California Health Data Privacy Laws: Complete Guide

California protects 39 million residents with the nation's strongest health privacy framework: Constitutional privacy rights, CMIA confidentiality protections, CPRA/CCPA consumer rights, strict app regulations (AB 254, AB 2089, AB 352), EHR segmentation mandates, and the most aggressive enforcement in the United States.

Golden Gate Bridge San Francisco California representing state health privacy laws CMIA enforcement and patient rights

California's leadership in health privacy protection

📖 ~15 min read
7 comprehensive sections ✓ Complete Legal Guide Updated June 2026

Quick Summary: CA Health Privacy Laws

Updated October 2025 - Everything you need to know in 2 minutes

Your Legal Protections in California:

  • Federal HIPAA Rights: Access records (30 days), amend errors, restrict disclosures, request accounting, receive breach notifications (60 days), confidential communications. Learn more ↗
  • California Constitutional Privacy (Article I, § 1): Inalienable right to privacy stronger than HIPAA, underpins all state health data protections
  • CMIA (Civ. Code § 56-56.37): 15-day records access (vs HIPAA 30), 5-day inspection, written authorization for ALL disclosures, private right to sue, $1,000-$250,000 penalties. Full text ↗
  • CPRA/CCPA Rights: Know, delete, opt-out of sale/sharing for health data (sensitive personal information category), $7,988 per violation enforcement by CPPA
  • Health App Regulations: AB 254 (reproductive/sexual health apps) & AB 2089 (mental health apps) must comply with CMIA as healthcare providers
  • EHR Segmentation & Anonymous Rx: AB 352 segregates abortion/gender care records; AB 260 allows anonymous abortion medication prescriptions; AB 45 bans clinic geofencing

6 Actionable Steps You Can Take Today:

  1. 1. Request Medical Records: Submit written request - CA providers must respond within 15 days (faster than HIPAA's 30), 5 days for inspection
  2. 2. File CMIA Complaints: Report violations to CA Attorney General at 800-952-5225 OR sue directly for $1,000+ damages
  3. 3. Exercise CPRA Rights: Opt-out of health data "sale" on all apps, wearables using CPPA tools
  4. 4. Opt-Out of Cal INDEX: Contact CA DHCS to restrict statewide Health Information Exchange. Learn about HIEs →
  5. 5. Audit Health Apps: Check if mental health, pregnancy, period-tracking apps comply with AB 254/AB 2089 - report to CPPA
  6. 6. Request EHR Segmentation: For sensitive services under AB 352, request records be segregated from out-of-state access
California Advantage: California has the STRONGEST health data privacy laws in the United States. Unlike other states, CA provides Constitutional privacy rights, CMIA private right to sue ($1,000-$250,000 damages), CPRA enforcement ($7,988+ per violation), app-specific regulations, EHR segmentation mandates, and aggressive multi-agency enforcement by CA AG, CPPA, and HHS OCR.

⚡ Get Automated Privacy Protection

HealthConsent automatically exercises your CMIA & HIPAA rights, enforces CPRA opt-outs, monitors Cal INDEX, audits health app compliance (AB 254/AB 2089), requests EHR segmentation under AB 352, and protects your data across all California providers and platforms.

Start Protecting Your CA Health Data →

Section 1: California Health Privacy Landscape

39.4M
CA Residents Protected
Most populous US state
400+
Hospitals & Health Systems
Including 10+ major networks
15 Days
Records Access Timeline
Faster than 30-day HIPAA
1981
CMIA Enacted
Constitutional Foundation: The California Constitution Article I, Section 1 explicitly recognizes an inalienable right to privacy, providing stronger protection than federal law and underpinning all state health privacy legislation including CMIA, CPRA, and app regulations.

