California CMIA vs HIPAA: Complete Comparison (2026)
Understanding the difference between California's Confidentiality of Medical Information Act (CMIA) and federal HIPAA is crucial for protecting your health information in California. CMIA often provides stronger protections than HIPAA.
Quick Answer: Which Law is Stronger?
California CMIA provides STRONGER protections than federal HIPAA in several key areas:
- Faster access: 15 days (vs HIPAA's 30 days)
- Private right to sue: You can sue directly for violations (HIPAA doesn't allow this)
- Higher penalties: Up to $250,000 per violation + $1,000 per patient
- Broader coverage: Applies to all healthcare providers in CA, not just HIPAA "covered entities"
- Stricter marketing rules: Must have explicit written authorization for most marketing
Key Principle: When both laws apply, California providers must follow whichever law is stricter. In most cases, that's CMIA. You have rights under BOTH laws simultaneously.
Side-by-Side Comparison
See exactly how California CMIA and federal HIPAA differ across key privacy protections:
| Protection/Right | HIPAA (Federal) 45 CFR 164 | California CMIA Civ. Code § 56 |
|---|---|---|
| Medical Records Access Timeframe |
30 days (can extend to 60) 45 CFR § 164.524 | 15 days ✓ Faster Civ. Code § 56.11 |
| Private Right to Sue | No - only HHS can enforce Must file complaint with HHS OCR | Yes ✓ Stronger Can sue provider directly in courtCiv. Code § 56.35 |
| Penalties for Violations |
$127 - $1.92M per violation category/year Tiered by culpability | Up to $250,000 + $1,000/patient ✓ Higher Plus punitive damages & attorney feesCiv. Code § 56.36 |
| Who Must Comply |
"Covered entities" only: Health plans, providers, clearinghouses | All healthcare providers in CA ✓ Broader Includes small practices, clinics, contractors |
| Marketing Consent |
Authorization required for most marketing Some treatment/refill reminders allowed | Explicit written authorization required ✓ Stricter Very limited exceptionsCiv. Code § 56.101 |
| Breach Notification to Patients |
Within 60 days of discovery 45 CFR § 164.404 | Within 15 days ✓ Faster Civ. Code § 56.101 |
| Authorization Requirements |
Written or electronic authorization Specific required elements | Written authorization + specific disclosures ✓ More Detail Must specify recipients and purposesCiv. Code § 56.11 |
| Access to Mental Health Records |
General access rights apply Psychotherapy notes have extra protection | Special protections + patient can inspect ✓ More Rights Right to see mental health records with limitsCiv. Code § 56.11 |
8 Key Differences Explained
1. Faster Medical Records Access
CMIA: 15 days vs HIPAA: 30-60 days
California providers must provide your medical records within 15 business days of your written request. This is half the time HIPAA allows (30 days, extendable to 60). If you need your records quickly for a second opinion, CMIA gives you faster access.
2. Private Right to Sue
CMIA: Yes vs HIPAA: No
Under CMIA, you can sue your provider directly for privacy violations and recover damages (including attorney fees). HIPAA doesn't allow private lawsuits - you can only file a complaint with HHS and hope they investigate. This makes CMIA much more powerful for individual enforcement.
3. Higher Penalties
CMIA: Up to $250,000 + $1,000 per patient
CMIA penalties can be much higher than HIPAA, especially for willful or negligent violations. Courts can also award punitive damages and require the provider to pay your attorney fees. This creates stronger incentives for providers to protect your privacy.
4. Broader Coverage
CMIA: All CA healthcare providers
HIPAA only covers "covered entities" (health plans, most providers, clearinghouses). CMIA covers all healthcare providers in California, including small practices, alternative medicine providers, and contractors who might not be HIPAA-covered entities. This closes gaps in protection.
5. Stricter Marketing Rules
CMIA: Explicit written authorization required
CMIA requires providers to get your explicit written authorization before using your health information for marketing. HIPAA has more exceptions. Under CMIA, you have stronger control over who can market to you using your health data.
6. Faster Breach Notification
CMIA: 15 days vs HIPAA: 60 days
If your health information is breached, California providers must notify you within 15 days, not 60 days under HIPAA. This gives you faster warning to protect yourself (change passwords, monitor credit, etc.).
7. More Detailed Authorization Forms
CMIA: Must specify recipients and purposes
CMIA authorization forms must explicitly state who will receive your information and why. This prevents vague "blanket authorizations" and gives you more control over exactly what you're authorizing.
8. Enhanced Mental Health Protections
CMIA: Special rules for mental health records
CMIA provides additional protections for mental health information, including the right to inspect (review) your mental health records even when full copies might be restricted. This gives you more transparency about your mental health treatment.
How to Use CMIA and HIPAA Together
Strategy: Always Cite BOTH Laws
Maximize your rights by invoking California CMIA AND federal HIPAA
Example Request Letter:
[Your Name]
[Date]
[Provider Name & Address]
Re: Request for Medical Records
Dear [Provider],
Pursuant to California Civil Code § 56.11 (CMIA) and 45 CFR § 164.524 (HIPAA), I request access to and copies of all my medical records from [dates].
Under CMIA, you must provide these records within 15 business days. Please send them to: [your address or email].
I understand you may charge reasonable, cost-based fees for copying, but you cannot refuse this request due to unpaid bills.
Thank you,
[Your Signature]
Pro Tip: By citing both CMIA and HIPAA, you ensure the provider knows you understand your rights under both laws. CMIA's 15-day deadline and private right to sue give you stronger leverage.
When to Emphasize CMIA
- You need records within 15 days (faster than HIPAA)
- The provider isn't a HIPAA "covered entity" but is in California
- You're considering suing for a privacy violation
- You want to stop marketing uses of your health data
- A breach occurred and you need faster notification
When to Emphasize HIPAA
- Dealing with an out-of-state provider or health plan
- You want to file a federal complaint with HHS OCR
- The issue involves federal Medicare/Medicaid programs
- You need accounting of disclosures (HIPAA-specific right)
- Pattern of violations affecting multiple states (federal enforcement)
Official Resources & Legal Citations
Authoritative sources for CMIA and HIPAA laws
Automate Your California Privacy Protection
HealthConsent® automatically exercises your rights under BOTH California CMIA and federal HIPAA. We cite the strongest law for each situation, file requests on your behalf, monitor compliance, and escalate violations to the California Attorney General or HHS OCR.
Enforces CMIA + HIPAA simultaneously • Handles all compliance automatically • Cancel anytime