A $4,350 Fine Per Patient Record — And That's Just the State Penalty
A few years ago, I worked with a behavioral health clinic in Southern California that had suffered a relatively small breach — around 1,200 patient records. They assumed their HIPAA compliance program would shield them from any serious fallout. What they didn't realize was that the California Confidentiality of Medical Information Act (CMIA) carries its own enforcement teeth, entirely separate from federal HIPAA penalties.
The clinic faced investigations on two fronts: the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) on the federal side, and the California Attorney General's office on the state side. That's the reality for any organization handling protected health information in California. You don't just answer to one regulator. You answer to two.
If your organization operates in California — or treats a single California resident — you need to understand the CMIA inside and out. It's stricter than HIPAA in several critical areas, and ignorance of its requirements has cost providers millions.
What Is the California Confidentiality of Medical Information Act?
The California Confidentiality of Medical Information Act, codified under California Civil Code Section 56, governs how healthcare providers, health plans, and their contractors handle medical information. It was originally enacted in 1981 — more than a decade before HIPAA even existed.
The CMIA applies to any "provider of health care," health plan, pharmaceutical company, or contractor that maintains medical information. Notice the language: it says "medical information," not "protected health information." That distinction matters. The CMIA's definition is broader in some respects than HIPAA's definition of PHI.
Under the CMIA, medical information means any individually identifiable information in possession of a provider of health care regarding a patient's medical history, mental or physical condition, or treatment. It doesn't require the information to be transmitted or maintained electronically — paper records count equally.
The Quick Answer: How Is the CMIA Different from HIPAA?
HIPAA sets a federal floor for PHI protection. The CMIA builds a higher ceiling. Where HIPAA allows certain uses and disclosures without patient authorization, the CMIA often demands explicit written authorization. Where HIPAA's civil penalties max out at set tiers, the CMIA allows individual patients to sue for compensatory damages, punitive damages, and attorneys' fees. And where HIPAA doesn't give patients a private right of action, the CMIA absolutely does.
Where the CMIA Goes Further Than HIPAA
I've seen organizations assume that HIPAA compliance automatically equals CMIA compliance. That assumption is dangerous. Here are the areas where the CMIA imposes stricter requirements.
Authorization Requirements That Catch Providers Off Guard
Under HIPAA, covered entities can use and disclose PHI for treatment, payment, and healthcare operations (TPO) without patient authorization. The CMIA takes a narrower view. California law requires that authorizations for the release of medical information contain specific elements — including the specific uses and limitations on the information, the entities authorized to receive it, and a clear expiration date.
The CMIA also restricts how employers can obtain medical information. If your organization provides employer health services, you need to know that the CMIA generally prohibits employers from using medical information for employment decisions unless very narrow exceptions apply.
The Private Right of Action That Keeps Attorneys Busy
HIPAA does not allow individual patients to sue covered entities directly. The CMIA does. Under California Civil Code Sections 56.35 and 56.36, any patient whose medical information is improperly disclosed can bring a civil action. Remedies include nominal damages of $1,000 per violation, actual damages, and punitive damages for willful or negligent behavior.
This is where the real financial exposure lives. A class action under the CMIA following a breach can dwarf any OCR settlement. I've watched healthcare organizations fixate on the HHS enforcement process while completely ignoring the class action lawsuit quietly building in state court.
Breach Notification With a California Twist
Both HIPAA and the CMIA require breach notification, but the CMIA adds California-specific requirements. Under California's data breach notification laws, organizations must notify affected individuals and the California Attorney General (for breaches affecting more than 500 California residents). The notification must be written in plain language and include specific details about the breach, types of information involved, and steps individuals can take to protect themselves.
The timeline is also aggressive. Notification must happen "in the most expedient time possible and without unreasonable delay." That language leaves the Attorney General room to argue that anything beyond a few weeks is too slow.