California's National Leadership in Health Privacy

Major Healthcare Ecosystem:

Privacy Law Leadership:

  • Constitutional privacy right (Article I, § 1) - only state with explicit constitutional protection
  • CMIA since 1981 - oldest and strongest state medical privacy law
  • Private right to sue - $1,000-$250,000 damages (HIPAA has none)
  • CPRA/CCPA enforcement by CPPA ($7,988+ per violation)
  • App-specific regulations - AB 254, AB 2089, AB 352 mandate CMIA compliance
  • Model for other states - Many states copy California's approach

Why California Leads the Nation in Health Privacy

As of October 2025, California maintains the STRONGEST health data privacy protections in the United States. The state's comprehensive framework includes:

  • Constitutional privacy right - Only state with explicit privacy in constitution (Article I, § 1)
  • Private right to sue under CMIA - $1,000-$250,000 damages without needing government involvement
  • Comprehensive consumer rights - CPRA/CCPA apply to health data outside HIPAA (apps, wearables, data brokers)
  • App-specific mandates - AB 254 & AB 2089 require health apps to comply with CMIA
  • EHR segmentation - AB 352 protects abortion & gender-affirming care from out-of-state requests
  • Multi-agency enforcement - CA AG, CPPA, HHS OCR all actively enforce violations

California's model has been adopted by other states including Washington, Colorado, and Connecticut.

Section 2: Your Privacy Rights Under California & Federal Law

California residents benefit from a layered privacy framework combining federal HIPAA protections with stronger state-level rights. Learn more about when state laws override federal HIPAA →

Federal HIPAA Rights (Apply to All CA Providers)

  • Right to Access: Request and receive copies of your medical records within 30 days (or 15 days if electronic). Providers may charge reasonable, cost-based fees but cannot charge retrieval fees.
  • Right to Amendment: Request corrections to inaccurate or incomplete health information. Provider must respond within 60 days and either make the amendment or provide a written denial with your right to submit a statement of disagreement.
  • Right to Restrict Disclosures: Request limitations on how your health information is used or shared. Providers MUST agree to restrict disclosures to health plans for services you paid out-of-pocket in full.
  • Right to Accounting of Disclosures: Request a list of who your provider shared your health information with in the past 6 years (excluding treatment, payment, operations). First accounting per 12 months is free.
  • Right to Breach Notification: Receive notification within 60 days if your unsecured health information has been improperly accessed or disclosed. Notification must include what happened, what information was involved, and steps you should take.
  • Right to Confidential Communications: Request that your provider communicate with you at an alternative address or by alternative means (e.g., call your work phone instead of home). Provider must accommodate reasonable requests.
  • Right to File Complaints: File complaints about HIPAA violations with your provider or with HHS Office for Civil Rights. Provider cannot retaliate against you for filing a complaint.

California CMIA Enhanced Protections (Stronger than HIPAA)

  • 15-Day Records Access (Civ. Code § 56.10): California providers must provide copies of medical records within 15 business days (vs HIPAA's 30 days). For inspection only: 5 business days. Providers can charge reasonable cost-based fees only ($.25/page for paper copies, actual cost for electronic records). The 21st Century Cures Act prohibits information blocking—providers cannot charge excessive fees or delay access to EHR data. California's DHCS Data Exchange Framework (DxF) (launched 2024) requires all health entities to participate in statewide data sharing, improving interoperability and your ability to aggregate records from multiple providers.
  • Written Authorization Required (Civ. Code § 56.10-56.11): CMIA requires written authorization for ALL disclosures of medical information (except for treatment, payment, healthcare operations, and other enumerated exceptions). This is stricter than HIPAA, which allows more flexibility for covered entities. CMIA applies broadly to healthcare providers, insurers, pharmaceutical companies, and any "products, services, or technologies that store, transmit, or process medical information" (AB 658, 2013).
  • Private Right to Sue (Civ. Code § 56.35-56.36): Unlike HIPAA, CMIA allows patients to sue directly for unauthorized disclosures. Minimum $1,000 per violation, plus attorney fees. Willful or negligent violations: up to $250,000 per violation. This gives CA patients powerful enforcement tools.
  • CPRA Consumer Rights (Civ. Code § 1798.100 et seq.): Health data is "sensitive personal information" under CPRA. Critical distinction: Protected Health Information (PHI) under HIPAA is exempt from CPRA. However, health information outside HIPAA's regime—apps not covered by HIPAA, wearables, fitness trackers, data brokers, marketing data—falls under CPRA rights. Californians can: know what's collected, delete data, opt-out of sale/sharing. CPPA enforces violations at $7,988 per violation (2025 inflation-adjusted).
  • Health App Regulations (AB 254 & AB 2089): Reproductive/sexual health apps (period trackers, pregnancy apps) and mental health apps are treated as CMIA-covered healthcare providers. They must obtain written authorization before disclosures, cannot sell data, and are subject to CMIA's $1,000-$250,000 penalties. This closes the "app gap" left by federal HIPAA.
  • EHR Segmentation for Sensitive Services (AB 352): Effective July 2024, EHR systems must segregate records of abortion, contraception, and gender-affirming care. These records must be: (1) restricted to authorized personnel only, (2) NOT transmitted outside California, (3) protected from out-of-state subpoenas or legal requests. This protects CA patients from hostile state prosecutions.
  • Cal INDEX HIE Opt-Out: California operates Cal INDEX, the statewide Health Information Exchange. You have the RIGHT TO OPT OUT of having your medical records shared across this network. Contact your provider or CA DHCS to restrict participation.
  • Anonymous Prescriptions (AB 260, signed Sept 2025): Patients can obtain abortion medication prescriptions (mifepristone) without their name on the prescription. This prevents prescription records from being used to track or target patients seeking reproductive healthcare.
Key Advantage: California's CMIA protections are STRONGER than federal HIPAA in every category: faster access (15 vs 30 days), stricter disclosure requirements (written authorization for ALL uses), private right to sue ($1,000-$250,000 damages), and app coverage (AB 254/AB 2089). Always invoke your CMIA rights—California law applies when it provides greater protection than federal HIPAA.

