Let me tell you something that should make every healthcare practice owner in California sit up straight in their chair and pay attention.
The Office for Civil Rights — that's OCR, the enforcement arm of the Department of Health and Human Services — collected over $4.1 million in HIPAA penalties in the first quarter of 2024 alone. And those are just the ones that made the news. The smaller settlements, the corrective action plans, the practices quietly writing six-figure checks to make investigations go away — those don't get press releases.
Here is the brutal, uncomfortable truth: **most healthcare practices in California are not compliant.** They think they are. They have a binder on a shelf somewhere. They did a training video three years ago. They signed something. And they are sitting on a ticking time bomb.
This guide is going to walk you through exactly what HIPAA requires, what California adds on top of it, and what you need to do about it — not in theory, but in practice. No jargon fog. No legal hedging. Just the facts, the risks, and the fix.
HIPAA: The Law That Changed Everything (And Keeps Changing)
The Health Insurance Portability and Accountability Act was signed into law in 1996. Most people think of it as a privacy law. It is. But it started as a portability law — making sure people could keep their health insurance when they changed jobs. The privacy and security provisions were bolted on because Congress realized that as healthcare went digital, someone needed to set the rules for protecting patient information.
For the first decade, HIPAA had teeth on paper but not much bite in practice. That changed dramatically in 2009 with the HITECH Act — the Health Information Technology for Economic and Clinical Health Act. HITECH did three critical things:
- **It created mandatory breach notification requirements.** Before HITECH, breaches were embarrassing. After HITECH, they were reportable events with hard deadlines.
- **It extended HIPAA requirements directly to business associates.** Before, only covered entities were on the hook. After, every vendor touching patient data had direct liability.
- **It dramatically increased penalties.** The old penalty structure was a joke — $100 per violation with a $25,000 annual cap. HITECH created a tiered penalty system that goes up to $1.5 million per violation category per year.
If you are running a healthcare practice in California and you have not updated your HIPAA compliance program since before 2009, you are operating with a compliance framework that is legally obsolete.
The Privacy Rule: What You Cannot Do With Patient Information
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs the use and disclosure of Protected Health Information — PHI. And the first thing you need to understand is that the definition of PHI is broader than most people think.
What Counts as PHI
PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It includes 18 specific identifiers defined in 45 CFR 164.514(b)(2):
- Names
- Geographic data smaller than a state
- Dates (birth, admission, discharge, death) — except year
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number or code
That last one is the catch-all, and it is intentionally broad. If the information can be used to identify a patient and it relates to their health condition, treatment, or payment for treatment — it is PHI. Period.
The Minimum Necessary Standard
Under 45 CFR 164.502(b), covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. This means your front desk staff should not have the same level of access to patient records as your physicians. Your billing department needs billing information, not clinical notes.
Most small practices fail this test completely. Everyone has access to everything because it is easier to set up that way. Easier is not a defense when OCR comes knocking.
Patient Rights Under the Privacy Rule
The Privacy Rule grants patients six specific rights regarding their PHI:
- **Right to access** (45 CFR 164.524) — Patients can request copies of their records, and you must provide them within 30 days. You can charge a reasonable cost-based fee, but you cannot refuse.
- **Right to amend** (45 CFR 164.526) — Patients can request corrections to their records. You can deny the request, but you must explain why in writing.
- **Right to an accounting of disclosures** (45 CFR 164.528) — Patients can ask who you have shared their information with, going back six years.
- **Right to request restrictions** (45 CFR 164.522) — Patients can ask you to limit how you use or disclose their PHI. You do not have to agree — with one exception: if a patient pays out of pocket in full, they can restrict disclosure to their health plan, and you must comply.
- **Right to confidential communications** (45 CFR 164.522) — Patients can request that you communicate with them by alternative means or at alternative locations.
- **Right to a copy of the Notice of Privacy Practices** — which brings us to the NPP.
Notice of Privacy Practices
Every covered entity must maintain and distribute a Notice of Privacy Practices (45 CFR 164.520). This is not optional. It is not a formality. It must describe your uses and disclosures of PHI, the patient's rights, and your legal duties. It must be provided to every patient at their first encounter, posted in your facility, and available on your website if you have one.
The number of practices operating without a current, compliant NPP is staggering. And "current" is the operative word — if your NPP does not reflect the Omnibus Rule changes from 2013, it is out of date.
The Security Rule: Protecting Electronic PHI
While the Privacy Rule covers all PHI in any form, the Security Rule (45 CFR Part 164, Subpart C) focuses specifically on electronic PHI — ePHI. It requires three categories of safeguards.
