California Health Data Privacy Laws: Complete Guide
California protects 39 million residents with the nation's strongest health privacy framework: Constitutional privacy rights, CMIA confidentiality protections, CPRA/CCPA consumer rights, strict app regulations (AB 254, AB 2089, AB 352), EHR segmentation mandates, and the most aggressive enforcement in the United States.
California's leadership in health privacy protection
Quick Summary: CA Health Privacy Laws
Updated October 2025 - Everything you need to know in 2 minutes
Your Legal Protections in California:
- Federal HIPAA Rights: Access records (30 days), amend errors, restrict disclosures, request accounting, receive breach notifications (60 days), confidential communications. Learn more ↗
- California Constitutional Privacy (Article I, § 1): Inalienable right to privacy stronger than HIPAA, underpins all state health data protections
- CMIA (Civ. Code § 56-56.37): 15-day records access (vs HIPAA 30), 5-day inspection, written authorization for ALL disclosures, private right to sue, $1,000-$250,000 penalties. Full text ↗
- CPRA/CCPA Rights: Know, delete, opt-out of sale/sharing for health data (sensitive personal information category), $7,988 per violation enforcement by CPPA
- Health App Regulations: AB 254 (reproductive/sexual health apps) & AB 2089 (mental health apps) must comply with CMIA as healthcare providers
- EHR Segmentation & Anonymous Rx: AB 352 segregates abortion/gender care records; AB 260 allows anonymous abortion medication prescriptions; AB 45 bans clinic geofencing
6 Actionable Steps You Can Take Today:
- 1. Request Medical Records: Submit written request - CA providers must respond within 15 days (faster than HIPAA's 30), 5 days for inspection
- 2. File CMIA Complaints: Report violations to CA Attorney General at 800-952-5225 OR sue directly for $1,000+ damages
- 3. Exercise CPRA Rights: Opt-out of health data "sale" on all apps, wearables using CPPA tools
- 4. Opt-Out of Cal INDEX: Contact CA DHCS to restrict statewide Health Information Exchange. Learn about HIEs →
- 5. Audit Health Apps: Check if mental health, pregnancy, period-tracking apps comply with AB 254/AB 2089 - report to CPPA
- 6. Request EHR Segmentation: For sensitive services under AB 352, request records be segregated from out-of-state access
⚡ Get Automated Privacy Protection
HealthConsent automatically exercises your CMIA & HIPAA rights, enforces CPRA opt-outs, monitors Cal INDEX, audits health app compliance (AB 254/AB 2089), requests EHR segmentation under AB 352, and protects your data across all California providers and platforms.
Section 1: California Health Privacy Landscape
California's National Leadership in Health Privacy
Major Healthcare Ecosystem:
- • Kaiser Permanente: 39 hospitals, 12.7M members, largest integrated system in CA
- • Sutter Health: 24 hospitals, Northern CA network
- • Cedars-Sinai: Academic medical center, Los Angeles
- • UCLA Health: Top-ranked academic medical system
- • Stanford Health Care: Academic medical center, Palo Alto
- • UC Health: 5 academic medical centers statewide
Privacy Law Leadership:
- • Constitutional privacy right (Article I, § 1) - only state with explicit constitutional protection
- • CMIA since 1981 - oldest and strongest state medical privacy law
- • Private right to sue - $1,000-$250,000 damages (HIPAA has none)
- • CPRA/CCPA enforcement by CPPA ($7,988+ per violation)
- • App-specific regulations - AB 254, AB 2089, AB 352 mandate CMIA compliance
- • Model for other states - Many states copy California's approach
Why California Leads the Nation in Health Privacy
As of October 2025, California maintains the STRONGEST health data privacy protections in the United States. The state's comprehensive framework includes:
- • Constitutional privacy right - Only state with explicit privacy in constitution (Article I, § 1)
- • Private right to sue under CMIA - $1,000-$250,000 damages without needing government involvement
- • Comprehensive consumer rights - CPRA/CCPA apply to health data outside HIPAA (apps, wearables, data brokers)
- • App-specific mandates - AB 254 & AB 2089 require health apps to comply with CMIA
- • EHR segmentation - AB 352 protects abortion & gender-affirming care from out-of-state requests
- • Multi-agency enforcement - CA AG, CPPA, HHS OCR all actively enforce violations
California's model has been adopted by other states including Washington, Colorado, and Connecticut.