Section 3: Recent Law Updates & Enforcement (2022-2025)

AB 260: Anonymous Abortion Medication Prescriptions

Signed Sept 2025

AB 260 allows patients to obtain abortion medication prescriptions (mifepristone) without their name on the prescription. This landmark legislation prevents prescription records from being used to track, target, or prosecute patients seeking reproductive healthcare. State-regulated health insurance plans must cover these medications.

Impact for Patients: Complete anonymity for abortion medication prescriptions, protecting privacy from government surveillance, data brokers, and out-of-state legal action. No prescription records = no paper trail.

AB 45: Geofencing Ban & Research Protection

Signed Sept 2025

AB 45 (1) prohibits geofencing around healthcare facilities - companies cannot use location data to target patients visiting reproductive health clinics, and (2) shields research participants - prohibits releasing identifying research records in response to out-of-state subpoenas based on anti-reproductive-care laws.

Impact for Patients: Complete protection from location tracking at clinics. Apps/advertisers cannot geofence Planned Parenthood or abortion providers. Research participants protected from hostile state investigations.

AB 352: EHR Segmentation for Sensitive Services

Effective July 2024

AB 352 requires EHR systems to segregate records of abortion, contraception, and gender-affirming care. These records must be: (1) restricted to authorized personnel only, (2) NOT transmitted outside California, (3) protected from out-of-state subpoenas. EHR vendors must implement by July 2024 and can charge only cost-based fees (aligned with federal information-blocking exceptions).

Impact for Patients: Your abortion/gender-affirming care records are protected from hostile state prosecutions. CA patients can request EHR segmentation to ensure sensitive services remain confidential and cannot be accessed by out-of-state authorities.

AB 254 & AB 2089: Health App Privacy Mandates

2022-2023

AB 254 (2023) treats reproductive/sexual health apps (period trackers, pregnancy apps, fertility apps) as CMIA-covered healthcare providers. AB 2089 (2022) does the same for mental health & substance use disorder apps. Both must obtain written authorization before disclosures, cannot sell user data, and face CMIA's $1,000-$250,000 penalties.

Impact for Patients: Health apps are now regulated like hospitals—period trackers, mental health apps, fertility apps cannot sell your data and must comply with CMIA. Closes the "app gap" left by federal HIPAA.

AB 1697: Electronic Signatures for Medical Authorizations

Effective Jan 2024

AB 1697 lifted California's ban on electronic signatures for medical authorizations. Patients can now sign CMIA consent forms electronically (PDF, e-signatures). Standard consents expire in one year unless longer period specified. This modernizes consent procedures while maintaining CMIA protections.

Impact for Patients: Easier to provide medical authorizations digitally without weakening CMIA protections. Electronic signatures have same legal weight as ink signatures.

California AG & CPPA Enforcement Actions

2023-2025 Ongoing

California Attorney General and the California Privacy Protection Agency (CPPA) launched comprehensive healthcare privacy enforcement targeting data brokers, health apps, and large healthcare systems for CMIA and CPRA violations. This includes investigating unauthorized data sales, deceptive privacy practices, failure to obtain proper CMIA consent, and violations of AB 254/AB 2089 app regulations. CPPA has issued $7,988+ per violation fines against non-compliant companies.

