California CMIA Compliance Guide for Healthcare Practices
Complete guide to California's Confidentiality of Medical Information Act (CMIA). Covers Cal. Civ. Code §§ 56-56.37, how CMIA differs from HIPAA, private right of action, penalties, authorization requirements, and compliance steps for California healthcare practices.
What Is the California Confidentiality of Medical Information Act (CMIA)?
The Confidentiality of Medical Information Act (CMIA) is California's state-level medical privacy law, codified at Cal. Civ. Code §§ 56-56.37. Enacted in 1981 — fifteen years before HIPAA — the CMIA was one of the first comprehensive medical privacy statutes in the United States.
For healthcare practices operating in California, the CMIA creates obligations that go beyond federal HIPAA requirements. Understanding where these laws overlap and where the CMIA imposes additional burdens is essential for compliance.
Key principle: When HIPAA and the CMIA conflict, the stricter standard applies. In most areas, that is the CMIA.
Who Must Comply with the CMIA
The CMIA applies to three categories of entities:
1. Providers of Health Care (§ 56.05(m))
Any person licensed or certified under Division 2 of the Business and Professions Code, including physicians, dentists, chiropractors, psychologists, optometrists, nurses, pharmacists, physical therapists, and any clinic, hospital, or other healthcare facility.
2. Health Care Service Plans (§ 56.05(g))
Any entity licensed under the Knox-Keene Health Care Service Plan Act, including HMOs and managed care organizations operating in California.
3. Contractors (§ 56.05(d))
Any person or entity that is a business associate of a provider or health plan and receives medical information for the purpose of administering a function on behalf of that provider or plan. This is similar to HIPAA's business associate concept, but the CMIA imposes its own, independent obligations on contractors.
Telehealth and Out-of-State Providers
If you treat California patients via telehealth from another state, the CMIA applies to you. California courts have consistently held that the law follows the patient, not the provider's physical location.
CMIA vs. HIPAA: Key Differences
| Area | HIPAA | CMIA |
|---|---|---|
| Enforcement | Federal (HHS OCR) only | State AG + private lawsuits by patients |
| Damages | No private right of action | $1,000/violation statutory + actual + punitive |
| Medical information definition | PHI tied to covered entity | Broader — includes health app data, wearables |
| Authorization requirements | Standard form permitted | Stricter — specific elements required (§ 56.11) |
| Marketing | Opt-out permitted for some | Separate written authorization required (§ 56.10(d)) |
| Employer access | Limited restrictions | Employer cannot access employee medical info without authorization (§ 56.20) |
| Breach notification | 60-day window to HHS | 15 business days to California AG for 500+ records |
| Psychotherapy notes | Extra protection | Absolute prohibition on disclosure without authorization |
| Minors | Follows state law | Minors 12+ can consent to certain treatments; records protected from parents (§ 56.10(b)(8)) |
| Genetic information | GINA applies | Additional protections under § 56.182 — genetic test results cannot be disclosed to insurers |
CMIA Authorization Requirements (§ 56.11)
One of the most practically important CMIA provisions is the authorization requirement. Every authorization for the release of medical information must contain all of the following:
- Specific providers authorized to disclose the information
- Nature of the information to be disclosed (cannot be blanket)
- Name and institutional affiliation of persons receiving the information
- Purpose of the disclosure
- Expiration date or event
- Signature and date of the patient
- Statement that the patient may refuse to sign and that refusal will not affect treatment
- Statement that the patient may inspect and copy the information
Common Authorization Mistakes
California healthcare practices frequently make these errors:
- Combined consent/authorization forms — the CMIA prohibits combining consent to treatment with an authorization to disclose (unlike HIPAA, which allows some combined forms)
- Blanket authorizations — "Any and all medical records" is not specific enough under the CMIA
- Missing expiration — Every CMIA authorization must have an expiration date; open-ended authorizations are invalid
- No refusal notice — Failing to tell patients they can refuse without affecting care voids the authorization
The Private Right of Action: Why This Changes Everything
The single most significant difference between HIPAA and the CMIA is that patients can sue you directly.