Section 2: Your Privacy Rights Under California & Federal Law
California residents benefit from a layered privacy framework combining federal HIPAA protections with stronger state-level rights. Learn more about when state laws override federal HIPAA →
Federal HIPAA Rights (Apply to All CA Providers)
- Right to Access: Request and receive copies of your medical records within 30 days (or 15 days if electronic). Providers may charge reasonable, cost-based fees but cannot charge retrieval fees.
- Right to Amendment: Request corrections to inaccurate or incomplete health information. Provider must respond within 60 days and either make the amendment or provide a written denial with your right to submit a statement of disagreement.
- Right to Restrict Disclosures: Request limitations on how your health information is used or shared. Providers MUST agree to restrict disclosures to health plans for services you paid out-of-pocket in full.
- Right to Accounting of Disclosures: Request a list of who your provider shared your health information with in the past 6 years (excluding treatment, payment, operations). First accounting per 12 months is free.
- Right to Breach Notification: Receive notification within 60 days if your unsecured health information has been improperly accessed or disclosed. Notification must include what happened, what information was involved, and steps you should take.
- Right to Confidential Communications: Request that your provider communicate with you at an alternative address or by alternative means (e.g., call your work phone instead of home). Provider must accommodate reasonable requests.
- Right to File Complaints: File complaints about HIPAA violations with your provider or with HHS Office for Civil Rights. Provider cannot retaliate against you for filing a complaint.
California CMIA Enhanced Protections (Stronger than HIPAA)
- 15-Day Records Access (Civ. Code § 56.10): California providers must provide copies of medical records within 15 business days (vs HIPAA's 30 days). For inspection only: 5 business days. Providers can charge reasonable cost-based fees only ($.25/page for paper copies, actual cost for electronic records). The 21st Century Cures Act prohibits information blocking—providers cannot charge excessive fees or delay access to EHR data. California's DHCS Data Exchange Framework (DxF) (launched 2024) requires all health entities to participate in statewide data sharing, improving interoperability and your ability to aggregate records from multiple providers.
- Written Authorization Required (Civ. Code § 56.10-56.11): CMIA requires written authorization for ALL disclosures of medical information (except for treatment, payment, healthcare operations, and other enumerated exceptions). This is stricter than HIPAA, which allows more flexibility for covered entities. CMIA applies broadly to healthcare providers, insurers, pharmaceutical companies, and any "products, services, or technologies that store, transmit, or process medical information" (AB 658, 2013).
- Private Right to Sue (Civ. Code § 56.35-56.36): Unlike HIPAA, CMIA allows patients to sue directly for unauthorized disclosures. Minimum $1,000 per violation, plus attorney fees. Willful or negligent violations: up to $250,000 per violation. This gives CA patients powerful enforcement tools.
- CPRA Consumer Rights (Civ. Code § 1798.100 et seq.): Health data is "sensitive personal information" under CPRA. Critical distinction: Protected Health Information (PHI) under HIPAA is exempt from CPRA. However, health information outside HIPAA's regime—apps not covered by HIPAA, wearables, fitness trackers, data brokers, marketing data—falls under CPRA rights. Californians can: know what's collected, delete data, opt-out of sale/sharing. CPPA enforces violations at $7,988 per violation (2025 inflation-adjusted).
- Health App Regulations (AB 254 & AB 2089): Reproductive/sexual health apps (period trackers, pregnancy apps) and mental health apps are treated as CMIA-covered healthcare providers. They must obtain written authorization before disclosures, cannot sell data, and are subject to CMIA's $1,000-$250,000 penalties. This closes the "app gap" left by federal HIPAA.
- EHR Segmentation for Sensitive Services (AB 352): Effective July 2024, EHR systems must segregate records of abortion, contraception, and gender-affirming care. These records must be: (1) restricted to authorized personnel only, (2) NOT transmitted outside California, (3) protected from out-of-state subpoenas or legal requests. This protects CA patients from hostile state prosecutions.
- Cal INDEX HIE Opt-Out: California operates Cal INDEX, the statewide Health Information Exchange. You have the RIGHT TO OPT OUT of having your medical records shared across this network. Contact your provider or CA DHCS to restrict participation.
- Anonymous Prescriptions (AB 260, signed Sept 2025): Patients can obtain abortion medication prescriptions (mifepristone) without their name on the prescription. This prevents prescription records from being used to track or target patients seeking reproductive healthcare.
Section 3: Recent Law Updates & Enforcement (2022-2025)
AB 260: Anonymous Abortion Medication Prescriptions
Signed Sept 2025AB 260 allows patients to obtain abortion medication prescriptions (mifepristone) without their name on the prescription. This landmark legislation prevents prescription records from being used to track, target, or prosecute patients seeking reproductive healthcare. State-regulated health insurance plans must cover these medications.