Impact for Patients: Increased enforcement against entities misusing health data, ability to file complaints that will be actively investigated, and potential for restitution in cases where data was improperly sold or disclosed.

Federal 42 CFR Part 2 Alignment for Substance Use Records

2024

California updated its substance abuse treatment regulations to align with revised federal 42 CFR Part 2 rules, clarifying when substance use disorder treatment records can be disclosed for care coordination while maintaining strong consent requirements.

Impact for Patients: Slightly easier care coordination for substance use disorder treatment while maintaining core consent protections. Patients retain the right to restrict disclosures and must provide written consent for most uses beyond direct treatment.

California's Privacy Leadership: Unlike most states, California has ALREADY ENACTED comprehensive health privacy legislation (AB 260, AB 45, AB 352, AB 254, AB 2089) in 2022-2025. California leads the nation—most other states are still considering bills California passed years ago.

Section 4: How to Exercise Your Rights (Step-by-Step)

Ready to take action? Here's your complete guide to exercising your health privacy rights →

1
Request Your Medical Records

Submit a written request to your healthcare provider's medical records department or privacy officer.

What to Include:

  • • Your full name, date of birth, and contact information
  • • Specific records requested (date range, type of records)
  • • Format preference (paper or electronic)
  • • Delivery method (mail, pickup, secure email)

Timeline:

Provider must respond within 30 days (can extend to 60 days with written notice).

2
File CMIA/CPRA Complaints for Unfair Practices

Use California's industry-leading privacy laws (CMIA & CPRA) to challenge deceptive or unfair health data practices.

When to File:

  • • Provider sold your data without clear authorization
  • • Deceptive privacy policies or practices
  • • Unauthorized marketing using your health info
  • • Failure to honor opt-out requests

How to File:

Contact California Attorney General's Consumer Protection Section at 800-952-5225 or file online at oag.ca.gov/contact

3
Report Breach Notification Violations

If you discover a breach wasn't properly reported or you weren't notified within legal timeframes.

Red Flags:

  • • You found out about a breach through news, not direct notification
  • • Notification came more than 60 days after breach discovery
  • • Incomplete information about what data was compromised
  • • No offer of credit monitoring or identity protection after major breach

Who to Contact:

4
Exercise Special HIV/Mental Health Rights

California's CMIA enhanced protections require written authorization for ALL sensitive health information disclosures.

HIV Information (CMIA § 56.10):

  • • Demand separate, specific written authorization for HIV disclosures
  • • General medical release forms are NOT sufficient under CMIA
  • • Unauthorized disclosure: $1,000-$250,000 private right to sue

Mental Health & Substance Abuse Records (CMIA § 56.10):

  • • Written authorization required for disclosures beyond treating providers
  • • Federal 42 CFR Part 2 protections for substance abuse treatment apply
  • • You can revoke authorization at any time under CMIA

5
Understand Public Health & Research Exceptions

California allows certain disclosures without consent for public health, research, and law enforcement purposes. AB 45 (2023) protects reproductive and gender-affirming care research and prohibits geofencing near health facilities.

Public Health Exceptions (HIPAA & CMIA):

  • Disease surveillance: Providers must report certain diseases to CA Dept of Public Health (Cal. Health & Safety Code § 120130-120175)
  • Child/elder abuse: Mandatory reporting to county welfare or law enforcement (Pen. Code § 11165.7)
  • Research: De-identified data may be used for research without consent (45 CFR § 164.514)
  • AB 45 protection: California prohibits geofencing and tracking near health facilities; data from reproductive health research cannot be used in criminal/civil proceedings
  • Court orders: Providers must comply with valid subpoenas/court orders (but can challenge overbroad requests)

Your Rights Against Improper Disclosures:

  • Request an accounting of disclosures to see if your data was shared under public health exceptions
  • Challenge disclosures if they exceed statutory exceptions
  • File complaints with CA AG or HHS OCR if you believe disclosures were improperly justified
Automate These Actions with HealthConsent →

HealthConsent files requests, monitors responses, and escalates violations automatically

