California Law ⚖️ Federal Law

California CMIA vs HIPAA: Complete Comparison (2026)

Understanding the difference between California's Confidentiality of Medical Information Act (CMIA) and federal HIPAA is crucial for protecting your health information in California. CMIA often provides stronger protections than HIPAA.

Quick Answer: Which Law is Stronger?

California CMIA provides STRONGER protections than federal HIPAA in several key areas:

  • Faster access: 15 days (vs HIPAA's 30 days)
  • Private right to sue: You can sue directly for violations (HIPAA doesn't allow this)
  • Higher penalties: Up to $250,000 per violation + $1,000 per patient
  • Broader coverage: Applies to all healthcare providers in CA, not just HIPAA "covered entities"
  • Stricter marketing rules: Must have explicit written authorization for most marketing

Key Principle: When both laws apply, California providers must follow whichever law is stricter. In most cases, that's CMIA. You have rights under BOTH laws simultaneously.

Side-by-Side Comparison

See exactly how California CMIA and federal HIPAA differ across key privacy protections:

Protection/Right
HIPAA (Federal) 45 CFR 164
California CMIA Civ. Code § 56
Medical Records Access Timeframe 30 days (can extend to 60)
45 CFR § 164.524
15 days ✓ Faster
Civ. Code § 56.11
Private Right to Sue No - only HHS can enforce
Must file complaint with HHS OCR
Yes ✓ Stronger
Can sue provider directly in court
Civ. Code § 56.35
Penalties for Violations $127 - $1.92M per violation category/year
Tiered by culpability
Up to $250,000 + $1,000/patient ✓ Higher
Plus punitive damages & attorney fees
Civ. Code § 56.36
Who Must Comply "Covered entities" only:
Health plans, providers, clearinghouses
All healthcare providers in CA ✓ Broader
Includes small practices, clinics, contractors
Marketing Consent Authorization required for most marketing
Some treatment/refill reminders allowed
Explicit written authorization required ✓ Stricter
Very limited exceptions
Civ. Code § 56.101
Breach Notification to Patients Within 60 days of discovery
45 CFR § 164.404
Within 15 days ✓ Faster
Civ. Code § 56.101
Authorization Requirements Written or electronic authorization
Specific required elements
Written authorization + specific disclosures ✓ More Detail
Must specify recipients and purposes
Civ. Code § 56.11
Access to Mental Health Records General access rights apply
Psychotherapy notes have extra protection
Special protections + patient can inspect ✓ More Rights
Right to see mental health records with limits
Civ. Code § 56.11

8 Key Differences Explained

1. Faster Medical Records Access

CMIA: 15 days vs HIPAA: 30-60 days

California providers must provide your medical records within 15 business days of your written request. This is half the time HIPAA allows (30 days, extendable to 60). If you need your records quickly for a second opinion, CMIA gives you faster access.

2. Private Right to Sue

CMIA: Yes vs HIPAA: No

Under CMIA, you can sue your provider directly for privacy violations and recover damages (including attorney fees). HIPAA doesn't allow private lawsuits - you can only file a complaint with HHS and hope they investigate. This makes CMIA much more powerful for individual enforcement.

3. Higher Penalties

CMIA: Up to $250,000 + $1,000 per patient

CMIA penalties can be much higher than HIPAA, especially for willful or negligent violations. Courts can also award punitive damages and require the provider to pay your attorney fees. This creates stronger incentives for providers to protect your privacy.

4. Broader Coverage

CMIA: All CA healthcare providers

HIPAA only covers "covered entities" (health plans, most providers, clearinghouses). CMIA covers all healthcare providers in California, including small practices, alternative medicine providers, and contractors who might not be HIPAA-covered entities. This closes gaps in protection.

5. Stricter Marketing Rules

CMIA: Explicit written authorization required

CMIA requires providers to get your explicit written authorization before using your health information for marketing. HIPAA has more exceptions. Under CMIA, you have stronger control over who can market to you using your health data.

6. Faster Breach Notification

CMIA: 15 days vs HIPAA: 60 days

If your health information is breached, California providers must notify you within 15 days, not 60 days under HIPAA. This gives you faster warning to protect yourself (change passwords, monitor credit, etc.).

7. More Detailed Authorization Forms

CMIA: Must specify recipients and purposes

CMIA authorization forms must explicitly state who will receive your information and why. This prevents vague "blanket authorizations" and gives you more control over exactly what you're authorizing.

8. Enhanced Mental Health Protections

CMIA: Special rules for mental health records

CMIA provides additional protections for mental health information, including the right to inspect (review) your mental health records even when full copies might be restricted. This gives you more transparency about your mental health treatment.

How to Use CMIA and HIPAA Together

Strategy: Always Cite BOTH Laws

Maximize your rights by invoking California CMIA AND federal HIPAA

Example Request Letter:

[Your Name]

[Date]

[Provider Name & Address]

Re: Request for Medical Records

Dear [Provider],

Pursuant to California Civil Code § 56.11 (CMIA) and 45 CFR § 164.524 (HIPAA), I request access to and copies of all my medical records from [dates].

Under CMIA, you must provide these records within 15 business days. Please send them to: [your address or email].

I understand you may charge reasonable, cost-based fees for copying, but you cannot refuse this request due to unpaid bills.

Thank you,

[Your Signature]

Pro Tip: By citing both CMIA and HIPAA, you ensure the provider knows you understand your rights under both laws. CMIA's 15-day deadline and private right to sue give you stronger leverage.

When to Emphasize CMIA

  • You need records within 15 days (faster than HIPAA)
  • The provider isn't a HIPAA "covered entity" but is in California
  • You're considering suing for a privacy violation
  • You want to stop marketing uses of your health data
  • A breach occurred and you need faster notification

When to Emphasize HIPAA

  • Dealing with an out-of-state provider or health plan
  • You want to file a federal complaint with HHS OCR
  • The issue involves federal Medicare/Medicaid programs
  • You need accounting of disclosures (HIPAA-specific right)
  • Pattern of violations affecting multiple states (federal enforcement)

Automate Your California Privacy Protection

HealthConsent® automatically exercises your rights under BOTH California CMIA and federal HIPAA. We cite the strongest law for each situation, file requests on your behalf, monitor compliance, and escalate violations to the California Attorney General or HHS OCR.

Enforces CMIA + HIPAA simultaneously • Handles all compliance automatically • Cancel anytime