller/processor obligations, universal opt-out mechanism requirement, and an AG enforcement framework with HIPAA carve-outs.
- RegulationConnecticut Data Privacy Act (CTDPA, Public Act 22-15)Connecticut comprehensive consumer data privacy law with consumer rights, controller/processor obligations, and an AG enforcement framework — with substantial healthcare carve-outs.
- RegulationFlorida Information Protection Act (FIPA, Fla. Stat. § 501.171)Florida data breach notification and information security law requiring covered entities to maintain reasonable security and to notify affected individuals and the AG of breaches within 30 days.
- RegulationIllinois Biometric Information Privacy Act (BIPA, 740 ILCS 14)Illinois state law regulating the collection, retention, use, and destruction of biometric identifiers, with a private right of action and statutory damages per violation.
Last reviewed May 23, 2026.
This page is a research aid for compliance teams. It does not certify compliance with any state or federal law, provide legal advice, replace counsel, or guarantee an audit outcome. State statutes are amended frequently — verify citations and links against the cited primary sources before acting. The practice remains responsible for adopting and maintaining its compliance program.