California’s Confidentiality of Medical Information Act: Privacy Compliance Guide

The Confidentiality of Medical Information Act (CMIA), codified at California Civil Code §56 et seq., is one of the most far-reaching state-level medical privacy statutes in the country. Enacted in 1981 and repeatedly amended since, the CMIA predates the federal Health Insurance Portability and Accountability Act (HIPAA) by more than a decade and, in many respects, offers broader protections to California patients than federal law provides.

The CMIA governs the collection, use, storage, and disclosure of medical information by a wide range of entities — not just traditional healthcare providers but also employers, insurers, and, increasingly, technology companies that store health-related data on behalf of others. Its private right of action, relatively generous remedies, and statutory definition of “medical information” have made it a favored vehicle for privacy class actions in California, and plaintiffs’ attorneys are lining up to file lawsuits against unsuspecting businesses that collect PHI, SPI, and PII tied to medical information. Luckily for you, if you’re reading this, Captain Compliance is a leading data privacy software that protects businesses from these lawsuits once it is integrated into your business and website.

With the California Supreme Court’s May 2026 ruling in J.M. v. Illuminate Education Inc., 2026 S.O.S. 1331, the CMIA has again moved to the center of California data privacy litigation, with a newly clarified standard for when a breach triggers liability.

We Are Dealing With a CMIA Privacy Lawsuit. What Do We Do?

We are not a law firm here at Captain Compliance but rather a software provider that handles your compliance requirements and keeps you from getting out of line and into trouble. If you’ve received a CMIA lawsuit, we will gladly help stand up our software within 24 hours and assist with a good-faith remediation response that can lower your settlement payout, if not make the case go away completely. Most plaintiffs’ firms want to see that you’re using a trusted privacy software like Captain Compliance that actually works and that you will be respecting their clients’ privacy requests moving forward. Whether the case is brought under the CMIA, CDAFA, CIPA, or ECPA, a good-faith effort to fix the privacy issues goes a long way toward settling it.

What Is Protected: The Definition of “Medical Information”

The CMIA defines “medical information” broadly. Under Civil Code §56.05(j), medical information means:

“Any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”

The phrase “individually identifiable” is key — the law protects information that can be linked to a specific person. De-identified data falls outside the statute’s reach.

Courts have applied this definition broadly. Records pertaining to mental health treatment, substance use disorders, reproductive health, disability assessments, and genetic information have all been held to qualify. More contested are records that sit at the intersection of health and other domains — such as educational disability screenings or employer-requested fitness evaluations — and the Illuminate case underscores that the CMIA’s reach is not unlimited even where health-adjacent data is at issue.

Who Is Covered: “Providers of Health Care” and Beyond

Traditional Providers

The CMIA’s core obligations apply to “providers of health care,” which at its most basic level refers to licensed healthcare professionals and facilities — physicians, hospitals, clinics, pharmacies, mental health practitioners, and similar entities.

Health Care Service Plans and Insurers

Health care service plans (i.e., HMOs and similar managed care organizations) and health insurers are independently covered under the statute and are subject to their own disclosure restrictions.

Employers

One of the CMIA’s most consequential — and often overlooked — provisions applies to employers. Under §56.20 et seq., an employer who receives medical information about an employee is prohibited from using that information to discriminate in hiring, termination, promotion, or other terms of employment. Employers are also required to maintain the confidentiality of any employee medical information they receive.

Contractors

The CMIA extends its reach to “contractors” — defined as any person or entity that receives medical information from a covered provider or health plan in the course of providing services. This provision was designed to prevent covered entities from circumventing CMIA protections by routing information through third-party vendors.

Technology Companies: The §56.06 Expansion

Civil Code §56.06 extends “provider of health care” status to technology and data companies under certain circumstances. Specifically, the section covers:

“Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.”

This definition was designed to capture personal health record (PHR) platforms, health data aggregators, and similar technology intermediaries that serve as repositories for patient health information. However, as the Supreme Court made clear in Illuminate, the definition has limits. A company that incidentally stores health-adjacent data as part of a broader, non-medical technology service does not automatically become a CMIA-regulated “provider of health care.”

The court’s interpretation turns on purpose and function: is the business organized for the purpose of maintaining medical information for patient access or treatment? Or does it primarily serve some other function — such as educational administration — with health data being a secondary or incidental element?

Key Substantive Prohibitions

Section 56.10: The Disclosure Prohibition

The CMIA’s central prohibition is found at §56.10: a provider of health care shall not disclose medical information without first obtaining a valid written authorization from the patient. The statute enumerates specific categories of permissible disclosure that do not require authorization, including:

  • Disclosures to other treating providers
  • Disclosures to health oversight agencies
  • Disclosures pursuant to court order or subpoena
  • Disclosures for certain public health purposes
  • Disclosures required by other state or federal law

Disclosures outside these enumerated categories require a compliant patient authorization — a written document specifying the information to be disclosed, the recipients, and the purpose. Here is a PDF of the text from the State of California.