Real Enforcement: What Happens When You Get It Wrong
The California Attorney General has not been shy about enforcing the CMIA. In 2023, the office announced a series of enforcement actions across the healthcare sector, and the trend has only intensified.
On the federal side, OCR has settled with California-based covered entities for significant sums. UCLA Health System agreed to an $865,500 settlement with OCR in 2011 following allegations that unauthorized employees repeatedly accessed celebrity patient records — a violation of both HIPAA and the CMIA. The state investigation ran in parallel.
Dignity Health (now CommonSpirit Health), one of the largest health systems in California, faced both OCR scrutiny and state-level CMIA complaints following multiple breach incidents. When you operate at scale in California, the dual-enforcement model isn't theoretical. It's your Tuesday morning.
Who Exactly Does the CMIA Cover?
The CMIA's scope overlaps with but extends beyond HIPAA's definition of a covered entity. Here's who falls under the CMIA:
- Providers of health care: Any licensed healthcare professional, clinic, hospital, or healthcare facility.
- Health plans and insurers: Including HMOs, disability insurers, and self-insured employer health plans.
- Pharmaceutical companies: A category HIPAA doesn't directly regulate as covered entities.
- Contractors and third parties: Anyone who maintains, stores, or processes medical information on behalf of a provider or plan — similar to HIPAA's business associate concept, but with differences in the specific obligations.
If your organization touches medical information for California residents, the CMIA likely applies to you, even if you're headquartered in another state.
How to Build a Compliance Program That Covers Both Laws
In my experience, the organizations that get this right treat HIPAA as the foundation and the CMIA as the additional layer. Here's what that looks like in practice.
Train Your Workforce on Both Frameworks
Most HIPAA workforce training programs barely mention state law. That's a gap you can't afford in California. Your training must cover the CMIA's authorization requirements, its private right of action, and its breach notification rules — all areas where employee mistakes create direct liability.
Our HIPAA training catalog includes content designed for organizations navigating both federal and state privacy requirements. If your staff doesn't know the difference between what HIPAA permits and what the CMIA restricts, you're operating on borrowed time.
Audit Your Authorization Forms
Pull your current authorization forms. Do they meet the CMIA's specific requirements under Civil Code Section 56.11? Many HIPAA-compliant authorization forms fall short of California's standards. The CMIA requires authorizations to specify the particular information to be disclosed, the parties authorized to make and receive the disclosure, and a specific expiration date or event. Generic language like "for healthcare operations" won't survive scrutiny.
Update Your Breach Response Plan
Your breach notification procedures need a California-specific workflow. This means identifying California residents in your patient population, preparing templates that comply with the CMIA and California's breach notification statute, and establishing a process to notify the California Attorney General when thresholds are met.
I recommend running a tabletop exercise at least annually that simulates a breach involving California patient data. Walk through both the HIPAA breach notification rule and the CMIA requirements simultaneously. You'll find the gaps fast.
Revisit Your Vendor Agreements
HIPAA requires business associate agreements. The CMIA requires that any contractor receiving medical information agree in writing to protect that information in compliance with the Act. These are overlapping but not identical obligations. Make sure your contracts address both. A standard BAA template may not contain the CMIA-specific language your organization needs.
The Compliance Gap Most Organizations Don't See
Here's what I tell every California-based client: your biggest risk isn't an OCR audit. It's a state court class action filed by a plaintiffs' attorney who knows the CMIA inside out. HIPAA doesn't give patients a private right of action. The CMIA does. And plaintiffs' attorneys in California are exceptionally good at leveraging that difference.
The organizations that avoid this outcome share a common trait — they invest in comprehensive workforce training that covers both HIPAA and state-level privacy requirements. They audit their authorization practices. They run breach drills. And they treat the California Confidentiality of Medical Information Act not as an afterthought, but as a core compliance obligation.
If you handle ePHI or medical information for California patients, you owe it to your organization to understand this law as well as you understand HIPAA. The penalties for getting it wrong come from two directions at once — and neither regulator waits for the other to go first.