Mandatory Medical Privacy Regulations in California You Must Comply With

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California’s Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA’s automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states.

HIPAA as the Federal Baseline

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

Confidentiality of Medical Information Act (CMIA)

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

Patient Access to Health Records Act (PAHRA)

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Medi-Cal confidentiality rules, California’s Consumer Privacy Act, and California Privacy Rights Act

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection Law

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Training Healthcare Employees to Respect All of California’s Privacy Laws

California’s privacy regulations require training that goes beyond HIPAA and CMIA and includes PAHRA, Medi-Cal confidentiality, CCPA and CPRA, AI-related rules, and SB81. Employees must learn the simple rule for deciding which requirement applies: follow HIPAA as the federal baseline, then apply the California requirement that is more protective for the situation at hand. Healthcare privacy training in California must cover who may access records, how to process requests under PAHRA, when authorization is required under CMIA, how to handle non-PHI personal information subject to CCPA and CPRA, how to use approved AI tools with appropriate review, and how to respond to immigration-related requests under SB81. Employees must practice common scenarios with clear steps for identity verification, consent, documentation, timely responses, and escalation to their Privacy or Compliance Office when questions arise. This approach ensures HIPAA-Covered Entities and HIPAA Business Associates comply with all of California’s privacy regulations as they apply to medical records.

Author: PJ Murray is the founder and publisher of The HIPAA Journal. He is dedicated to The HIPAA Journal’s mission of promoting a culture of HIPAA compliance and patient privacy by helping organizations and their staff understand both the regulations and the importance of protecting patient privacy and data security. Before working on The HIPAA Journal, PJ had a technical background in software development; he holds an engineering degree and has a particular interest in the cybersecurity aspects of protecting the privacy of medical records.