Section 5: Enforcement Mechanisms & Penalties

California has the nation's strongest enforcement framework with multiple agencies pursuing violations. See major health data breach cases →

Recent Major California Cases

Federal HIPAA Enforcement

Up to $1.92M per violation category/year

HHS Office for Civil Rights enforces HIPAA Privacy and Security Rules with tiered civil penalties based on culpability level:

Civil Penalties (per violation):

  • • Tier 1 (unknowing): $127-$63,973
  • • Tier 2 (reasonable cause): $1,280-$63,973
  • • Tier 3 (willful neglect, corrected): $12,794-$63,973
  • • Tier 4 (willful neglect, not corrected): $63,973-$1,919,173

Criminal Penalties:

  • • Up to 1 year + $50,000 fine (knowing violations)
  • • Up to 5 years + $100,000 (false pretenses)
  • • Up to 10 years + $250,000 (intent to sell/profit)

Recent Major CA Cases: Multiple California hospitals and health systems have faced HIPAA investigations and settlements in recent years for impermissible disclosures, inadequate security measures, and delayed breach notifications. Kaiser, Sutter Health, and UC Health have all been subject to federal enforcement actions.

California Attorney General (CMIA)

$2,500-$250,000 per violation

California AG enforces CMIA (Civ. Code § 56.35-56.37) with broad enforcement authority and significant penalties:

Enforcement Powers & Penalty Structure:

  • Civil penalties: $2,500 per negligent violation; up to $250,000 per willful violation (Civ. Code § 56.36)
  • Injunctive relief: Court orders to stop unauthorized disclosures
  • Consumer restitution: Compensation for damages
  • Attorney fees: Recover costs of enforcement
  • AB 254/AB 2089 enforcement: Health app violations treated as CMIA violations
  • Multi-state coordination: Joint actions with other state AGs

What Constitutes CMIA Violation:

  • • Disclosing medical information without written authorization (Civ. Code § 56.10)
  • • Selling health data from period trackers/mental health apps (AB 254/AB 2089)
  • • Failing to provide records within 15 business days (Civ. Code § 56.10)
  • • Using health information for marketing without authorization
  • • Inadequate security leading to preventable breaches
  • • Violating EHR segmentation requirements (AB 352)

California Privacy Protection Agency (CPPA)

CPRA Enforcement Authority

CPPA is the nation's first dedicated state privacy agency, enforcing CPRA for consumer health data (apps, wearables, data brokers) NOT covered by HIPAA:

Enforcement Authority:

  • Administrative Fines: Up to $7,988 per violation (adjusted annually for inflation)
  • Intentional Violations: Up to $23,963 per intentional violation involving minors' data
  • Health App Oversight: Enforces AB 254/AB 2089 compliance for health apps alongside CA AG
  • Consumer Complaints: Investigates individual complaints about data sale, sharing, deletion failures
  • Rulemaking Authority: Issues regulations clarifying CPRA requirements for health data
  • Coordination with AG: Joint enforcement actions for large-scale violations

FTC Health Breach Notification Rule (Non-HIPAA Entities)

Federal Enforcement for Apps & Wearables

FTC Health Breach Notification Rule applies to health apps, wearables, and other "personal health record" vendors NOT covered by HIPAA. In 2024, the FTC strengthened enforcement, requiring breach notifications within 60 days and imposing penalties for non-compliance.

FTC Enforcement Authority:

  • Covered entities: Health apps (period trackers, mental health, fitness), wearables, PHR platforms, telehealth services not HIPAA-covered
  • Breach notification requirement: Notify FTC, consumers, and media (if 500+ affected) within 60 days of breach discovery
  • Penalties: FTC Act Section 5 violations carry civil penalties up to $50,120 per violation (2024 rate)
  • Coordination with States: FTC works with CA AG and CPPA to enforce against non-HIPAA health tech companies
  • Recent CA enforcement: FTC has targeted period tracking apps, mental health apps, and telehealth companies for improper data sharing

Why This Matters for California Residents:

California's AB 254/AB 2089 regulations work alongside FTC enforcement to create a comprehensive regulatory framework for health apps. If an app violates CMIA, CPRA, or FTC rules, you can file complaints with all three agencies (CA AG, CPPA, FTC) for maximum enforcement.

