Complying with HIPAA California Law
The difficulty in complying with HIPAA California law is that several significant Acts of state privacy legislation overlay the provisions of the Health Insurance Portability and Accountability Act (HIPAA), and healthcare organizations and their Business Associates have to comply with all of them. For a healthcare organization, or a Business Associate of one, one of the primary areas of difficulty is understanding the differences between the Acts and where the overlaying provisions apply.
HIPAA
HIPAA provides a federal floor of privacy protections that applies to health plans, healthcare clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. Under HIPAA, these “Covered Entities” are required to protect the privacy of individually identifiable health information (“Protected Health Information” or “PHI”) and to safeguard the confidentiality, integrity, and availability of electronic PHI.
HIPAA also applies to Business Associates that receive, create, maintain, or transmit PHI (in any format) for or on behalf of a Covered Entity. All Business Associates are required to comply with the HIPAA Security and Breach Notification Rules, while compliance with the Privacy Rule (or sections thereof) and the Administrative Requirements depends on the service being provided for or on behalf of the Covered Entity.
HIPAA Training
With CA Medical Privacy Laws
Our training targets the mistakes that drive most HIPAA incidents, drawn from 10+ years of our breach reporting and includes comprehensive lessons on California medical privacy laws.
The Gold Standard in HIPAA Training
by The HIPAA Journal Team
The Confidentiality of Medical Information Act (CMIA)
The Confidentiality of Medical Information Act – or CMIA – applies to more types of healthcare providers than HIPAA, and to most types of businesses in California that maintain medical information. It limits how healthcare providers, healthcare service plans, and contractors can use and disclose individually identifiable medical information, and requires patient authorization for any use or disclosure that is not specifically permitted.
All CMIA-covered organizations must comply with the Act’s stricter requirements for disclosures of medical information and implement measures to preserve the integrity of electronic medical information. Importantly, CMIA allows for a private right of action when medical information is disclosed negligently and impermissibly by a healthcare organization, a contractor, or a workforce member – even when the disclosure is not intentional.
The Patient Access to Health Records Act (PAHRA)
The Patient Access to Health Records Act – PAHRA – differs from HIPAA’s right of access inasmuch as HIPAA limits patient access requests to Protected Health Information maintained in a designated record set. Under PAHRA, patients have the right to request access to all the information maintained about them by a healthcare organization – unless an exception exists.
The timeframe for complying with patient access requests under PAHRA is much shorter than the timeframe permitted by HIPAA – healthcare organizations in California must allow patients to inspect their records within five working days of a written request, and must provide copies within 15 days – and the Act restricts parental access to a minor’s sensitive medical records when the minor has consented to care that falls within CMIA’s definition of a sensitive service.
Medi-Cal Regulations
Healthcare organizations that participate in California’s Medicaid program are required to comply with all applicable Medi-Cal regulations in addition to the applicable regulations of HIPAA and CMIA. These include stricter controls on uses and disclosures of Protected Health Information, with exceptions permitted only when they are authorized by the California Department of Health Care Services.
Importantly, personally identifiable information under Medi-Cal includes information that is not necessarily protected by HIPAA or CMIA when it is maintained separately from Protected Health Information. Examples include social conditions, economic circumstances, and agency evaluations of personal information. It is important that these data elements are taken into account when an organization applies access controls and assigns user permissions, so that records which fall outside the PHI definition are not left with weaker protections than the Medi-Cal regulations require.
California’s Consumer Privacy and Privacy Rights Acts (CCPA/CPRA)
CCPA/CPRA exempts healthcare organizations in California that qualify as HIPAA Covered Entities – but only in respect of individually identifiable health information protected by the Privacy Rule (and of medical information protected by CMIA, whose definition of medical information is similar to HIPAA’s definition of PHI). Individually identifiable health information collected by a HIPAA Covered Entity in its role as an employer for HR, legal, payroll, or other non-protected purposes is subject to CCPA/CPRA.
