California’s Confidentiality of Information Act

While HIPAA is the federal medical privacy law that protects individually identifiable medical information, many people are not aware that California has its own, stringent medical privacy laws, which are distinct from and in addition to HIPAA. Chief among these is the Confidentiality of Medical Information Act, or CMIA (pronounced “Koh-Mee-Uh”). California set the pace for the nation by being the first state in the U.S. to introduce comprehensive laws about the privacy of medical records. CMIA, which is codified at Section 56 of the California Civil Code, predates HIPAA by more than 15 years. CMIA often sets stricter standards than HIPAA on how medical information can be collected, used, and disclosed in California. While HIPAA and CMIA are separate laws, they both carry varying potential civil and criminal penalties that can be levied against individuals for violations of patient privacy. When California law is more stringent than federal law, we are required to follow those more restrictive state rules. If you are in doubt which rules may apply, please contact Compliance Advisory Services for guidance.