
California Dental Privacy: Navigating HIPAA, CMIA, and CCPA/CPRA

California is the strictest state in the US for healthcare privacy. Dental practices operating in California must comply with federal HIPAA plus the California Confidentiality of Medical Information Act (CMIA) — a state law that gives patients the right to sue your practice for $1,000 per violation without proving any actual harm. Understanding where these laws overlap — and where California goes further — is essential for every California dentist in 2026.

Key figures:
$1,000: CMIA statutory damages per violation, no harm required
$250K: maximum California fine per intentional violation
7 years: California records retention requirement
40,000+: licensed dentists in California

The key California risk: Under CMIA, a patient does not need to prove they were harmed by a disclosure. Any unauthorized release of their medical information — even an accidental email — entitles them to $1,000 in statutory damages plus attorney's fees. This makes California litigation risk meaningfully higher than in most other states.

ADA-Endorsed Solution

Get California-Ready with Compliancy Group

Compliancy Group's platform includes state-specific compliance modules for California practices — covering CMIA obligations, breach response timelines, and marketing consent documentation.


Federal HIPAA vs. California CMIA

Where California law is stricter than HIPAA, the California standard applies to your practice.

| Rule | Federal HIPAA | California CMIA |
|---|---|---|
| Patient right to sue practice directly | No private right of action | $1,000/violation, no harm required |
| Breach notification timeline | 60 days | Without unreasonable delay (faster than 60 days) |
| AG notification threshold | 500+ individuals | 500+ California residents |
| Max administrative fine (intentional) | $50,000/violation | $250,000/violation (CMIA) |
| Records retention | 6 years (policies/procedures) | 7 years from last treatment |
| Marketing use of PHI | Opt-out allowed | Written authorization required |
| Minor patient privacy | State law controls | Specific CA minor consent rules apply |

CCPA/CPRA and California Dental Practices

California's Consumer Privacy Act (CCPA, amended by CPRA) is the strongest consumer privacy law in the US — but most dental patient records are exempt from CCPA because they're already protected by HIPAA and CMIA.

What IS exempt from CCPA

Patient medical records, treatment notes, X-rays, and clinical data covered by HIPAA or CMIA are excluded from CCPA requirements.

What is NOT exempt from CCPA

Website analytics, email marketing lists, employee personal data, and any health-related data collected outside clinical systems (e.g., appointment scheduling apps, patient review platforms) may still be subject to CCPA — especially if your practice qualifies by revenue or data volume.

CCPA threshold: does it apply to you?

CCPA applies if your practice has annual gross revenue above $25M, processes personal data of 100,000+ California consumers annually, or derives 50%+ of revenue from selling personal information. Most single-location dental practices fall below these thresholds.

California Compliance Checklist for Dental Practices

Six actions California dental practices should take immediately.

1. Add a California Privacy Notice to your NPP

Your Notice of Privacy Practices must include California-specific patient rights under CMIA, including the right to sue for unauthorized disclosure. Standard HIPAA NPP templates do not cover this.

2. Update your breach response plan for California timelines

Your incident response protocol must reflect California's 'without unreasonable delay' standard. For any breach affecting 500+ California patients, you must also notify the California AG.
3. Encrypt all devices: California's safe harbor applies

California provides a breach notification safe harbor if the compromised data was encrypted and the encryption key was not also compromised. Unencrypted laptops, USB drives, and mobile devices are the #1 source of California CMIA violations. Full-disk encryption with keys kept separate from the device generally removes the notification obligation for lost or stolen devices.

4. Review marketing consent for California patients

Using patient information for any marketing purpose requires written authorization under CMIA. This includes email newsletters, before/after photo campaigns, and referral solicitation. Opt-out language is not sufficient.

5. Audit minor patient records policies

California has specific rules about when minors can consent to their own care (and therefore control their own records). Dental practices must have written policies covering divorced parents, emancipated minors, and minors seeking specific types of care.

6. Assess CCPA applicability for non-clinical data

Patient medical records are generally CCPA-exempt, but your website analytics, email marketing lists, and employee data may be subject to CCPA. Practices above the $25M revenue threshold or processing 100,000+ consumer records need a full CCPA assessment.


2026 Dental HIPAA SOP Kit — California-Ready Templates

47 ready-to-use templates including CMIA-compliant NPP language, marketing authorization forms, minor patient consent policies, and a breach response protocol. One-time $149 — instant delivery.


Frequently Asked Questions — California Dental Privacy

Does California CMIA apply to dental practices?

Yes. The California Confidentiality of Medical Information Act (CMIA) applies to all healthcare providers in California, including dental practices of any size. CMIA covers all medical information — including dental records, X-rays, and treatment notes — and is enforceable by both the state AG and individual patients.

Can a California patient sue my dental practice under CMIA?

Yes. Unlike federal HIPAA, CMIA gives California patients a direct private right of action. A patient can sue your practice for $1,000 in statutory damages per violation — without needing to prove any actual harm. They can also seek actual damages if greater, plus attorney's fees. This creates significant liability exposure even for minor disclosure errors.

How is California's breach notification different from HIPAA?

HIPAA gives covered entities 60 days to notify patients of a breach. California law (Civil Code §1798.29 and the CMIA) requires notification 'in the most expedient time possible and without unreasonable delay' — courts have interpreted this as much faster than 60 days. California also requires notifying the AG if a breach affects 500 or more California residents.

Does CCPA apply to my California dental practice?

For most small and mid-size dental practices, CCPA/CPRA does not apply to patient medical records because HIPAA-covered information is exempt. However, CCPA can apply to non-clinical data your practice collects — such as website analytics, email marketing lists, or employee data. Practices with annual revenue over $25 million, or that process data of 100,000+ consumers, should conduct a CCPA applicability assessment.

How long must California dental practices keep patient records?

California requires dental records to be retained for at least 7 years from the date of last treatment, or until the patient turns 19 (for minor patients) — whichever is longer. This is more specific than HIPAA's general 6-year retention requirement for policies and procedures.