Importantly, CCPA/CPRA does not exempt healthcare organizations that qualify as neither HIPAA Covered Entities nor Business Associates, even though PHI itself is exempt from the Act and is not subjected to controls more stringent than HIPAA’s. This lack of an entity-level exemption matters because victims of data breaches have a private right of action under CCPA/CPRA, depending on the nature of the breach, the information breached, and the efforts made by the business to resolve the breach.
SB81 – Patient Access and Protection
SB81 was signed into law in 2025 with the objective of protecting patients from immigration enforcement activities when they seek healthcare services. The legislation was prompted by concerns that patients were missing or cancelling appointments due to fears about their safety, and that this would lead to delayed diagnoses, inadequate management of chronic conditions, and missed preventive care.
The bill extends the definition of medical information in the Confidentiality of Medical Information Act to include a patient’s place of birth and immigration status when known or recorded. As a result, healthcare organizations must establish procedures for responding to access requests by immigration agents, and must train workforce members on the procedures for obtaining a valid authorization from patients before their place of birth or immigration status is disclosed for immigration enforcement activities.
How to Comply with HIPAA California Law
The first step in complying with HIPAA California law is to determine which law(s) your organization is subject to. This is not always straightforward. For example:
- HIPAA provides a “federal floor” of privacy protections, but the Act doesn’t apply to every healthcare organization.
- CMIA applies to all healthcare providers within California and has more stringent requirements than HIPAA in many areas.
- CCPA/CPRA exempts HIPAA Covered Entities, but not HIPAA Business Associates. It also extends privacy protections to healthcare data not protected by HIPAA.
Consequently, if a healthcare organization qualifies as a HIPAA Covered Entity, HIPAA applies to PHI except where CMIA requires greater protection of medical information or provides more patients’ rights. Additionally, under CCPA/CPRA, HIPAA Covered Entities must protect medical information collected from an employee in their role as an employer in the same way as if it had been collected from a patient.
If a healthcare organization does not qualify as a HIPAA Covered Entity, CMIA applies to medical information created, received, maintained, or transmitted in respect of the past, present, or future condition of a patient, treatment for the condition, or payment for the treatment. Additionally, CCPA/CPRA applies to all medical information collected in the role of an employer.
For Business Associates, in most cases HIPAA applies to PHI and CCPA/CPRA applies to all other data. There are a handful of scenarios in which a healthcare organization will be subject to CMIA but not HIPAA. In such cases, the healthcare provider should set out how medical information is to be protected from unauthorized and impermissible uses and disclosures in its contract with the contractor – the CMIA equivalent of a Business Associate Agreement.
Once it has been determined which laws apply to your organization, it will be necessary to develop policies and procedures that accommodate the provisions which overlay HIPAA, adjust and distribute revised Notices of Privacy Practices so patients are aware of where the overlays apply, and train workforce members on the policies and procedures. In the context of complying with HIPAA California law, it is particularly important that workforce members recruited from organizations in other states, where California’s laws did not apply, receive policy and procedure training at the earliest possible opportunity.
How to Provide Workforce HIPAA Training in California
Because different state laws can apply to different healthcare organizations depending on the nature of their activities and the ways in which personally identifiable information is collected and maintained, there is no one-size-fits-all framework for workforce HIPAA training in California.
One of the easiest ways to overcome this challenge is to provide HIPAA awareness training to all members of the workforce and, where staff perform functions governed by California state laws, overlay the HIPAA training with policy and procedure training relevant to their roles.
The HIPAA Journal provides HIPAA training programs specifically designed for workforces in California, ensuring they receive comprehensive and up-to-date information that can help them better understand, absorb, and apply California-specific policy and procedure training.
To ensure workforce members are actively engaging with training materials, the training includes assessments and certification upon successful completion. This not only verifies understanding but also provides documented proof of compliance in the event of a compliance investigation or audit.
California-specific training modules are available in addition to modules designed to support small medical practices, learning institutions, and business associate workforces. Organizations can also subscribe to an employee-focused cybersecurity training course to help workforce members avoid common pitfalls that can lead to HIPAA violations.