Administrative Safeguards (45 CFR 164.308)
These are the policies and procedures that govern your workforce:
- **Security Management Process** — risk analysis, risk management, sanction policies, information system activity review
- **Assigned Security Responsibility** — a designated security officer (this cannot be "nobody" or "everybody")
- **Workforce Security** — authorization and supervision procedures, termination procedures, access clearance
- **Information Access Management** — access authorization, access establishment and modification
- **Security Awareness and Training** — security reminders, login monitoring, password management, protection from malicious software
- **Security Incident Procedures** — response and reporting
- **Contingency Plan** — data backup, disaster recovery, emergency mode operations, testing and revision
- **Evaluation** — periodic technical and non-technical evaluation of security policies and procedures
Physical Safeguards (45 CFR 164.310)
- **Facility Access Controls** — who can physically access areas where ePHI is stored or accessible
- **Workstation Use** — policies governing how workstations that access ePHI are used
- **Workstation Security** — physical safeguards for workstations (screen locks, positioning, clean desk)
- **Device and Media Controls** — disposal, media re-use, accountability, data backup and storage
Technical Safeguards (45 CFR 164.312)
- **Access Control** — unique user identification, emergency access procedures, automatic logoff, encryption and decryption
- **Audit Controls** — hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI
- **Integrity** — mechanisms to authenticate ePHI and protect it from improper alteration or destruction
- **Person or Entity Authentication** — verify that a person or entity seeking access to ePHI is who they claim to be
- **Transmission Security** — integrity controls and encryption for ePHI transmitted over electronic networks
The Security Risk Assessment: The Requirement Everyone Ignores
Here is the single most commonly cited deficiency in OCR enforcement actions: **failure to conduct a Security Risk Assessment (SRA).**
Under 45 CFR 164.308(a)(1)(ii)(A), every covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This is not optional. This is not a one-time exercise. It must be conducted regularly — OCR expects at least annually — and it must be documented.
The SRA is not a checklist. It is an analysis. It requires you to identify every system that creates, receives, maintains, or transmits ePHI, evaluate the threats to those systems, assess your current safeguards, determine the likelihood and impact of each threat, and assign risk levels.
Most small practices have never done one. Of those that have, most used a free online checklist and called it done. That is not an SRA. That is a false sense of security with a date stamp on it.
The Breach Notification Rule: When Things Go Wrong
The Breach Notification Rule (45 CFR Part 164, Subpart D) establishes what happens when PHI is compromised. And the timelines are absolute.
What Constitutes a Breach
A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach unless you can demonstrate a low probability that the PHI was compromised based on a four-factor risk assessment:
- The nature and extent of the PHI involved
- The unauthorized person who used or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which the risk has been mitigated
Notification Requirements
**Individual Notice:** You must notify affected individuals no later than **60 calendar days** after discovery of the breach. Not 60 business days. Calendar days. The clock starts when the breach is discovered — or when it would have been discovered through reasonable diligence.
**HHS Notification:** If the breach affects **500 or more individuals**, you must notify HHS **simultaneously with individual notification** — within 60 days. These breaches are posted on the OCR "Wall of Shame" — the Breach Portal — for public viewing.
**Media Notification:** If the breach affects 500 or more individuals in a single state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction. Within 60 days.
**Annual Reporting for Smaller Breaches:** If the breach affects **fewer than 500 individuals**, you must log it and report it to HHS within **60 days of the end of the calendar year** in which the breach was discovered. These annual reports are maintained by HHS but not publicly posted.
The practices that get into the worst trouble are not the ones that have breaches — breaches happen. It is the ones that discover a breach and then do nothing for six months hoping it goes away.
Covered Entities vs. Business Associates
A covered entity under HIPAA is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits any health information electronically in connection with a HIPAA-covered transaction. If you are a medical practice, dental practice, optometry practice, physical therapy clinic, behavioral health provider, or any other provider that bills electronically — you are a covered entity.
A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. This includes your EHR vendor, your billing company, your IT support provider, your shredding company, your cloud storage provider, your answering service, and potentially dozens of other vendors.
Business Associate Agreements
Under 45 CFR 164.502(e) and 164.504(e), you must have a Business Associate Agreement (BAA) in place with every business associate before they access PHI. The BAA must:
- Describe the permitted uses and disclosures of PHI
- Require the business associate to use appropriate safeguards
- Require the business associate to report breaches
- Require the business associate to ensure that subcontractors agree to the same restrictions
- Authorize termination if the business associate violates the agreement
**BAA tracking is one of the most neglected compliance obligations.** Most practices cannot produce a complete list of their business associates, let alone confirm that current BAAs are in place for each one. When OCR investigates, they ask for this list. If you cannot produce it, you have a problem.
California's CMIA: The Layer on Top of HIPAA
Here is where California healthcare practices get a special treat — and I do not mean that in a good way.
California's Confidentiality of Medical Information Act (CMIA), codified in California Civil Code Sections 56 through 56.37, imposes requirements that go beyond HIPAA in several important ways.
Broader Definition of Medical Information
HIPAA protects "Protected Health Information." The CMIA protects "medical information," which is defined more broadly. Under Civil Code Section 56.05(j), medical information includes any individually identifiable information in electronic or physical form regarding a patient's medical history, mental or physical condition, or treatment. The CMIA also covers information derived from genetic testing.
The practical impact: information that might not qualify as PHI under HIPAA's specific definitions could still be protected under the CMIA.
Private Right of Action
This is the big one. **HIPAA does not give individual patients the right to sue.** Enforcement is through OCR and, in criminal cases, the Department of Justice. If a patient's PHI is breached under HIPAA, the patient cannot file a private lawsuit under HIPAA itself.