Private Rights & Civil Remedies (CMIA)

$1,000-$250,000 per violation

California provides the STRONGEST private right to sue for health privacy violations in the nation through CMIA:

CMIA Private Right of Action (Civ. Code § 56.35-56.36):

Patients can sue directly for unauthorized disclosures of medical information. Minimum $1,000 per violation, plus attorney fees. Willful or negligent violations: up to $250,000 per violation. No need to prove actual damages.

Health App Violations (AB 254/AB 2089):

Period trackers, pregnancy apps, mental health apps that sell data are treated as CMIA-covered providers. Patients can sue for same $1,000-$250,000 penalties. This closes the "app gap" left by federal HIPAA.

Common Law Privacy Torts:

California Constitution Article I § 1 explicit right to privacy supports common law claims for public disclosure of private facts, intrusion upon seclusion, and breach of confidentiality beyond CMIA's statutory remedies.

California Advantage: Unlike most states (including those without private rights of action), California patients can sue directly under CMIA WITHOUT needing Attorney General involvement. This gives patients powerful enforcement tools unavailable in other states.

Section 6: Protecting Your Health Data in California

Beyond knowing your rights, take proactive steps to secure your health information. Check out our complete privacy protection checklist →

Proactive Privacy Strategies

Monitor Large Health Systems

California's major integrated health systems handle millions of patient records. Stay vigilant about their data practices.

  • Request privacy notices from Kaiser, Sutter, Cedars-Sinai, UCLA Health, Stanford, UC Health
  • Review data sharing agreements before signing any authorizations—invoke CMIA rights
  • Ask about third-party access and verify written CMIA authorization requirements
  • Check breach notification websites of major systems regularly
  • Exercise restriction rights to limit inter-facility sharing & opt-out of Cal INDEX
  • Request EHR segmentation under AB 352 for sensitive services

Leverage CMIA & CPRA Protection

Use California's industry-leading privacy laws (CMIA + CPRA) as powerful tools against unfair health data practices.

  • File CMIA/CPRA complaints with CA AG (800-952-5225) or CPPA for violations
  • Document all communications about your health data usage
  • Save privacy policies and note when they change—CMIA violations actionable
  • Report data broker activities to CA AG & CPPA
  • Sue directly under CMIA for unauthorized disclosures ($1K-$250K)
  • Exercise CPRA rights to opt-out, delete, and access your data

Engage Enforcement Mechanisms

California has the nation's strongest enforcement—don't hesitate to use it when your privacy rights are violated.

  • Report privacy violations to CA Attorney General (800-952-5225) immediately
  • Document breach delays beyond HIPAA 60-day or CA 15-day requirements
  • File HHS OCR complaints for HIPAA violations
  • Contact CA DHCS (916-445-4171) for facility-specific issues
  • Support enforcement actions by providing evidence/testimony
  • Request AG investigation of systemic privacy problems

California Delete Act (SB 362, 2023)

Starting in 2026, California will launch a centralized data broker deletion system allowing residents to delete personal information from ALL registered data brokers with one request.

What the Delete Act Does:

  • One-stop deletion: Submit ONE request to California Privacy Protection Agency (CPPA), and it applies to ALL data brokers
  • Data broker registry: All data brokers must register with CPPA and comply with centralized deletion requests
  • Health data included: Non-HIPAA health information sold by data brokers (e.g., pharmacy discount cards, health marketing data) can be deleted
  • Annual renewals: California residents can renew their deletion request annually to maintain privacy
  • Penalties: Data brokers that fail to comply face CPRA penalties ($7,988 per violation)

🚀 Coming in 2026: This is the FIRST system of its kind in the nation. California is building the infrastructure now. Once live, you'll be able to opt-out of the entire data broker ecosystem with a single click at the CPPA website.

🔒 Modern Technology Protections

FTC Health Breach Rule (2024): Health apps, fitness trackers, and wearables that fall OUTSIDE HIPAA are now covered by the FTC's Health Breach Notification Rule. If your fitness app or wellness platform experiences a data breach, they must notify you and the FTC. This fills the gap where HIPAA doesn't apply to consumer health technologies.
Cal INDEX & Health Data Exchange: California operates Cal INDEX, a secure HIPAA-compliant statewide Health Information Exchange connecting state health registries (immunizations, lab reporting, cancer registry). All PHG connections use encryption, access controls, and data use agreements to protect patient data during mandatory public health reporting. Your providers report required health data securely through this system.

