A wellness program requested medical data with a blanket authorization. Under California law, that authorization is void.
California's Confidentiality of Medical Information Act goes beyond federal HIPAA on consent, authorization, and penalties. SB 1299 adds workplace violence prevention requirements for hospitals. If you operate in California, your team needs to understand what state law adds on top of federal requirements.
Start your free trialIf you operate in California, CMIA (California Civil Code 56 et seq.) and SB 1299 impose additional requirements beyond federal HIPAA.
Course Details
25 minutes
State
California Law
Online, self-paced
What your team will learn
- What CMIA protects and how it differs from federal HIPAA
- Authorization requirements under CMIA: why blanket authorizations are invalid
- CMIA penalty structure: when privacy violations become personal liability
- SB 1299: workplace violence prevention plan requirements for hospitals
- What a Workplace Violence Prevention Plan (WVPP) must include
- CCPA and the California privacy landscape for healthcare
- Key CMIA vs. HIPAA comparisons
Who needs this training?
If you operate in California, CMIA applies to all healthcare employers with 5+ employees. R = Required by regulation. S = Strongly recommended.
| Practice Type | Status | Authority |
|---|---|---|
| Physician Practices & Medical Groups | Required (if CA) | CA Civil Code 56 |
| Dental Offices | Required (if CA) | CA Civil Code 56 |
| Urgent Care Centers | Required (if CA) | CA Civil Code 56 |
| Home Health Agencies | Required (if CA) | CA Civil Code 56 |
| Behavioral Health & SUD Treatment | Required (if CA) | CA Civil Code 56 |
| Chiropractic Offices | Required (if CA) | CA Civil Code 56 |
| Physical Therapy & Rehab Clinics | Required (if CA) | CA Civil Code 56 |
| Ambulatory Surgery Centers (ASCs) | Required (if CA) | CA Civil Code 56 |
| Pharmacies | Required (if CA) | CA Civil Code 56 |
| Mental Health Private Practices | Required (if CA) | CA Civil Code 56 |
| Community Health Centers (FQHCs) | Required (if CA) | CA Civil Code 56 |
| Telehealth Providers | Required (if CA) | CA Civil Code 56 |
Which roles must complete this training?
If you operate in California, all employees who handle medical information need CMIA awareness:
- All staff handling medical information: CMIA applies broadly to anyone who receives, maintains, or stores medical information
- Licensed healthcare staff: Additional cultural competency CE requirements under AB 241
- Hospital personnel: SB 1299 workplace violence prevention plan training required for all hospital staff
Common California CMIA + SB 1299 training questions
How is CMIA different from HIPAA?
CMIA is broader in several key areas. It covers more types of entities (not just HIPAA-defined covered entities), prohibits blanket authorizations for disclosure, imposes personal liability on individuals who negligently disclose medical information, and provides patients a private right of action with statutory damages. HIPAA provides the federal floor; CMIA raises it.
What does SB 1299 require?
SB 1299 (codified in Cal/OSHA 8 CCR 3342) requires hospitals to maintain a workplace violence prevention plan (WVPP). The plan must include incident tracking, risk assessments, training for all personnel, and post-incident response procedures. The plan must be reviewed annually. Our course provides SB 1299 awareness; it does not replace your hospital's own written prevention plan or the annual, plan-specific interactive training the Cal/OSHA standard requires.
Does CMIA apply to self-insured employer health plans?
Yes, CMIA applies when employers receive medical information about employees through self-insured health plans. Employers cannot use this information for employment decisions. This is an area where CMIA provides protections beyond HIPAA.
Who needs California CMIA training?
If you operate in California, all employees who handle medical information need CMIA awareness. Licensed healthcare staff also have cultural competency CE requirements under AB 241.
If you operate in California, make sure your team knows what state law requires
25 minutes per person. Certificate on completion. Start your 14-day free trial now.
Get started freeRegulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. EZBunny provides state privacy-law training for California, Texas, and New York. Our state-specific safety and harassment courses are awareness training and may not, on their own, satisfy your state's specific mandate. Other states may have requirements not covered here. Last reviewed: April 2026.