Impact for Patients: Complete anonymity for abortion medication prescriptions, protecting privacy from government surveillance, data brokers, and out-of-state legal action. No prescription records = no paper trail.
AB 45: Geofencing Ban & Research Protection
Signed Sept 2025AB 45 (1) prohibits geofencing around healthcare facilities - companies cannot use location data to target patients visiting reproductive health clinics, and (2) shields research participants - prohibits releasing identifying research records in response to out-of-state subpoenas based on anti-reproductive-care laws.
Impact for Patients: Complete protection from location tracking at clinics. Apps/advertisers cannot geofence Planned Parenthood or abortion providers. Research participants protected from hostile state investigations.
AB 352: EHR Segmentation for Sensitive Services
Effective July 2024AB 352 requires EHR systems to segregate records of abortion, contraception, and gender-affirming care. These records must be: (1) restricted to authorized personnel only, (2) NOT transmitted outside California, (3) protected from out-of-state subpoenas. EHR vendors must implement by July 2024 and can charge only cost-based fees (aligned with federal information-blocking exceptions).
Impact for Patients: Your abortion/gender-affirming care records are protected from hostile state prosecutions. CA patients can request EHR segmentation to ensure sensitive services remain confidential and cannot be accessed by out-of-state authorities.
AB 254 (2023) treats reproductive/sexual health apps (period trackers, pregnancy apps, fertility apps) as CMIA-covered healthcare providers. AB 2089 (2022) does the same for mental health & substance use disorder apps. Both must obtain written authorization before disclosures, cannot sell user data, and face CMIA's $1,000-$250,000 penalties.
Impact for Patients: Health apps are now regulated like hospitals—period trackers, mental health apps, fertility apps cannot sell your data and must comply with CMIA. Closes the "app gap" left by federal HIPAA.
AB 1697: Electronic Signatures for Medical Authorizations
Effective Jan 2024AB 1697 lifted California's ban on electronic signatures for medical authorizations. Patients can now sign CMIA consent forms electronically (PDF, e-signatures). Standard consents expire in one year unless longer period specified. This modernizes consent procedures while maintaining CMIA protections.
Impact for Patients: Easier to provide medical authorizations digitally without weakening CMIA protections. Electronic signatures have same legal weight as ink signatures.
California AG & CPPA Enforcement Actions
2023-2025 OngoingCalifornia Attorney General and the California Privacy Protection Agency (CPPA) launched comprehensive healthcare privacy enforcement targeting data brokers, health apps, and large healthcare systems for CMIA and CPRA violations. This includes investigating unauthorized data sales, deceptive privacy practices, failure to obtain proper CMIA consent, and violations of AB 254/AB 2089 app regulations. CPPA has issued $7,988+ per violation fines against non-compliant companies.
Impact for Patients: Increased enforcement against entities misusing health data, ability to file complaints that will be actively investigated, and potential for restitution in cases where data was improperly sold or disclosed.
Federal 42 CFR Part 2 Alignment for Substance Use Records
2024California updated its substance abuse treatment regulations to align with revised federal 42 CFR Part 2 rules, clarifying when substance use disorder treatment records can be disclosed for care coordination while maintaining strong consent requirements.
Impact for Patients: Slightly easier care coordination for substance use disorder treatment while maintaining core consent protections. Patients retain the right to restrict disclosures and must provide written consent for most uses beyond direct treatment.
Section 4: How to Exercise Your Rights (Step-by-Step)
Ready to take action? Here's your complete guide to exercising your health privacy rights →
1
Request Your Medical Records
Submit a written request to your healthcare provider's medical records department or privacy officer.
What to Include:
- • Your full name, date of birth, and contact information
- • Specific records requested (date range, type of records)
- • Format preference (paper or electronic)
- • Delivery method (mail, pickup, secure email)
Timeline:
Provider must respond within 30 days (can extend to 60 days with written notice).
2
File CMIA/CPRA Complaints for Unfair Practices
Use California's industry-leading privacy laws (CMIA & CPRA) to challenge deceptive or unfair health data practices.
When to File:
- • Provider sold your data without clear authorization
- • Deceptive privacy policies or practices
- • Unauthorized marketing using your health info
- • Failure to honor opt-out requests
How to File:
Contact California Attorney General's Consumer Protection Section at 800-952-5225 or file online at oag.ca.gov/contact
3
Report Breach Notification Violations
If you discover a breach wasn't properly reported or you weren't notified within legal timeframes.
Red Flags:
- • You found out about a breach through news, not direct notification
- • Notification came more than 60 days after breach discovery
- • Incomplete information about what data was compromised
- • No offer of credit monitoring or identity protection after major breach
Who to Contact:
- • CA Attorney General: 800-952-5225
- • CA Dept of Health Care Services: 916-445-4171
- • CA Privacy Protection Agency (CPPA): Report CPRA violations online
- • HHS Office for Civil Rights: 800-368-1019
4
Exercise Special HIV/Mental Health Rights
California's CMIA enhanced protections require written authorization for ALL sensitive health information disclosures.
HIV Information (CMIA § 56.10):
- • Demand separate, specific written authorization for HIV disclosures
- • General medical release forms are NOT sufficient under CMIA
- • Unauthorized disclosure: $1,000-$250,000 private right to sue
Mental Health & Substance Abuse Records (CMIA § 56.10):
- • Written authorization required for disclosures beyond treating providers
- • Federal 42 CFR Part 2 protections for substance abuse treatment apply
- • You can revoke authorization at any time under CMIA
5
Understand Public Health & Research Exceptions
California allows certain disclosures without consent for public health, research, and law enforcement purposes. AB 45 (2023) protects reproductive and gender-affirming care research and prohibits geofencing near health facilities.
Public Health Exceptions (HIPAA & CMIA):
- •Disease surveillance: Providers must report certain diseases to CA Dept of Public Health (Cal. Health & Safety Code § 120130-120175)
- •Child/elder abuse: Mandatory reporting to county welfare or law enforcement (Pen. Code § 11165.7)
- •Research: De-identified data may be used for research without consent (45 CFR § 164.514)
- •AB 45 protection: California prohibits geofencing and tracking near health facilities; data from reproductive health research cannot be used in criminal/civil proceedings
- •Court orders: Providers must comply with valid subpoenas/court orders (but can challenge overbroad requests)
Your Rights Against Improper Disclosures:
- •Request an accounting of disclosures to see if your data was shared under public health exceptions
- •Challenge disclosures if they exceed statutory exceptions
- •File complaints with CA AG or HHS OCR if you believe disclosures were improperly justified
HealthConsent files requests, monitors responses, and escalates violations automatically
Section 5: Enforcement Mechanisms & Penalties
California has the nation's strongest enforcement framework with multiple agencies pursuing violations. See major health data breach cases →
Recent Major California Cases
Federal HIPAA Enforcement
Up to $1.92M per violation category/yearHHS Office for Civil Rights enforces HIPAA Privacy and Security Rules with tiered civil penalties based on culpability level:
Civil Penalties (per violation):
- • Tier 1 (unknowing): $127-$63,973
- • Tier 2 (reasonable cause): $1,280-$63,973
- • Tier 3 (willful neglect, corrected): $12,794-$63,973
- • Tier 4 (willful neglect, not corrected): $63,973-$1,919,173
Criminal Penalties:
- • Up to 1 year + $50,000 fine (knowing violations)
- • Up to 5 years + $100,000 (false pretenses)
- • Up to 10 years + $250,000 (intent to sell/profit)
Recent Major CA Cases: Multiple California hospitals and health systems have faced HIPAA investigations and settlements in recent years for impermissible disclosures, inadequate security measures, and delayed breach notifications. Kaiser, Sutter Health, and UC Health have all been subject to federal enforcement actions.
California Attorney General (CMIA)
$2,500-$250,000 per violationCalifornia AG enforces CMIA (Civ. Code § 56.35-56.37) with broad enforcement authority and significant penalties:
Enforcement Powers & Penalty Structure:
- • Civil penalties: $2,500 per negligent violation; up to $250,000 per willful violation (Civ. Code § 56.36)
- • Injunctive relief: Court orders to stop unauthorized disclosures
- • Consumer restitution: Compensation for damages
- • Attorney fees: Recover costs of enforcement
- • AB 254/AB 2089 enforcement: Health app violations treated as CMIA violations
- • Multi-state coordination: Joint actions with other state AGs
What Constitutes CMIA Violation:
- • Disclosing medical information without written authorization (Civ. Code § 56.10)
- • Selling health data from period trackers/mental health apps (AB 254/AB 2089)
- • Failing to provide records within 15 business days (Civ. Code § 56.10)
- • Using health information for marketing without authorization
- • Inadequate security leading to preventable breaches
- • Violating EHR segmentation requirements (AB 352)
California Privacy Protection Agency (CPPA)
CPRA Enforcement AuthorityCPPA is the nation's first dedicated state privacy agency, enforcing CPRA for consumer health data (apps, wearables, data brokers) NOT covered by HIPAA:
Enforcement Authority:
- Administrative Fines: Up to $7,988 per violation (adjusted annually for inflation)
- Intentional Violations: Up to $23,963 per intentional violation involving minors' data
- Health App Oversight: Enforces AB 254/AB 2089 compliance for health apps alongside CA AG
- Consumer Complaints: Investigates individual complaints about data sale, sharing, deletion failures
- Rulemaking Authority: Issues regulations clarifying CPRA requirements for health data
- Coordination with AG: Joint enforcement actions for large-scale violations
FTC Health Breach Notification Rule (Non-HIPAA Entities)
Federal Enforcement for Apps & WearablesFTC Health Breach Notification Rule applies to health apps, wearables, and other "personal health record" vendors NOT covered by HIPAA. In 2024, the FTC strengthened enforcement, requiring breach notifications within 60 days and imposing penalties for non-compliance.
FTC Enforcement Authority:
- • Covered entities: Health apps (period trackers, mental health, fitness), wearables, PHR platforms, telehealth services not HIPAA-covered
- • Breach notification requirement: Notify FTC, consumers, and media (if 500+ affected) within 60 days of breach discovery
- • Penalties: FTC Act Section 5 violations carry civil penalties up to $50,120 per violation (2024 rate)
- • Coordination with States: FTC works with CA AG and CPPA to enforce against non-HIPAA health tech companies
- • Recent CA enforcement: FTC has targeted period tracking apps, mental health apps, and telehealth companies for improper data sharing
Why This Matters for California Residents:
California's AB 254/AB 2089 regulations work alongside FTC enforcement to create a comprehensive regulatory framework for health apps. If an app violates CMIA, CPRA, or FTC rules, you can file complaints with all three agencies (CA AG, CPPA, FTC) for maximum enforcement.
Private Rights & Civil Remedies (CMIA)
$1,000-$250,000 per violationCalifornia provides the STRONGEST private right to sue for health privacy violations in the nation through CMIA:
CMIA Private Right of Action (Civ. Code § 56.35-56.36):
Patients can sue directly for unauthorized disclosures of medical information. Minimum $1,000 per violation, plus attorney fees. Willful or negligent violations: up to $250,000 per violation. No need to prove actual damages.
Health App Violations (AB 254/AB 2089):
Period trackers, pregnancy apps, mental health apps that sell data are treated as CMIA-covered providers. Patients can sue for same $1,000-$250,000 penalties. This closes the "app gap" left by federal HIPAA.
Common Law Privacy Torts:
California Constitution Article I § 1 explicit right to privacy supports common law claims for public disclosure of private facts, intrusion upon seclusion, and breach of confidentiality beyond CMIA's statutory remedies.
Section 6: Protecting Your Health Data in California
Beyond knowing your rights, take proactive steps to secure your health information. Check out our complete privacy protection checklist →
Proactive Privacy Strategies
Monitor Large Health Systems
California's major integrated health systems handle millions of patient records. Stay vigilant about their data practices.
- •Request privacy notices from Kaiser, Sutter, Cedars-Sinai, UCLA Health, Stanford, UC Health
- •Review data sharing agreements before signing any authorizations—invoke CMIA rights
- •Ask about third-party access and verify written CMIA authorization requirements
- •Check breach notification websites of major systems regularly
- •Exercise restriction rights to limit inter-facility sharing & opt-out of Cal INDEX
- •Request EHR segmentation under AB 352 for sensitive services
Leverage CMIA & CPRA Protection
Use California's industry-leading privacy laws (CMIA + CPRA) as powerful tools against unfair health data practices.
- •File CMIA/CPRA complaints with CA AG (800-952-5225) or CPPA for violations
- •Document all communications about your health data usage
- •Save privacy policies and note when they change—CMIA violations actionable
- •Report data broker activities to CA AG & CPPA
- •Sue directly under CMIA for unauthorized disclosures ($1K-$250K)
- •Exercise CPRA rights to opt-out, delete, and access your data
Engage Enforcement Mechanisms
California has the nation's strongest enforcement—don't hesitate to use it when your privacy rights are violated.
