Patient health information is governed by detailed rules that determine how this data is handled, stored, and accessed. Federal law, chiefly the Health Insurance Portability and Accountability Act (HIPAA), and various state laws strengthen patient rights. HIPAA sets a national baseline for the protection of patient health information. Under the rule's preemption provisions, that baseline is a floor: contrary state laws that offer weaker medical privacy protection are preempted, while state laws that offer stronger protection remain in force.

States can therefore exceed HIPAA and institute more stringent requirements. One example is the California Confidentiality of Medical Information Act (CMIA), which in several respects protects medical information more strictly than HIPAA does.

Ordinarily, when federal and state rules conflict, the federal rule governs. HIPAA's preemption rule, however, expressly carves out state laws that are more stringent than its own requirements, and those state provisions continue to apply. For entities within California's jurisdiction, the CMIA is therefore generally the governing standard wherever it is stricter than HIPAA.

Understanding how HIPAA and the CMIA apply to your organization improves its data security and helps you meet the regulatory and ethical standard your clients and patients are owed.

What is HIPAA?

Enacted in 1996, HIPAA takes a multifaceted approach to protecting personal health information and medical records. The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) sets national standards for how patient health data may be used and disclosed. The HIPAA Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) set out the safeguards covered entities must implement to protect electronic protected health information (e-PHI).

The Security Rule covers both non-technical and technical safeguards. It is administered by the U.S. Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) has the authority to investigate, enforce compliance, and levy monetary penalties.

The Security Rule applies to covered entities: health plans (including health insurers), health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standard transactions. It also applies directly to business associates, the vendors and contractors that create, receive, maintain or transmit e-PHI on a covered entity's behalf.

The Security Rule's general requirements oblige covered entities to ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit; to identify and protect against reasonably anticipated threats to its security or integrity; to protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit; and to ensure compliance by their workforce. Risk analysis, administrative, physical and technical safeguards, and notification obligations following a breach are also covered under HIPAA as amended.

How does the CMIA differ from HIPAA?

The CMIA shares HIPAA's goals of protecting individuals' health care information and preventing unauthorized disclosure of medical information, but the California law carries additional, more extensive requirements and broader definitions.

Under the CMIA, medical information is defined as “individually identifiable health information about a patient’s medical history, mental or physical condition, or treatment.” 

Information is "individually identifiable" under the CMIA when it includes any element of personal identifying information sufficient to identify the patient, such as a name, email address, physical address, phone number or Social Security number. Information that, alone or in combination with publicly available information, reveals a person's identity is also considered individually identifiable. In practice this means that stripping obvious identifiers is not enough: a record that can be re-identified by linking it to public data remains medical information under the Act.

The CMIA applies to providers of health care, health care service plans, and contractors, as well as to "recipients" of medical information.

Employers should note that "recipient" is not defined under the CMIA and may be read broadly. Providers that fall under the CMIA should therefore inventory every channel through which medical information can reach them, including patient portals, email, fax, third-party integrations and mobile applications, and apply appropriate safeguards to each intake path.

One significant difference between the two laws is enforcement. HIPAA is enforced by HHS, which can impose civil monetary penalties, but it creates no private right of action for patients. The CMIA, by contrast, allows patients to sue for violations and recover nominal damages (set by Cal. Civ. Code § 56.36 at $1,000, without proof of actual harm), actual damages, and in some circumstances attorney's fees.

Additionally, the CMIA's definition of "provider of health care" reaches further than HIPAA's covered-entity language. Under Cal. Civ. Code § 56.06, any business that offers software or hardware to consumers, "including a mobile application or other related device," that is designed to maintain medical information for the individual or for diagnosis, treatment or management of a medical condition is deemed a provider of health care. A consumer health app developer that is not a HIPAA covered entity may therefore still be bound by the CMIA.

Employers that receive employee medical information also fall under the CMIA. They must establish procedures to keep that information confidential and protected from unauthorized use and disclosure, and must not disclose employee medical information without the worker's authorization except where the Act permits.


Organizations, health care providers and covered entities subject to the CMIA and HIPAA should train their employees on the specific requirements of each law so that data is protected end to end, and should regularly review the risk management program and reassess systems and policies as they change.

Because the CMIA is more stringent than HIPAA, employers subject to it should ensure their workforce complies with it, not only to protect the organization from liability, but also to protect patient privacy and to operate ethically. Protecting patient privacy is essential to improving the quality of care and fostering access to care.