How Lawsuits Work Under the CMIA
Under Cal. Civ. Code § 56.35 and § 56.36:
- Negligent disclosure: $1,000 per violation in nominal (statutory) damages, plus actual damages, plus reasonable attorney's fees and costs
- Willful or reckless disclosure: Up to $5,000 per violation, plus actual damages, plus punitive damages, plus reasonable attorney's fees and costs
- Class actions: Multiple patients can bring a class action for systematic CMIA violations
Real-World Exposure
A practice that negligently discloses the medical information of 500 patients faces:
- Statutory damages alone: $500,000 (500 × $1,000)
- With actual damages and attorneys' fees: Potentially millions
- HIPAA penalties on top: Federal fines are additive, not alternative
This dual exposure — federal HIPAA penalties plus state CMIA lawsuits — makes California the highest-risk state for healthcare privacy violations.
Breach Notification Under the CMIA
California has its own breach notification requirements that are more aggressive than HIPAA's:
Notification Timeline
- Individuals: Notification must be made "in the most expedient time possible and without unreasonable delay" (Cal. Civ. Code § 1798.82)
- California Attorney General: If 500+ California residents are affected, you must notify the AG within 15 business days (compared to HIPAA's 60-day window to HHS)
What Constitutes a Breach
The CMIA uses a broader definition of breach than HIPAA. Any unauthorized access to, or disclosure of, medical information triggers notification obligations — there is no equivalent to HIPAA's risk assessment exception that allows you to determine a breach is unlikely to cause harm.
Required Notification Content
California breach notifications must include:
- Description of the incident
- Types of information involved
- Steps taken in response
- Contact information for the reporting entity
- Contact for the California AG and FTC
- Toll-free numbers for credit reporting agencies (if financial data involved)
CMIA and Employer Medical Information (§ 56.20)
California has strict rules about employer access to employee medical information:
- Employers cannot receive employee medical information from providers without a valid CMIA authorization
- Workers' compensation claims have specific carve-outs but are still restricted
- Return-to-work forms should contain only fitness determination, not diagnosis details
- Drug test results are subject to CMIA protections
Healthcare practices that employ staff and also treat patients must maintain strict separation between HR and clinical operations.
Special Protections for Sensitive Categories
The CMIA provides heightened protections for certain types of medical information:
Substance Use Disorder (§ 56.30)
Records related to substance use treatment have additional confidentiality protections beyond both HIPAA and standard CMIA rules. These align with federal 42 CFR Part 2 but add California-specific requirements.
Mental Health Records
Psychotherapy notes have near-absolute protection under the CMIA. Disclosure without specific, separate authorization is prohibited regardless of HIPAA exceptions.
Reproductive Health (§ 56.109)
Following recent legislative amendments, the CMIA now provides enhanced protections for reproductive health information, restricting disclosure to out-of-state law enforcement in reproductive health cases.
Genetic Information (§ 56.182)
Genetic test results cannot be disclosed to employers or insurers. The CMIA goes beyond GINA (Genetic Information Nondiscrimination Act) in restricting how genetic information can be used and shared.
Minor Patients (§ 56.10(b)(8))
Minors aged 12 and older who consent to certain treatments (mental health, substance use, sexual health, reproductive health) have independent CMIA rights — their records for those treatments cannot be disclosed to parents without the minor's authorization.
CCPA, CPRA, and Healthcare Data
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), generally exempt medical information that is already protected by HIPAA or the CMIA. However, the exemption is narrow:
- Clinical data handled by a HIPAA-covered entity is exempt from CCPA/CPRA
- Non-clinical data (website analytics, marketing data, appointment booking data) collected by a healthcare practice is not exempt and must comply with CCPA/CPRA
- Health apps and wearables that collect health data but are not HIPAA-covered entities may fall under CCPA/CPRA rather than CMIA
- Consumer health data collected through patient portals for marketing purposes is subject to CCPA/CPRA
Healthcare practices must distinguish between data governed by CMIA/HIPAA and data governed by CCPA/CPRA.
CMIA Compliance Checklist for California Practices
Authorization and Consent
- Authorization forms include all 8 CMIA-required elements (§ 56.11)
- Treatment consent and disclosure authorization are on separate forms
- No blanket or open-ended authorizations in use
- Minor consent protocols in place for patients 12+
- Marketing authorizations are separate and specific (§ 56.10(d))
Policies and Procedures
- Written CMIA-specific policies (not just HIPAA policies)
- Staff trained on CMIA differences from HIPAA
- Incident response plan includes California AG notification (15 business days for 500+ records)
- Employer medical information segregated from clinical records (§ 56.20)
Technical Safeguards
- Access controls prevent unauthorized disclosure
- Audit logs track all access to medical information
- Encryption implemented for medical information in transit and at rest
- Business associate/contractor agreements include CMIA obligations
Breach Response
- California-specific breach notification templates prepared
- AG notification process documented and tested
- Individual notification process meets "most expedient time possible" standard
- Legal counsel identified for CMIA litigation response
Penalties and Enforcement
State Attorney General
The California AG can bring enforcement actions for CMIA violations, seeking:
- Injunctive relief
- Civil penalties
- Restitution to affected individuals
Private Lawsuits
As detailed above, individuals can sue for $1,000-$5,000 per violation plus actual and punitive damages.
