HIPAA Notice of Privacy Practices for California Practices
California imposes stricter health information privacy requirements than federal HIPAA. Practices in California must comply with both — and wherever California law is more protective of patient privacy, it prevails. Here's what California providers need to know about their Notice of Privacy Practices.
California's CMIA — the key overlay
The California Confidentiality of Medical Information Act (CMIA), codified at Health & Safety Code §§ 56 through 56.37, is California's primary health information privacy law. It applies to health care providers, health plans, and their contractors operating in California.
Key ways CMIA is stricter than HIPAA:
- Authorization requirements. CMIA requires patient authorization for many disclosures that HIPAA permits as "treatment, payment, or operations" without authorization — particularly disclosures for marketing and certain research purposes.
- Employer access restrictions. CMIA has strict limits on disclosures to employers. An employer who requests an employee's medical information must comply with specific CMIA requirements.
- Minimum necessary standard. California's minimum necessary standard applies broadly and is enforced more strictly than federal HIPAA's baseline.
- Penalties. CMIA provides a private right of action for patients — patients can sue providers directly for CMIA violations, with statutory damages of $1,000 per violation. HIPAA does not provide patients a private right of action.
California mental health and SUD privacy
California has separate, stricter laws for mental health and substance use disorder records beyond the CMIA:
- Lanterman-Petris-Short Act (W&I Code § 5328). Records related to involuntary psychiatric holds (5150), treatment, and evaluations are strictly confidential and require specific legal authorization to disclose.
- Mental health records generally. California W&I Code § 5328 broadly protects mental health treatment records even beyond federal psychotherapy-notes protections.
- SUD records. California has its own SUD confidentiality protections (Health & Safety Code § 11845.5) in addition to 42 CFR Part 2. If your practice treats SUD patients, your NPP should reflect both federal Part 2 and California SUD confidentiality requirements.
See states with stricter NPP requirements for a broader comparison of state laws.
What California practices need in their NPP
- All federal HIPAA NPP requirements (HHS February 2026 model)
- A statement that California law may provide patients with additional privacy rights beyond federal HIPAA
- For mental health providers: acknowledgment of California's stricter mental health record protections
- For SUD treatment providers: combined HIPAA + 42 CFR Part 2 language (and consideration of California SUD confidentiality law)
- Contact information for your Privacy Officer who can answer state-law questions
Frequently Asked Questions
Does California have stricter NPP requirements than federal HIPAA?
Yes. California's CMIA restricts many disclosures that federal HIPAA would allow as standard treatment, payment, or operations activities. California providers must comply with both laws — the more protective standard applies.
Does my California NPP need to reference the CMIA?
There is no federal HIPAA requirement to reference CMIA specifically in your NPP. However, best practice in California is to note that state law may provide additional protections and direct patients to ask about California-specific rights. This puts patients on notice of the additional protections without requiring a full CMIA legal analysis in the NPP itself.
Can a California patient sue me for an NPP violation?
Under the CMIA — yes. California's CMIA provides a private right of action with $1,000 statutory damages per violation. Federal HIPAA does not provide patients a private right of action. California providers face litigation risk from CMIA that providers in other states do not face under federal law alone.
I practice in California and New York — which state's rules apply?
Generally, the state law of the state where the patient receives services applies. If you provide services to patients in both states, the most protective applicable law applies to those patients. Consult a health care attorney for multi-state practice guidance.