When HIPAA Law California Compliance Gets Complicated

In 2023, a mid-sized California medical group discovered the hard way that complying with federal HIPAA rules wasn't enough. After a breach affecting 12,000 patients, they faced scrutiny not only from the HHS Office for Civil Rights but also from the California Attorney General's office — because California imposes its own, often stricter, health privacy requirements on top of HIPAA. The organization had assumed federal compliance covered all their obligations. It didn't.

If your covered entity or business associate operates in California, HIPAA compliance means navigating two overlapping regulatory frameworks at the same time: the federal rules and California's own health privacy law. Getting one right while ignoring the other creates significant legal and financial exposure.

How Federal HIPAA and California's CMIA Work Together

The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) establishes the federal floor for safeguarding protected health information (PHI). But HIPAA itself includes a preemption provision, 45 CFR §160.203, under which state laws that are more stringent than the federal requirements are not preempted and continue to apply. California's Confidentiality of Medical Information Act (CMIA) is one of those laws.

The CMIA, codified under California Civil Code §56 et seq., predates HIPAA and covers many of the same areas: use and disclosure of medical information, patient authorization, and breach notification. But it goes further in several critical ways.

Healthcare organizations consistently struggle with the interplay. In my work with covered entities across the state, I've seen compliance officers build entire programs around HIPAA's Privacy and Security Rules while overlooking CMIA provisions that impose additional obligations on their workforce.

Where California Law Is Stricter Than HIPAA

Understanding exactly where California diverges from HIPAA is essential for any organization handling PHI in the state. Here are the key areas where California demands more:

  • Authorization requirements: CMIA requires patient authorization for many uses and disclosures of medical information that HIPAA permits without authorization, particularly for marketing communications and certain employer disclosures.
  • Breach notification timelines: HIPAA's Breach Notification Rule (45 CFR §§164.400–414) requires notification no later than 60 days after discovery, but California Health & Safety Code §1280.15 requires hospitals to report breaches to the California Department of Public Health within 15 business days, and it authorizes penalties of up to $25,000 per patient.
  • Private right of action: HIPAA does not give individual patients the right to sue. California's CMIA does. Under Civil Code §56.36, patients can recover nominal damages of $1,000 per violation plus actual damages and attorney's fees — even without proof of harm.
  • Scope of covered organizations: The CMIA applies to a broader set of entities than HIPAA's covered entity and business associate definitions, including employers who receive medical information and certain app developers.

This last point became even more significant with California's passage of AB 352 in 2021, which extended CMIA protections to health apps and wearable technology that collect health data — categories that HIPAA typically does not reach.

The CCPA/CPRA Factor: A Third Layer of Complexity

Organizations in California that focus solely on HIPAA and the CMIA often overlook a third regulatory layer: the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). While the CCPA broadly exempts medical information governed by the CMIA and PHI governed by HIPAA, the exemption is narrower than most organizations realize.

If your organization collects personal information from California residents that falls outside the strict definition of PHI — think employee data, website analytics, or marketing databases — the CCPA/CPRA may apply in full. OCR enforcement actions address HIPAA violations, but the California Privacy Protection Agency now has independent authority to investigate consumer privacy complaints. Your compliance program must account for both.

The Workforce Training Requirement Most Organizations Underestimate

HIPAA's Security Rule at 45 CFR §164.308(a)(5) requires security awareness and training for your entire workforce. The Privacy Rule at §164.530(b) requires training on your organization's privacy policies and procedures. But in California, your workforce training must go beyond federal minimums.

Staff must understand CMIA-specific obligations: when California requires stricter authorization, how breach reporting timelines differ, and what the private right of action means for their day-to-day handling of patient information. A training program built only around federal HIPAA content leaves your organization exposed.

This is why investing in comprehensive HIPAA training and certification matters — it builds the regulatory foundation your workforce needs. From there, you can layer on California-specific modules that address CMIA and CCPA/CPRA requirements relevant to your operations.

Risk Analysis Must Reflect State-Level Obligations

The HIPAA Security Rule requires a thorough risk analysis under 45 CFR §164.308(a)(1). OCR has made clear — through enforcement actions and published guidance — that this is the single most scrutinized compliance element. But for California organizations, your risk analysis should incorporate state-specific risks.

Consider: What are the financial consequences of a private lawsuit under the CMIA? What operational risks does the 15-business-day hospital breach notification window create? How does the broader set of entities covered under California law affect your business associate agreements?

Organizations that treat risk analysis as a purely federal exercise miss threats that are unique to California's regulatory environment. Your risk analysis documentation should explicitly address these state-level exposures.

Notice of Privacy Practices: Meeting Both Standards

HIPAA requires covered entities to maintain and distribute a Notice of Privacy Practices (NPP) under 45 CFR §164.520. California adds requirements around the content of patient-facing privacy disclosures. Your NPP should be reviewed to ensure it addresses both federal and CMIA requirements — particularly around patient rights and the categories of disclosures that require separate authorization under state law.

A compliant NPP under HIPAA may not satisfy California's more granular disclosure expectations. Legal review by someone fluent in both frameworks is not optional — it's a baseline compliance measure.

Building a Dual-Compliance Program That Works

The most effective approach I've seen California healthcare organizations take is building their compliance program on the HIPAA framework — Privacy Rule, Security Rule, Breach Notification Rule — and then systematically identifying every point where California law adds or diverges from federal requirements.

Start with these concrete steps:

  • Map your data flows to identify all PHI and medical information handled by your organization, including data that may fall outside HIPAA but within the CMIA or CCPA.
  • Update your policies and procedures to reflect the more stringent standard wherever federal and state law overlap.
  • Train every workforce member — not just clinical staff — using a program that addresses both HIPAA and California requirements. Platforms like HIPAA Certify for workforce compliance provide scalable training that ensures consistent baseline knowledge across your organization.
  • Review and update your business associate agreements to incorporate California-specific breach notification obligations and CMIA references.
  • Conduct annual risk analyses that explicitly document state-level regulatory risks alongside federal requirements.

Navigating HIPAA compliance in California is more demanding than in any other state. But the organizations that build integrated programs, rather than treating federal and state requirements as separate projects, are the ones that avoid enforcement surprises and protect their patients effectively.