A wellness program requested medical data with a blanket authorization. Under California law, that authorization is void.
California's Confidentiality of Medical Information Act goes beyond federal HIPAA on consent, authorization, and penalties. SB 1299 adds workplace violence prevention requirements for hospitals. If you operate in California, your team needs to understand what state law adds on top of federal requirements.
If you operate in California, CMIA (California Health & Safety Code 56 et seq.) and SB 1299 impose additional requirements beyond federal HIPAA.
Course Details
- 15 minutes
- State: California Law
- Online, self-paced
What your team will learn
- What CMIA protects and how it differs from federal HIPAA
- Authorization requirements under CMIA: why blanket authorizations are invalid
- CMIA penalty structure: when privacy violations become personal liability
- SB 1299: workplace violence prevention plan requirements for hospitals
- What a Workplace Violence Prevention Plan (WVPP) must include
- CCPA and the California privacy landscape for healthcare
- Key CMIA vs. HIPAA comparisons
Who needs this training?
If you operate in California, CMIA applies to all healthcare employers with 5+ employees. R = Required by regulation. S = Strongly recommended.
| Practice Type | Status | Authority |
|---|---|---|
| Physician Practices & Medical Groups | Required (if CA) | CA Health & Safety Code 56 |
| Dental Offices | Required (if CA) | CA Health & Safety Code 56 |
| Urgent Care Centers | Required (if CA) | CA Health & Safety Code 56 |
| Home Health Agencies | Required (if CA) | CA Health & Safety Code 56 |
| Behavioral Health & SUD Treatment | Required (if CA) | CA Health & Safety Code 56 |
| Chiropractic Offices | Required (if CA) | CA Health & Safety Code 56 |
| Physical Therapy & Rehab Clinics | Required (if CA) | CA Health & Safety Code 56 |
| Ambulatory Surgery Centers (ASCs) | Required (if CA) | CA Health & Safety Code 56 |
| Pharmacies | Required (if CA) | CA Health & Safety Code 56 |
| Mental Health Private Practices | Required (if CA) | CA Health & Safety Code 56 |
| Community Health Centers (FQHCs) | Required (if CA) | CA Health & Safety Code 56 |
| Telehealth Providers | Required (if CA) | CA Health & Safety Code 56 |
Which roles must complete this training?
If you operate in California, all employees who handle medical information need CMIA awareness:
- All staff handling medical information: CMIA applies broadly to anyone who receives, maintains, or stores medical information
- Licensed healthcare staff: Additional cultural competency CE requirements under AB 241
- Supervisors: SB 1343 requires 2 hours of sexual harassment prevention training every 2 years (employers with 5+ employees)
- All non-supervisory staff: SB 1343 requires 1 hour of sexual harassment prevention training every 2 years
- Hospital personnel: SB 1299 workplace violence prevention plan training required for all hospital staff
Common California CMIA + SB 1299 training questions
How is CMIA different from HIPAA?
CMIA is broader in several key areas. It covers more types of entities (not just HIPAA-defined covered entities), prohibits blanket authorizations for disclosure, imposes personal liability on individuals who negligently disclose medical information, and provides patients a private right of action with statutory damages. HIPAA provides the federal floor; CMIA raises it.
What does SB 1299 require?
SB 1299 (codified in Cal/OSHA 8 CCR 3342) requires hospitals to maintain a workplace violence prevention plan (WVPP). The plan must include incident tracking, risk assessments, training for all personnel, and post-incident response procedures. The plan must be reviewed annually.
Does CMIA apply to self-insured employer health plans?
Yes, CMIA applies when employers receive medical information about employees through self-insured health plans. Employers cannot use this information for employment decisions. This is an area where CMIA provides protections beyond HIPAA.
Who needs California CMIA training?
If you operate in California, all employees who handle medical information need CMIA awareness. Licensed healthcare staff also have cultural competency CE requirements under AB 241. SB 1343 requires sexual harassment prevention training (2 hours for supervisors, 1 hour for all staff) every 2 years for employers with 5+ employees.
If you operate in California, make sure your team knows what state law requires
15 minutes per person. Certificate on completion. Start your 14-day free trial now.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.