Specific Actions for HIV & Mental Health Privacy

HIV-Related Information (CMIA § 56.10):

  • Insist on separate authorization forms for any HIV-related disclosure
  • Never sign blanket releases for HIV information under CMIA
  • Review who has access to your HIV test results
  • Ask about EHR access controls and request AB 352 segmentation if needed
  • Sue directly under CMIA for unauthorized HIV disclosure ($1K-$250K)
  • Request audit logs showing who viewed your HIV information (HIPAA right)

Mental Health Records (CMIA § 56.10 + AB 2089):

  • Understand CMIA protections require written authorization for ALL disclosures
  • Confirm written consent requirements before any mental health disclosure
  • Keep psychotherapy notes separate from general medical records
  • Revoke authorizations if you change your mind about sharing
  • Mental health apps covered by AB 2089 - they can't sell your data
  • Verify provider understands California's CMIA stricter confidentiality rules

Automate Your California Privacy Protection

HealthConsent® monitors your providers, files requests, reports violations, and enforces your CA privacy rights automatically— including HIPAA, CMIA ($1K-$250K penalties), CPRA opt-outs, AB 254/AB 2089 app audits, AB 352 EHR segmentation, and Cal INDEX opt-out.

Start Comprehensive CA Privacy Protection →

Covers all California providers & health apps • Handles all CMIA/CPRA compliance automatically • Cancel anytime

Section 7: California Privacy Resources & Official Contacts

Need more information? Browse our complete collection of privacy resources →

California Attorney General

CMIA Enforcement & Consumer Protection

Main: 800-952-5225 (CMIA complaints)
Consumer Protection: 800-952-5225 (toll-free)
oag.ca.gov

File CMIA complaints online, view enforcement actions, data breach notifications

What They Handle: CMIA violations, deceptive health data practices, data broker complaints, AB 254/AB 2089 app violations, breach notification violations, multi-state healthcare privacy investigations

California Dept of Health Care Services (DHCS)

Healthcare Facility Oversight & Medi-Cal Administration

Main: 916-445-4171
Facility Complaints: 916-445-4171
dhcs.ca.gov

Healthcare facility licensing, Cal INDEX HIE, Medi-Cal administration, regulatory guidance

What They Handle: Healthcare facility violations, hospital/nursing home complaints, medical records management issues, facility licensing enforcement, patient confidentiality at licensed facilities, Cal INDEX opt-out

Medical Board of California

Physician Licensing & Disciplinary Actions

Main: 800-633-2322
Complaints: 800-633-2322
mbc.ca.gov

File CMIA complaints about physicians, check licensure status, disciplinary actions

What They Handle: Physician misconduct including privacy violations, inappropriate disclosure of patient information, licensing discipline, professional standards enforcement

HHS Office for Civil Rights

Federal HIPAA Enforcement (San Francisco Region)

National: 800-368-1019 (toll-free)
Region IX (CA): 415-437-8310
hhs.gov/ocr

File HIPAA complaints online, access HIPAA guidance, breach reporting

What They Handle: HIPAA Privacy Rule violations, HIPAA Security Rule violations, breach notification failures, patient access denials, federal healthcare privacy enforcement

Pro Tip: File complaints with MULTIPLE agencies when appropriate. For example, a hospital privacy violation could be reported to: (1) HHS OCR for HIPAA violation, (2) CA Attorney General for CMIA violation, (3) CA DHCS for facility violation, (4) CPPA for CPRA violation if applicable. Multi-agency complaints increase chances of enforcement action and higher penalties.

Let HealthConsent® Secure Your California Privacy Rights

California protects 39+ million residents with the nation's strongest privacy framework: Constitutional privacy, CMIA confidentiality ($1,000-$250,000 penalties), CPRA/CCPA rights, app regulations (AB 254/AB 2089/AB 352), EHR segmentation, and aggressive enforcement. HealthConsent® automates enforcement of ALL your CA privacy rights across every provider, app, platform, and data broker.

Start Protecting Your Data

Take advantage of California's unmatched privacy protections—Constitutional rights, CMIA private right to sue, CPRA opt-outs, app audits (AB 254/AB 2089), EHR segmentation (AB 352), anonymous prescriptions (AB 260), and multi-agency enforcement—all automated through one platform