California healthcare providers have to follow federal HIPAA and several state privacy laws at the same time. HIPAA sets the federal floor. California adds stricter rules through the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and state breach notice rules.
The simple rule is this: follow the stricter law. If HIPAA gives you 30 calendar days and California gives you 15 business days, use the shorter California deadline. If HIPAA allows a use of PHI but California asks for written consent, get the consent.
Plain-English Summary
California adds real work on top of HIPAA. Patients can get records faster. Some disclosures need written consent. Some breaches must be reported in 5 business days. Health apps may be covered even when HIPAA does not apply. Website tracking tools can create privacy risk. A California HIPAA plan should cover both federal and state rules from the start.
For most California providers, the core work is clear. Run a risk assessment. Keep current BAAs. Train staff. Update policies. Track patient record requests. Review consent forms. Audit website scripts. Build a breach plan that uses the shorter California clock.
Simple Playbook for California Providers
Use this page as a plain work plan. Start with the basics. Do not wait for a breach, audit, or patient complaint. Set up the work now. Keep proof as you go.
Step 1: Know What Data You Have
List where health data lives. Include your EHR, billing tools, phones, email, paper files, websites, forms, and apps. Add each vendor that can see or store that data. Keep the list short and clear. Update it when tools change.
This list helps you see what law may apply. Some data is HIPAA PHI. Some data may be state medical information. Some data may be marketing or website data. Each type can have a different rule.
Step 2: Check Your Vendors
Make sure each PHI vendor has a signed BAA. Do this before the vendor gets access. Store the signed copy. Review the list each year. Remove vendors that no longer need access.
For apps and website tools, ask a second question. Does the vendor get health data, form data, page visit data, or chat data from California users? If yes, review the tool before it goes live.
Step 3: Make Patient Records Easy to Track
Use a simple request log. Record the date the written request came in. Record the name of the patient. Record who owns the response. Record the due date, counted in business days from the date received. Record the date you sent the records.
The goal is not just speed. The goal is proof. If a patient says the office was late, your log should show what happened.
Step 4: Review Consent Forms
Do not assume a generic HIPAA form is enough. California can ask for more. Review forms used for records release, care coordination, marketing, special data, and third-party sharing.
Use plain words in forms when you can. Staff should know when a form is needed. Patients should know what they are signing.
Step 5: Build a Fast Breach Plan
A slow plan will fail in California. Some reports may be due in 5 business days. Your team should know who makes the call, who contacts counsel, who drafts notices, and who sends reports.
Run a short drill. Pick a sample event. Ask what the team would do on day one, day two, and day three. Fix gaps before a real event.
Step 6: Keep Website Tools Under Control
Make a list of scripts on your site. Include analytics, ads, chat, forms, schedulers, and tracking pixels. Know what each tool collects. Know where the data goes.
Before adding a new tool, ask whether it can collect health-related page data. If it can, pause and review it. A small script can create a large privacy issue.
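The script list in Step 6 is easier to keep if a tool builds it for you. The following is an added example, not code from the original page or from One Guy Consulting: it parses a saved HTML page and lists every external script, image pixel, and iframe, flags the ones that load from a host you do not own, and marks hosts from a small tracker list. The first-party domain `clinic.example`, the tracker host list, and the sample page are all constructed assumptions; replace them with your own domains, your own watch list, and a saved copy of each page on your site.

```python
"""Inventory third-party scripts, pixels, and iframes in an HTML page.

Added example for Step 6. Runs offline on an embedded sample page
(constructed, not a real site). The tracker host list is illustrative
only and is not an authoritative catalogue.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains you own. Anything else counts as third party.
FIRST_PARTY = {"clinic.example", "www.clinic.example"}

# Assumed, illustrative hosts used by common analytics and ad tools.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
    "www.facebook.com",
}


class ScriptInventory(HTMLParser):
    """Collect every external script, pixel-like image, and iframe."""

    def __init__(self):
        super().__init__()
        self.items = []          # one dict per external resource
        self.inline_scripts = 0  # inline <script> blocks need manual review

    @staticmethod
    def _host(url):
        return urlparse(url).netloc.lower()

    def _record(self, tag, src):
        host = self._host(src)
        third = host != "" and host not in FIRST_PARTY
        self.items.append({
            "tag": tag,
            "src": src,
            "host": host,
            "third_party": third,
            "known_tracker": host in KNOWN_TRACKER_HOSTS,
        })

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "script":
            if "src" not in a:
                self.inline_scripts += 1
            else:
                self._record("script", a["src"])
        elif tag == "img" and "src" in a:
            # A 1x1 image, or any image served from a foreign host, is a
            # pixel candidate. Relative URLs (empty host) are first party.
            is_1x1 = a.get("width") == "1" and a.get("height") == "1"
            foreign = self._host(a["src"]) not in FIRST_PARTY | {""}
            if is_1x1 or foreign:
                self._record("img", a["src"])
        elif tag == "iframe" and "src" in a:
            self._record("iframe", a["src"])


def audit_html(html):
    """Parse one page and return the filled-in inventory."""
    p = ScriptInventory()
    p.feed(html)
    return p


def third_party_hosts(html):
    """Set of foreign hosts that receive a request when the page loads."""
    return {i["host"] for i in audit_html(html).items if i["third_party"]}


# Constructed sample page: one first-party script, one inline script,
# a tag manager, a logo, a 1x1 pixel, and a vendor scheduler iframe.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
</head><body>
<img src="/img/logo.png" width="200" height="60">
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<iframe src="https://scheduler.vendor.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    inv = audit_html(SAMPLE_PAGE)
    for item in inv.items:
        flag = "TRACKER" if item["known_tracker"] else ("3rd" if item["third_party"] else "1st")
        print(f"{flag:7} {item['tag']:6} {item['host'] or '(relative)':30} {item['src']}")
    print(f"inline scripts to review by hand: {inv.inline_scripts}")
```

Run it against a saved copy of each public page, including the scheduler and contact pages, and keep the output with the review notes. The scheduler iframe in the sample is not on the tracker list, which is the point: a vendor that is not an ad network can still receive page and form data, so every foreign host on the list needs an owner and a reason.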
Step 7: Train Staff on the California Layer
HIPAA training is not enough by itself. Staff also need simple state rules. Teach the 15-business-day records rule. Teach when written consent may be needed. Teach who handles law enforcement requests. Teach staff to report a suspected breach right away.
Training does not need to be long. It does need to be clear. Keep sign-in sheets, quiz results, or course records as proof.
Step 8: Review the Program Each Year
Set a yearly review date. Check the risk assessment. Check BAAs. Check training. Check forms. Check website tools. Check the breach plan. Check the record request log.
Small updates are easier than a full rebuild. A yearly review helps keep the program current and easier to defend.
Staff Cheat Sheet
Use this short list in staff training. It is not a full policy. It is a quick guide for day-to-day work.
If a patient asks for records: write down the request date. Send it to the right owner the same day. Track the due date. Do not let the request sit in email.
If a vendor asks for data: check for a signed BAA first. If there is no BAA, pause. Ask the privacy lead before sharing PHI.
If a staff member sees a privacy mistake: report it right away. Do not wait to see if it gets worse. A fast report gives the team more time to respond.
If law enforcement asks for data: do not send records on the spot. Send the request to the privacy lead or legal contact. Log the request and the response.
If a patient asks what was shared: do not guess. Check the chart, release log, portal log, or vendor record. Give a clear answer based on proof.
If a new website tool is proposed: ask what it collects. Ask where the data goes. Ask whether it can see health-related page visits. Review it before launch.
If a form looks old: flag it. Old forms can miss California rules. The privacy lead should review release forms, consent forms, and marketing forms on a set schedule.
If staff are not sure: stop and ask. A short delay is better than an improper disclosure. Clear questions help prevent bigger problems later.
What to Fix First
If the work feels large, start with five items. First, finish the risk assessment. Second, update the vendor BAA list. Third, set up the 15-business-day records log. Fourth, review website scripts. Fifth, test the breach plan.
These five items reduce the most common gaps. They also create proof. Proof matters because regulators and patients do not just ask what your policy says. They ask what you did.
How HIPAA and California Rules Interact
HIPAA protects health information at the federal level. California does not replace HIPAA. It adds more rules.
For example, HIPAA gives many providers up to 30 days to answer a patient records request. California CMIA generally requires access within 15 business days. A provider that only follows the HIPAA timeline can still miss the California rule.
California also reaches some digital health companies that may fall outside HIPAA. A wellness app, telehealth startup, or consumer health platform may not be a HIPAA covered entity. But it can still have duties under CMIA if it handles medical information for California users.
Who Qualifies as a Covered Entity in California
The federal HIPAA definition still applies. A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that sends health information electronically for a HIPAA-covered transaction.
In California, this includes large systems, hospitals, physician groups, dental offices, outpatient clinics, and many specialty practices. Examples include large health systems and academic medical centers, as well as small practices.
Who Qualifies as a Business Associate in California
A vendor is a business associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity. Under HIPAA, that vendor needs a signed Business Associate Agreement (BAA) before it gets access.
California does not create a separate HIPAA business associate category. But CMIA and CCPA/CPRA can still affect vendors that hold California health data. Do not assume a vendor is clear just because one federal definition does not apply.
California State Health Privacy Laws That Add to HIPAA
California has several state laws that matter for healthcare privacy. Each one affects a different part of the compliance program.
California Confidentiality of Medical Information Act (CMIA)
CMIA is California's main health privacy law. It is stricter than HIPAA in several areas.
- Written consent: CMIA often requires written authorization for disclosures that HIPAA may allow.
- Faster records access: Patients generally must receive records within 15 business days.
- Private lawsuits: Patients can sue under CMIA for certain improper disclosures.
- Health app coverage: CMIA can cover apps and platforms that handle medical information for California users.
- Employer limits: Employers face limits on use and disclosure of medical information from workers or job applicants.
CMIA matters because it creates state risk in addition to federal HIPAA risk. A practice may pass a federal HIPAA review and still have a California problem.
CCPA / CPRA Health Data Rules
CCPA and CPRA create a broader privacy framework in California. HIPAA-covered PHI is often exempt, but the exemption is narrow. It does not cover every piece of data a healthcare organization holds.
California healthcare teams should review these data types:
- Employee and HR data
- Website analytics data
- Marketing data
- Business contact data
- Health app data that is not HIPAA PHI
- De-identified or aggregate data that falls outside HIPAA
Website tracking is a key risk. Tools like ad pixels and analytics tags can send health-related browsing data to third parties. California providers should keep a list of website scripts and review them before use.
SB 81 (2025): California also limits certain disclosures to immigration enforcement agencies unless there is a court order. Providers should log law enforcement requests and get legal review before responding.
California HIV/AIDS Confidentiality Rules
California gives extra protection to HIV/AIDS-related health information. HIV test results and AIDS diagnoses often need specific written consent before disclosure. Providers should not rely on a general medical consent form for this type of information without review.
California Department of Public Health Breach Reports
Licensed healthcare facilities may need to report certain breaches to the California Department of Public Health (CDPH). This is separate from federal HIPAA breach reporting to HHS OCR.
A breach can therefore create two tracks: one federal and one state. The response plan should name both.
CMIA vs. HIPAA: Where California Is Stricter
| Requirement | Federal HIPAA | California CMIA |
|---|---|---|
| Patient records access | 30 calendar days, with possible extension | 15 business days |
| Treatment disclosures | Often allowed for treatment, payment, and operations | Written authorization may be required |
| Private lawsuits | No private right of action | Patients may sue under CMIA |
| Health app coverage | Covered entities and BAs only | Can reach entities handling California medical information |
| Breach notice | Up to 60 days for individuals | Can be 5 business days for certain large electronic breaches |
| Employer medical data | Not the main HIPAA focus | Limits use without specific written authorization |
California Breach Notification Requirements
California has strict breach notice rules. Providers must track the HIPAA clock and the California clock. Use the deadline that comes first.
California CMIA 5-Business-Day Rule
For some electronic breaches involving 500 or more patients, CMIA requires notice to affected patients within 5 business days of discovery. This is much faster than HIPAA's 60-day outer limit. Confirm the exact clock against the current text of the statutes listed under Sources before you build the plan around it, and keep the number as a setting in the plan rather than a fact written into every form.
For smaller breaches, California still expects notice without unreasonable delay. In practice, this often means faster than a standard HIPAA-only timeline.
Licensed Facility Breaches
Licensed healthcare facilities may need to report unauthorized access to patient medical information to CDPH within 5 business days. The clock is set in Health & Safety Code §1280.15, so check the current text before relying on a specific number. CDPH can investigate and impose penalties separate from HHS OCR.
How to Coordinate Timelines
Use the shorter California deadline as the default. A 5-business-day clock leaves little room for slow review. Legal counsel, notification vendors, and leaders should know their roles before an incident happens.
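The "use the clock that comes first" rule is easy to state and easy to get wrong, because HIPAA windows are counted in calendar days and the California windows on this page are counted in business days. The following is an added example, not code from the original page or from One Guy Consulting; it serves both the records request log in Step 3 and the breach timeline coordination here. It computes each deadline from the date received, skipping weekends and an assumed holiday set, and returns whichever expires first. The holiday set, the clinic's start date, and the labels are constructed assumptions; the day counts are the ones this page states and should be updated if the statutes change. The code does not decide which law applies to a given event; that call stays with the privacy lead and counsel.

```python
"""Pick the earliest applicable deadline when HIPAA and California clocks differ.

Added example for the records log (Step 3) and breach timeline
coordination. Calendar-day clocks follow HIPAA; business-day clocks
follow the California numbers stated on this page. The holiday set is
an assumption; maintain your own observed-holiday calendar.
"""
from datetime import date, timedelta

# Assumed holiday calendar (example entry: Thanksgiving 2025).
HOLIDAYS = {date(2025, 11, 27)}


def add_business_days(start, n, holidays=HOLIDAYS):
    """Return the date n business days after start.

    The start day itself is day zero. Saturdays, Sundays, and dates in
    the holiday set do not count toward n.
    """
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def add_calendar_days(start, n):
    """Return the date n calendar days after start (HIPAA counting)."""
    return start + timedelta(days=n)


def earliest_deadline(start, clocks, holidays=HOLIDAYS):
    """Evaluate every clock from the same start date and return the
    (label, due_date) pair that expires first.

    clocks: list of (label, count, "business" | "calendar").
    """
    due = []
    for label, n, kind in clocks:
        if kind == "business":
            due.append((add_business_days(start, n, holidays), label))
        elif kind == "calendar":
            due.append((add_calendar_days(start, n), label))
        else:
            raise ValueError(f"unknown clock kind: {kind!r}")
    due_date, label = min(due)
    return label, due_date


# Day counts as stated on this page. Update here if a statute changes.
RECORDS_CLOCKS = [
    ("HIPAA access (45 CFR 164.524)", 30, "calendar"),
    ("California records access", 15, "business"),
]
BREACH_CLOCKS = [
    ("HIPAA individual notice outer limit", 60, "calendar"),
    ("California 5-business-day notice", 5, "business"),
]

if __name__ == "__main__":
    received = date(2025, 11, 21)  # constructed: a Friday before Thanksgiving
    for name, clocks in (("records request", RECORDS_CLOCKS), ("breach", BREACH_CLOCKS)):
        label, due = earliest_deadline(received, clocks)
        print(f"{name}: received {received}, first deadline {due} ({label})")
```

Two things the example makes visible that the prose does not. First, a request that arrives on a Friday before a holiday loses several calendar days before the business-day count even starts, so a log that stores only "15 days from receipt" will show the wrong due date. Second, the breach clock in the sample lands on the same day as the records clock's fifth business day, which is why the plan has to be rehearsed on a three-day horizon rather than a thirty-day one.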
HIPAA Penalties in California
California providers can face federal HIPAA penalties, state enforcement, and private lawsuits. The risk is higher because more than one law may apply.
Federal OCR Enforcement
Federal HIPAA penalties depend on the facts, the level of fault, and whether the issue was fixed. OCR has used enforcement actions for missing risk assessments, encryption failures, weak access controls, and late breach notices.
California AG and CPPA Enforcement
The California Attorney General can enforce CCPA. The California Privacy Protection Agency (CPPA) also has authority under CPRA. For CMIA, individual patients may bring private claims. This mix makes California one of the most active states for privacy risk.
HIPAA Compliance for California Healthcare Providers
California Hospitals and Health Systems
Large health systems must manage HIPAA, CMIA, CCPA/CPRA, and CDPH rules. Research teams should review consent language. Marketing teams should audit tracking pixels, CRM tools, and email platforms.
California Dental Practices
Dental practices are HIPAA covered entities. They also need to follow CMIA. Watch the 15-business-day records rule. X-rays and treatment records should be tracked through a request log.
Dental offices should also review patient authorization forms. A standard HIPAA form may not be enough for all California disclosures.
California Behavioral Health Providers
Mental health and substance use providers face layered rules. These may include HIPAA, CMIA, and 42 CFR Part 2. CMIA can limit some sharing that HIPAA might otherwise allow. Behavioral health providers should review daily disclosure scenarios with California counsel.
California Digital Health and Consumer Health Apps
California has many health apps, wellness platforms, telehealth startups, and digital health companies. Some do not bill insurance and may not be HIPAA covered entities. Still, CMIA may apply if they handle medical information for California users.
Digital health companies should run a CMIA coverage review as a baseline step. Do this separately from any HIPAA review.
California HIPAA Compliance Checklist
| Requirement | Federal or State | Deadline / Frequency | Proof to Keep |
|---|---|---|---|
| Security risk assessment | Federal HIPAA | At least yearly | Signed risk report |
| HIPAA staff training | Federal HIPAA | At hire, after major changes, and yearly | Training records |
| BAAs with PHI vendors | Federal HIPAA | Before vendor access | Signed BAA per vendor |
| Patient records access | California CMIA | Within 15 business days | Request log and response date |
| Written authorization | California CMIA | Before covered disclosures | Signed form |
| Large electronic breach notice | HIPAA + CMIA | Use the shorter deadline | Notice records |
| CDPH breach report | California state rule | Within 5 business days when required | Submission proof |
| Website script audit | CCPA/CPRA | Before adding scripts and at least yearly | Script list and review notes |
| HIV/AIDS consent | California state rule | Before testing or disclosure when required | Written consent |
| Notice of Privacy Practices | Federal HIPAA | At first service and posted publicly | Acknowledgment or delivery attempt |
| Law enforcement request log | California SB 81 | When a request arrives | Request, response, and legal review notes |
| CCPA rights process | CCPA/CPRA | Within required response windows | Request and response records |
Practical Steps for California Providers
Start with a clear inventory. List where PHI and California medical information live. Include EHRs, billing tools, phones, websites, email systems, apps, vendors, and paper files.
Next, check the key forms and logs. Make sure record requests can be answered in 15 business days. Make sure disclosure forms meet California needs. Make sure each PHI vendor has a signed BAA.
Then test breach readiness. Your team should know who decides whether CDPH, OCR, patients, or other parties must be notified. The plan should work under a 5-business-day clock.
Finally, review websites and marketing tools. Tracking pixels, chat tools, forms, and analytics scripts can create data sharing risk. Keep a list of scripts and review it before adding new tools.
Quick Terms in Plain English
PHI means protected health information. It is individually identifiable health information that a HIPAA covered entity or business associate holds or sends, in any form.
CMIA is the main California health privacy law. It can be stricter than HIPAA.
CCPA/CPRA are California privacy laws. They may apply to data that is not HIPAA PHI.
BAA means Business Associate Agreement. It is the contract you need with vendors that handle PHI.
CDPH means California Department of Public Health. Some licensed facilities must report certain breaches to CDPH.
OCR means the HHS Office for Civil Rights. OCR enforces the HIPAA rules at the federal level.
Disclosure means sharing data with another person, vendor, agency, or company.
Authorization means written permission. California may require it in more cases than HIPAA.
Fast Self-Check
Ask these questions each quarter. Can we find every signed BAA? Can we answer a records request in 15 business days? Do staff know who handles consent forms? Do staff know how to report a suspected breach? Do we know every tracking script on the website? Do we know who reviews law enforcement requests?
If the answer is no, fix that item first. You do not need a huge project to start. Pick one gap. Assign one owner. Set one due date. Save proof when the work is done. Then move to the next gap.
Frequently Asked Questions
What is the CMIA and how does it differ from HIPAA?
CMIA is California's health privacy law. It is broader than HIPAA in some areas. It can cover health apps, require written authorization for more disclosures, allow patient lawsuits, and require records access within 15 business days. California providers must follow both HIPAA and CMIA. When the rules differ, use the more protective rule.
Does the CCPA apply to California healthcare providers?
Sometimes. PHI covered by HIPAA is often exempt from CCPA/CPRA. But the exemption is narrow. Employee data, website analytics, marketing data, and some app data may still be covered. Map your data so you know what is HIPAA PHI and what is not.
What are California's breach notification requirements for healthcare providers?
California providers must follow HIPAA and California breach rules. Some large electronic breaches require notice within 5 business days. Licensed facilities may also need to notify CDPH within 5 business days. Use the shorter deadline as your planning rule.
Can California patients sue their healthcare provider for HIPAA violations?
Patients cannot sue directly under federal HIPAA. But California CMIA does allow some private lawsuits for improper disclosure of medical information. This creates extra legal risk for California providers.
Do California health privacy laws cover consumer health apps?
Yes. CMIA can cover mobile health apps, wellness platforms, and digital health companies that handle medical information for California users. This can apply even when the company is not a HIPAA covered entity.
How quickly must California healthcare providers respond to patient records requests?
California CMIA generally requires medical records within 15 business days of a written request. HIPAA's federal window is longer. Keep a request log so you can prove the date received and the date fulfilled.
Conclusion
California is one of the toughest states for healthcare privacy compliance. CMIA, CCPA/CPRA, CDPH reporting, HIV/AIDS confidentiality rules, and SB 81 all add duties on top of HIPAA.
The best approach is practical. Build the federal HIPAA base first: risk assessment, BAAs, training, policies, and breach response. Then add the California layer: CMIA consent forms, a 15-business-day records process, CDPH breach reporting, website script review, and a law enforcement request log.
One Guy Consulting helps California healthcare providers build audit-ready HIPAA programs that also account for California state rules. Book a consultation to review your current posture or get California-specific help with CMIA forms, breach response planning, or BAA audits.
Sources
- HHS: HIPAA for Professionals
- California CMIA - Health & Safety Code §56
- California H&S Code §1280.15 - Licensed Facility Breach Reporting
- California HIV/AIDS Confidentiality Act - H&S Code §120975
- California AG: CCPA Overview
- California Privacy Protection Agency (CPPA)
- HHS: HIPAA Breach Notification Rule
- CDPH: Medical Information Breach Reporting
Related Reading:
How state privacy laws interact with federal HIPAA requirements ·
HIPAA Breach Notification Rule: complete compliance guide ·
HIPAA compliance requirements in Illinois
About the Author
Chuck Weiselberg is a C.H.P. (Certified HIPAA Professional) and Founder of One Guy Consulting. He has 20+ years of customer support experience, including 10 years in HIPAA compliance.
He helps healthcare teams use practical policies, clear work flows, and compliance software that does not require deep technical skill.