HIPAA + CMIA Compliance for California Therapists — 2026 Guide
California therapists face double compliance: HIPAA (federal) and the California Confidentiality of Medical Information Act (CMIA). CMIA is stricter than HIPAA in several areas and carries its own penalties. Here is what every California therapist needs to know before February 2026.
$47,000
Avg fine in California
15 Business Days
CA breach report deadline for licensed facilities (H&S Code 1280.15)
2 Laws
HIPAA + CMIA dual compliance
Where California Is Stricter Than HIPAA
California's short breach-reporting clock is 15 business days under Health and Safety Code 1280.15 (it was 5 business days before a 2015 amendment), and it applies to licensed clinics and health facilities. A private-practice therapist is instead bound by HIPAA's "without unreasonable delay and no later than 60 days" rule and by California's general breach statute (Civil Code 1798.82), which requires notice in the most expedient time possible.
CMIA covers medical information in any form, paper charts included. That matches the HIPAA Privacy Rule, which also covers PHI in any form; only the HIPAA Security Rule is limited to electronic PHI. CMIA also reaches some providers and health-app vendors that are not HIPAA covered entities (Civil Code 56.06).
California prohibits selling or otherwise disclosing individually identifiable medical information, mental health records included, without patient authorization (Civil Code 56.10). Data that has been properly de-identified falls outside CMIA's definition of medical information, so aggregated records are protected only while they remain identifiable.
CMIA penalties are tiered (Civil Code 56.36): up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation (for licensed health care professionals this tier escalates with repeat offenses, starting at $2,500 and reaching $25,000), and up to $250,000 per violation committed for financial gain. Patients also have a private right of action for $1,000 nominal damages plus actual damages, and a violation that causes economic loss or personal injury to a patient is a misdemeanor.
California therapists must update their Notice of Privacy Practices by the February 16, 2026 federal HIPAA compliance date AND make sure the notice reflects CMIA's disclosure rules.
Top Violations for California Therapists
Missing updated Notice of Privacy Practices (Feb 16, 2026 federal deadline)
Using consumer Gmail or iCloud for client communication: Google and Apple do not sign a BAA for free personal accounts (Google offers one only for paid Google Workspace editions), so PHI cannot lawfully be handled through them.
Psychotherapy notes mixed into the general clinical record: under 45 CFR 164.501, notes qualify as "psychotherapy notes", with their extra authorization protections, only if they are kept separate from the rest of the medical record.
Telehealth on FaceTime or free Zoom without a BAA: OCR's COVID-era enforcement discretion for non-public-facing video apps ended on August 9, 2023, so a BAA (available on Zoom's paid healthcare plans, not for FaceTime) is again required.
No HIPAA Security Risk Assessment completed or documented, even though 45 CFR 164.308(a)(1)(ii)(A) requires one.
Trusted by 225,000+ Therapists. Recommended for California Therapists.
Get Your Practice 100% HIPAA Compliant in 2026
SimplePractice is the #1 HIPAA-compliant practice management platform built specifically for therapists. Includes secure messaging, telehealth, billing, and a signed BAA — everything you need to stay compliant and protect your clients.
Start Free Trial with SimplePractice → 30-day free trial · No credit card required
Need HIPAA-compliant email only? See Hushmail for Healthcare →
FAQ — California Therapist HIPAA
Do California therapists have to follow both HIPAA and CMIA?
Yes. California therapists must comply with both HIPAA (federal) and the California Confidentiality of Medical Information Act (CMIA). HIPAA sets a floor, not a ceiling: under 45 CFR 160.203 a state law that is more stringent than HIPAA is not preempted, so wherever CMIA is stricter, which is often, the CMIA requirement governs.
What is the penalty for a CMIA violation in California?
CMIA's administrative fines and civil penalties (Civil Code 56.36) run up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation, and up to $250,000 per violation committed for financial gain. Patients can also sue for $1,000 nominal damages plus actual damages without having to prove they were harmed, and a violation that causes economic loss or personal injury is a misdemeanor. All of this is in addition to any federal HIPAA penalties.
Does SimplePractice work for California therapists?
Yes. SimplePractice provides a signed Business Associate Agreement, HIPAA-compliant telehealth, and encrypted messaging — addressing the most common compliance gaps for California therapists.