The CMIA is different. Under Civil Code Sections 56.35 and 56.36, patients in California have a **private right of action** for violations. They can sue for compensatory damages, punitive damages, attorneys' fees, litigation costs, and injunctive relief. The statute provides for damages of $1,000 per violation plus actual damages.
This means a California healthcare practice faces enforcement from two directions: OCR from above (federal), and individual patients from below (state). A single breach can trigger both a federal investigation and a wave of private lawsuits.
Stricter Penalties and Requirements
The CMIA also imposes:
- **Stricter authorization requirements** for disclosures beyond treatment, payment, and healthcare operations
- **Administrative fines** of up to $2,500 per violation for negligent disclosure, and up to $25,000 per violation for intentional disclosure
- **Mandatory employee training** on confidentiality policies and procedures
- **Requirements for electronic health record systems** to maintain audit trails and detect unauthorized access
OCR Enforcement: The Penalty Structure
The federal penalty tiers under 45 CFR 160.404, as amended by HITECH, are structured by the level of culpability:
| Tier | Culpability Level | Per Violation | Annual Cap Per Category |
|------|------------------|---------------|------------------------|
| 1 | Did not know (and would not have known by exercising reasonable diligence) | $100 - $50,000 | $25,000 |
| 2 | Reasonable cause (not willful neglect) | $1,000 - $50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000 - $50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000 | $1,500,000 |
**Note:** The 2019 enforcement discretion notice adjusted the annual caps as shown above. The per-violation maximum remains $50,000 for Tiers 1-3, with the $1.5 million annual cap applying to Tier 4 — willful neglect that is not corrected.
Criminal Penalties
Under 42 U.S.C. 1320d-6, criminal penalties apply to persons who knowingly obtain or disclose PHI in violation of HIPAA:
- **Up to $50,000 and one year in prison** for knowing violations
- **Up to $100,000 and five years** for violations committed under false pretenses
- **Up to $250,000 and ten years** for violations committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
These criminal penalties apply to individuals, not just organizations. A rogue employee who snoops through celebrity medical records is personally liable.
What This Actually Means for Your Practice
Let me strip away the legalese and tell you what I see every day in California healthcare practices:
**The SRA is missing.** Either it was never done, or it was done once five years ago and never updated. This alone is enough for OCR to issue findings.
**BAAs are incomplete.** The practice has 15 vendors touching PHI and BAAs with maybe 6 of them. The cloud backup provider? No BAA. The answering service? No BAA. The IT guy who comes in on weekends? No BAA.
**Training is stale.** HIPAA training was last conducted when the practice opened, or when the last audit happened, or never. Workforce members cannot articulate the minimum necessary standard or explain what constitutes a breach.
**The breach response plan does not exist.** When something goes wrong — and it will — there is no documented procedure for who does what, when the clock starts, or how notifications are issued.
**The CMIA is invisible.** Most practices are vaguely aware of HIPAA. Almost none have addressed the CMIA's additional requirements. They do not realize that their patients can sue them directly for privacy violations under state law.
What Protekon Delivers for Healthcare
Protekon exists to solve exactly this problem for California healthcare practices. Not with a binder and a prayer, but with a managed compliance program that actually works.
**Security Risk Assessment:** We conduct a thorough, documented SRA that meets OCR requirements — not a checklist, but a genuine risk analysis covering every system that touches ePHI. We update it annually and whenever you make significant changes to your environment.
**BAA Tracking and Management:** We inventory every business associate, verify that compliant BAAs are in place, track renewal dates, and flag gaps. When you add a new vendor, we handle the BAA before they touch patient data.
**Policy and Procedure Development:** We build your HIPAA/CMIA compliance policies around your practice — not a generic template with your name pasted in, but policies that reflect your actual workflows, systems, and risk profile.
**Workforce Training:** Annual training that meets both HIPAA and CMIA requirements, documented with attestations, updated to reflect current enforcement trends and your specific policies.
**Breach Response Planning:** A documented incident response plan with assigned roles, notification templates, timeline tracking, and the four-factor risk assessment methodology. When a breach occurs, you execute the plan instead of panicking.
**Ongoing Monitoring:** Regulatory updates, enforcement action alerts, annual program reviews, and corrective action tracking. Compliance is not a project with an end date — it is a continuous obligation, and we manage it continuously.
**CMIA Compliance Layer:** We address the California-specific requirements that most HIPAA-only programs miss — the broader definitions, the private right of action exposure, the stricter authorization requirements, and the enhanced penalties.
The question is not whether you can afford managed compliance. The question is whether you can afford a $1.5 million penalty, a private lawsuit, and your name on the OCR Wall of Shame. For most California healthcare practices, the answer to that question makes the decision very simple.
---
*This article is provided for informational purposes and does not constitute legal advice. Healthcare practices should consult qualified legal counsel for compliance guidance specific to their circumstances. Regulatory citations reference 45 CFR Parts 160 and 164 (HIPAA), 42 U.S.C. 1320d-6 (criminal penalties), and California Civil Code Sections 56-56.37 (CMIA).*