CMIA California

Section 56.101: The Confidentiality-Preservation Obligation

Section 56.101 imposes an affirmative data security obligation: every covered provider “who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.” This provision is the primary basis for data breach claims under the CMIA.

A negligent failure to maintain adequate data security — resulting in unauthorized access or exposure — can constitute a violation of §56.101, triggering civil liability even in the absence of intentional wrongdoing.

Section 56.11: Employer Medical Information

Under §56.11, employers are prohibited from disclosing medical information received in the course of an employment relationship without a written employee authorization. The prohibition covers information obtained through pre-employment physicals, fitness-for-duty examinations, workers’ compensation proceedings, or voluntarily disclosed medical conditions.

The “Significant Risk” Standard After J.M. v. Illuminate

Prior to Illuminate, California courts had been divided on what a plaintiff must prove to establish a CMIA violation in a data breach case. The dominant line of authority — Regents of the University of California v. Superior Court, Sutter Health v. Superior Court, and Vigil v. Muir Medical Group IPA, Inc. — required plaintiffs to demonstrate that their records were “actually viewed” by an unauthorized third party.

The Supreme Court unanimously disapproved those cases in Illuminate, holding instead that “confidentiality is breached when the information is exposed to a significant risk of unauthorized access or use.”

This new standard has significant practical consequences:

What it means for plaintiffs: A breach victim no longer needs to trace their information through a data breach to a specific, identifiable unauthorized user. Allegations of a concrete, real-world breach event combined with facts showing that exposed data is reasonably likely to be accessed or misused are now sufficient to state a claim.

What it means for defendants: Merely arguing that no one has actually read the data is no longer a complete defense. Defendants must now engage with the totality of the circumstances surrounding a breach — including the nature of the data, the sophistication of the intrusion, and any security measures protecting the data at the time of exposure. Robust encryption may remain a viable defense, per Justice Groban’s concurrence.

What it means for future litigation: The new standard is likely to make CMIA class certification significantly easier to obtain, because plaintiffs’ counsel will no longer need to demonstrate individualized proof that each class member’s records were actually viewed. Common questions of breach scope and security adequacy may now predominate.

Remedies

The CMIA provides a private right of action with the following remedies:

  • Nominal damages of $1,000 per plaintiff, without proof of actual harm, for violations of the statute’s confidentiality provisions
  • Actual damages for plaintiffs who can demonstrate real-world harm, including economic losses, emotional distress, and harm to reputation
  • Punitive damages in cases of oppression, fraud, or malice
  • Attorney’s fees for successful plaintiffs
  • Injunctive relief to prevent future violations

The availability of nominal damages — an express statutory creation — is significant. It confirms that the CMIA is fundamentally a conduct-regulating statute, not merely a compensation mechanism. As the Supreme Court recognized in Illuminate, the legislature intended to hold covered entities accountable for negligent handling of medical information regardless of whether any particular breach victim suffered measurable out-of-pocket losses.

Relationship to Federal Law (HIPAA)

HIPAA sets a federal floor for medical information privacy, but it does not preempt state laws that are more protective. The CMIA is, in many ways, more protective than HIPAA:

  • Private right of action: HIPAA does not create a private right of action. Enforcement is exclusively by the U.S. Department of Health and Human Services. The CMIA, by contrast, allows individuals to sue directly.
  • Employer coverage: HIPAA generally does not cover employers in their capacity as employers (as distinct from employer-sponsored health plans). The CMIA’s employer provisions fill this gap.
  • Scope of covered entities: HIPAA’s covered entity framework is more narrowly defined than the CMIA’s “provider of health care” definition as extended by §56.06.

For California practitioners, compliance with HIPAA does not guarantee CMIA compliance. Entities operating in California must conduct independent analysis under state law.

Recent Trends and Legislative Developments

In recent years, the California legislature has repeatedly amended the CMIA to address emerging threats to health privacy. That is before even getting into the Flow Period App ($56 million settlement) and Headway privacy lawsuits that we have covered in depth, or plaintiffs’ firms like Almeida Law that have won multi-million-dollar settlements for privacy violations from businesses that weren’t using software like Captain Compliance to respect users’ consent choices. The main legislative developments:

Mental health records: Special protections for mental health and substance use disorder records have been strengthened, reflecting heightened sensitivity to the stigma associated with these conditions.

Genetic information: The CMIA’s definition of “medical information” has been interpreted to encompass genetic data, raising questions about the obligations of consumer genomics companies and direct-to-consumer health testing services.

Reproductive health: Post-Dobbs, the legislature enacted additional CMIA protections specifically prohibiting disclosure of reproductive health information in response to out-of-state legal processes, addressing concerns that California health records could be used in other states’ abortion prosecutions.

Artificial intelligence: The use of AI tools to analyze patient data is an emerging compliance concern. Questions about whether AI systems processing medical records trigger CMIA obligations for technology vendors — and whether their outputs constitute “medical information” — remain largely unresolved.

CMIA Privacy Compliance Help

For healthcare providers, health plans, and technology companies handling health-adjacent data in California, J.M. v. Illuminate and the CMIA more broadly demand:

  • