California Privacy Laws and Your Healthcare Practice
We break down California’s state-specific privacy laws and their newest updates.

The privacy and data protection laws in healthcare can feel intimidating to any provider. HIPAA alone includes a long, headache-inducing list of requirements. But for healthcare professionals in California, HIPAA is just one of several major privacy laws in force. Here, we review the state-specific privacy laws and their updates.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is California’s law controlling the general privacy rights of California residents. The CCPA applies to certain businesses that collect “personal information” about California residents, which includes identifying information.
Notably, the CCPA applies to for-profit businesses that do business in California and meet any of the following criteria (as enacted; see the CPRA section below for the updated thresholds that took effect January 1, 2023):
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Most independent healthcare practices do not meet such criteria on their own, and California designed the CCPA with exclusions for medical information governed by the CMIA and protected health information governed by HIPAA. Note that these exclusions cover the regulated data itself, not everything a practice collects; information gathered outside the clinical relationship (for example, website visitor analytics or marketing lists) can still fall within the CCPA if the business meets the thresholds.
However, healthcare technology companies or those who profit from online data should pay special attention to the CCPA and incorporate CCPA policies into their website terms & conditions. Specifically, under the CCPA, California residents have the right to:
- know about the personal information a business collects about them and how it is used and shared;
- delete personal information collected from them (with some exceptions);
- opt out of the sale of their personal information; and
- exercise their CCPA rights without penalty or discrimination.
The California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), approved by voters in November 2020, amends and expands the CCPA, with most of its provisions taking effect January 1, 2023. Among other changes, it raises the second applicability threshold from 50,000 to 100,000 California consumers or households whose personal information a business buys, sells, or shares, and it extends the third threshold to revenue from “sharing” (not just selling) personal information. Effective January 1, 2023, the CPRA also ends the CCPA’s temporary exemption for workforce data, so businesses subject to the CCPA must extend the personal information privacy rights above to past and present workers, officers, directors, medical staff members, independent contractors, and job applicants. CCPA businesses should check with an attorney to understand how the CPRA might impact their compliance and policies.
Though the CCPA and CPRA may not apply to all healthcare providers, they demonstrate California’s commitment to regulating privacy and informing California residents about how businesses use their data.
All California businesses that collect identifying information about their patients, prospective patients, or website visitors should be mindful of the CCPA and watch for any future changes to its scope, even if they’re not currently subject to CCPA requirements.
Moreover, determining whether the CCPA and CPRA rules apply to a particular business can be tricky. Businesses that have CCPA concerns should consult an experienced California attorney for guidance.
Confidentiality of Medical Information Act (CMIA)
The Confidentiality of Medical Information Act (CMIA) operates much more similarly to the federal Health Insurance Portability and Accountability Act (HIPAA). It defines who may release a patient’s confidential medical information and when. Generally, the CMIA prohibits a health care provider, health care service plan, or contractor (i.e., business associate) from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining authorization. It also requires covered healthcare providers that create, maintain, store, or destroy medical information to do so in a way that preserves the confidentiality of that information.
You may be thinking, “How is the CMIA different from HIPAA?” Most notably, the CMIA includes a private right of action for violations. HIPAA has no private right of action: patients may file complaints, but enforcement (including civil penalties) rests with the U.S. Department of Health and Human Services Office for Civil Rights and, since the HITECH Act, with state attorneys general. In contrast, the CMIA allows patients to initiate lawsuits themselves and recover damages.
Moreover, the CMIA’s definitions of “medical information” and “provider” are more inclusive than HIPAA’s definitions of “PHI” and “covered entity.” Thus, the CMIA may provide rights and protections even in circumstances where HIPAA does not.
Sensitive Services
California has developed several new updates to the CMIA in recent years to increase privacy rights for California residents.
Effective in July of 2022, the state amended CMIA to prohibit the disclosure of medical information related to “sensitive services” such as
- mental or behavioral health services;
- sexual and reproductive health services;
- substance use disorder care;
- gender-affirming care; and
- intimate partner violence care.
Importantly, the CMIA amendment prohibits the disclosure of sensitive services medical information to anyone other than the patient, or the parent or guardian of a minor patient, without the patient’s express written authorization. (Note, however, that where the minor can legally consent to the care on their own, parents may be restricted from obtaining information about those sensitive services without the minor’s authorization.)
The CMIA also allows patients to request “confidential communications” for all interactions regarding their medical information, essentially giving patients more control over the transmission of their information. Under the CMIA, providers must accommodate requests for confidential communications whenever a patient’s requested form and format for transmitting the information is available. Thus, California providers should be careful about how they share patient information and keep track of whether or not the patient has requested alternative confidential communication methods.
Mental Health Digital Services
Another recent change to the CMIA is its application to mental health mobile and internet-based applications. California’s Assembly Bill 2089, signed in 2022, brings mobile or internet-based applications that collect mental health information within the scope of the CMIA. Under this amendment, any business that offers a “mental health digital service” is deemed a provider of health care under the CMIA and is subject to the CMIA’s provisions. A mental health digital service is any mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services, and uses that information to provide those services to the consumer.
Get Legal Support
California’s commitment to healthcare privacy (and data privacy in general) is often considered unmatched by other states. And remember, these state laws layer on top of federal laws, meaning that providers in California need to be aware of both sets of requirements. While staying on top of an ever-changing legal landscape is difficult, an experienced healthcare attorney can help you update your practice policies to comply.
If you operate a healthcare practice in California, reach out to us. We offer free consultations to help you determine how well we fit your needs.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.