HIPAA Compliance in California: Federal Law + CMIA

California healthcare providers must satisfy both the federal HIPAA rules and the California Confidentiality of Medical Information Act (CMIA, Civil Code §56 et seq.), one of the strongest medical privacy laws in the country. The CMIA reaches entities HIPAA does not, including employers that receive employee medical information and businesses organized to maintain medical information. Enforcement is split: the HHS Office for Civil Rights (OCR) enforces HIPAA, while California enforces its own statutes through the Attorney General, district attorneys, licensing boards and private lawsuits, and the California Department of Public Health (CDPH) separately penalizes licensed facilities for unauthorized access and late breach reporting under Health and Safety Code §1280.15. A single breach can therefore trigger parallel federal and state investigations.

State Enforcement Agencies: California Department of Public Health (CDPH), Licensing and Certification; California Attorney General; California Office of Health Information Integrity (CalOHII)
CDPH investigates breach reports from licensed clinics, hospitals, home health agencies and hospices and issues administrative penalties under Health and Safety Code §1280.15; the Attorney General, district attorneys and licensing boards bring CMIA enforcement actions; CalOHII, housed within the California Health and Human Services Agency rather than CDPH, coordinates HIPAA policy across state departments and does not itself fine private providers

State Penalties: CMIA civil penalties (Civil Code §56.36): up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation, and up to $250,000 per knowing and willful violation committed for financial gain. Patients also have a private right of action for nominal damages of $1,000 plus actual damages, and need not prove harm to recover the nominal award. Separately, CDPH may assess licensed facilities up to $25,000 per patient whose information was unlawfully accessed, used or disclosed, plus up to $17,500 per subsequent occurrence, under Health and Safety Code §1280.15.
Federal Penalties: $145 to $2,190,294 under HIPAA (2026 inflation-adjusted figures), where the lower figure is the minimum per violation and the upper figure is the annual cap for identical violations of the same provision

How Federal + California Law Overlap

HIPAA sets the federal floor; its preemption rule (45 CFR §160.203) lets a state law stand wherever it is more protective of patients. California's CMIA and related statutes raise that floor with broader entity coverage, a 15-business-day breach reporting deadline for licensed facilities, a private right of action, and state penalties that stack on top of federal ones. Covered entities operating in California must satisfy both sets of rules at once, which in practice means building to the stricter of the two for each requirement.


Recent HIPAA Enforcement in California

2011 — UCLA Health System
Employees repeatedly viewed celebrity patients' records without a treatment reason between 2005 and 2008; OCR found failures in access controls, workforce sanctions and review of access logs. (UCLA Health's separate 2015 cyberattack exposed data on about 4.5 million patients and was handled in later proceedings.)
Penalty: $865,500 OCR settlement with a three-year corrective action plan; CDPH separately assessed administrative penalties against the health system, not against individual employees, for the unauthorized access
Source: OCR / CDPH
2018 — Anthem Blue Cross (California)
2015 breach of 78.8 million records including California residents; inadequate risk analysis and access controls
Penalty: $16,000,000 OCR settlement; California AG separately investigated
Source: OCR
2019 — Cottage Health (Santa Barbara, CA)
Misconfigured servers exposed patient records on the internet twice (2013 and 2015); OCR found the system had not performed an accurate risk analysis or implemented adequate security measures
Penalty: $3,000,000 OCR settlement with corrective action plan; the California Attorney General had separately settled with Cottage Health for $2,000,000 in 2017 over the same exposures
Source: OCR

Check Your HIPAA Readiness in California

Take our free compliance quiz to see how your organization stacks up against HIPAA requirements in California.


Frequently Asked Questions

Does HIPAA or CMIA apply to my California healthcare practice?

Both apply. HIPAA applies if you are a covered entity (healthcare provider that transmits health information electronically, health plan, or clearinghouse) or a business associate of one. CMIA applies to providers of health care, health plans and their contractors regardless of how they transmit data, and also to employers that receive employee medical information and to businesses organized to maintain medical information, such as many health apps (Civil Code §56.06). Where the two differ, follow the stricter rule. Consult healthcare counsel to map both frameworks to your operations.

What are HIPAA fines in California?

Federal HIPAA fines range from $145 per violation to an annual cap of $2,190,294 for identical violations of the same provision (2026 inflation-adjusted figures). Under CMIA, California adds civil penalties of up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation, and up to $250,000 when the violation was committed for financial gain; patients can also sue directly for nominal damages of $1,000 plus actual damages. Licensed facilities additionally face CDPH administrative penalties of up to $25,000 per affected patient under Health and Safety Code §1280.15.

How quickly must I report a data breach in California?

Under HIPAA, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more individuals must also be reported to OCR (and to prominent media outlets) within that 60-day window, while smaller breaches are logged and reported to OCR annually. California is stricter for licensed facilities: Health and Safety Code §1280.15 requires clinics, hospitals, home health agencies and hospices to report any unlawful or unauthorized access, use or disclosure to CDPH and to the affected patients within 15 business days of detection, with no minimum patient count. California's general breach statute (Civil Code §1798.82) separately requires notice to affected residents in the most expedient time possible and a copy of the notice to the Attorney General when more than 500 California residents are notified.

What is CalOHII and what does it do?

CalOHII is the California Office of Health Information Integrity, part of the California Health and Human Services Agency (not CDPH). Its role is statewide HIPAA coordination: it sets privacy and security policy for state departments that handle health information, reviews their compliance, and serves as California's point of contact with OCR on federal HIPAA matters. It does not field patient complaints against private providers; those go to OCR for HIPAA violations, to CDPH Licensing and Certification for licensed facilities, or to the Attorney General and the courts under CMIA, and each of those routes is an independent investigation separate from any OCR action.

Does California have stricter HIPAA requirements than other states?

Yes. California's CMIA is one of the strongest state medical privacy laws in the US. It covers more entities than HIPAA, gives patients a private right of action with nominal damages, and its companion statute for licensed facilities imposes a 15-business-day breach reporting deadline, far shorter than HIPAA's 60 days, with per-patient penalties on top of federal ones. California healthcare organizations effectively operate under dual compliance obligations and must meet the stricter of the two requirements wherever they differ.