Federal Penalties (Additive)
HIPAA penalties are imposed separately by HHS OCR:
- Tier 1 (no knowledge): $141-$71,162 per violation
- Tier 2 (reasonable cause): $1,424-$71,162 per violation
- Tier 3 (willful neglect, corrected): $14,232-$71,162 per violation
- Tier 4 (willful neglect, not corrected): $71,162-$2,134,831 per violation
A single incident can result in both CMIA litigation damages and HIPAA federal penalties.
Getting Started with CMIA Compliance
For California healthcare practices, CMIA compliance starts with understanding your current gaps:
- Audit your authorization forms — Most practices use HIPAA-only forms that don't meet CMIA's stricter requirements
- Review your breach response plan — Ensure it includes the 15-business-day AG notification requirement
- Train staff on the differences — Staff trained only on HIPAA will miss CMIA-specific obligations
- Get your HIPAA Agent Compliance Score™ — Our scan evaluates your practice against both federal HIPAA and California-specific requirements
Start your free compliance check at hipaaagent.ai/check — see where your practice stands on both HIPAA and California CMIA requirements.
This guide covers the California Confidentiality of Medical Information Act as codified at Cal. Civ. Code §§ 56-56.37, including amendments through 2026. For legal advice specific to your practice, consult a California healthcare attorney.
Regulatory references: Cal. Civ. Code §§ 56-56.37, Cal. Civ. Code § 1798.82 (breach notification), CCPA (Cal. Civ. Code § 1798.100 et seq.), CPRA amendments.
Frequently Asked Questions
What is the CMIA and how does it differ from HIPAA?
The California Confidentiality of Medical Information Act (CMIA), codified at Cal. Civ. Code §§ 56-56.37, is a state law that protects medical information held by healthcare providers, health plans, and contractors in California. Unlike HIPAA, which is enforced exclusively by the federal government, the CMIA gives patients a private right of action — meaning individuals can sue providers directly for violations. CMIA also has a broader definition of medical information and stricter authorization requirements than HIPAA.
Can patients sue my practice directly under the CMIA?
Yes. This is one of the most significant differences from HIPAA. Under Cal. Civ. Code § 56.35, patients can bring a civil lawsuit against any provider, health plan, or contractor who negligently discloses their medical information. Statutory damages are $1,000 per violation, plus actual damages, attorneys' fees, and costs. For willful violations, courts may award up to $5,000 per violation plus punitive damages. HIPAA has no equivalent private right of action.
Does the CMIA apply to telehealth visits with California patients?
Yes. If you provide telehealth services to patients located in California, the CMIA applies regardless of where your practice is physically located. The CMIA covers any provider who maintains medical information about California residents. This means out-of-state telehealth providers serving California patients must comply with both HIPAA and the CMIA.
What counts as medical information under the CMIA?
The CMIA defines medical information more broadly than HIPAA's Protected Health Information (PHI). Under Cal. Civ. Code § 56.05(j), medical information means any individually identifiable information in electronic or physical form regarding a patient's medical history, mental or physical condition, or treatment. This includes information from health apps and wearables that may not qualify as PHI under HIPAA, making the CMIA's scope wider in practice.
How do CMIA authorization requirements differ from HIPAA consent?
CMIA authorizations are stricter than HIPAA in several ways. Under Cal. Civ. Code § 56.11, a valid CMIA authorization must include specific elements: the types of providers authorized to disclose, the nature of the information, the names of the recipients, the purpose, an expiration date, and notification that the patient may refuse to sign. Unlike HIPAA, CMIA authorizations cannot be combined with consent for treatment, and marketing uses require separate, specific authorization under § 56.10(d).
Ready to Automate Your Compliance?
HIPAA Agent handles all of this for you automatically.
Book a Free Consultation