- •Report privacy violations to CA Attorney General (800-952-5225) immediately
- •Document breach delays beyond HIPAA 60-day or CA 15-day requirements
- •File HHS OCR complaints for HIPAA violations
- •Contact CA DHCS (916-445-4171) for facility-specific issues
- •Support enforcement actions by providing evidence/testimony
- •Request AG investigation of systemic privacy problems
California Delete Act (SB 362, 2023)
Starting in 2026, California will launch a centralized data broker deletion system allowing residents to delete personal information from ALL registered data brokers with one request.
What the Delete Act Does:
- •One-stop deletion: Submit ONE request to California Privacy Protection Agency (CPPA), and it applies to ALL data brokers
- •Data broker registry: All data brokers must register with CPPA and comply with centralized deletion requests
- •Health data included: Non-HIPAA health information sold by data brokers (e.g., pharmacy discount cards, health marketing data) can be deleted
- •Annual renewals: California residents can renew their deletion request annually to maintain privacy
- •Penalties: Data brokers that fail to comply face CPRA penalties ($7,988 per violation)
🚀 Coming in 2026: This is the FIRST system of its kind in the nation. California is building the infrastructure now. Once live, you'll be able to opt-out of the entire data broker ecosystem with a single click at the CPPA website.
🔒 Modern Technology Protections
Specific Actions for HIV & Mental Health Privacy
HIV-Related Information (CMIA § 56.10):
- ✓ Insist on separate authorization forms for any HIV-related disclosure
- ✓ Never sign blanket releases for HIV information under CMIA
- ✓ Review who has access to your HIV test results
- ✓ Ask about EHR access controls and request AB 352 segmentation if needed
- ✓ Sue directly under CMIA for unauthorized HIV disclosure ($1K-$250K)
- ✓ Request audit logs showing who viewed your HIV information (HIPAA right)
Mental Health Records (CMIA § 56.10 + AB 2089):
- ✓ Understand CMIA protections require written authorization for ALL disclosures
- ✓ Confirm written consent requirements before any mental health disclosure
- ✓ Keep psychotherapy notes separate from general medical records
- ✓ Revoke authorizations if you change your mind about sharing
- ✓ Mental health apps covered by AB 2089 - they can't sell your data
- ✓ Verify provider understands California's CMIA stricter confidentiality rules
Automate Your California Privacy Protection
HealthConsent® monitors your providers, files requests, reports violations, and enforces your CA privacy rights automatically— including HIPAA, CMIA ($1K-$250K penalties), CPRA opt-outs, AB 254/AB 2089 app audits, AB 352 EHR segmentation, and Cal INDEX opt-out.
Start Comprehensive CA Privacy Protection →Covers all California providers & health apps • Handles all CMIA/CPRA compliance automatically • Cancel anytime
Section 7: California Privacy Resources & Official Contacts
Need more information? Browse our complete collection of privacy resources →
California Attorney General
CMIA Enforcement & Consumer Protection
File CMIA complaints online, view enforcement actions, data breach notifications
California Dept of Health Care Services (DHCS)
Healthcare Facility Oversight & Medi-Cal Administration
Healthcare facility licensing, Cal INDEX HIE, Medi-Cal administration, regulatory guidance
What They Handle: Healthcare facility violations, hospital/nursing home complaints, medical records management issues, facility licensing enforcement, patient confidentiality at licensed facilities, Cal INDEX opt-out
Medical Board of California
Physician Licensing & Disciplinary Actions
File CMIA complaints about physicians, check licensure status, disciplinary actions
What They Handle: Physician misconduct including privacy violations, inappropriate disclosure of patient information, licensing discipline, professional standards enforcement
HHS Office for Civil Rights
Federal HIPAA Enforcement (San Francisco Region)
File HIPAA complaints online, access HIPAA guidance, breach reporting
What They Handle: HIPAA Privacy Rule violations, HIPAA Security Rule violations, breach notification failures, patient access denials, federal healthcare privacy enforcement
Let HealthConsent® Secure Your California Privacy Rights
California protects 39+ million residents with the nation's strongest privacy framework: Constitutional privacy, CMIA confidentiality ($1,000-$250,000 penalties), CPRA/CCPA rights, app regulations (AB 254/AB 2089/AB 352), EHR segmentation, and aggressive enforcement. HealthConsent® automates enforcement of ALL your CA privacy rights across every provider, app, platform, and data broker.
Start Protecting Your DataTake advantage of California's unmatched privacy protections—Constitutional rights, CMIA private right to sue, CPRA opt-outs, app audits (AB 254/AB 2089), EHR segmentation (AB 352), anonymous prescriptions (AB 260), and multi-agency enforcement—all automated through one platform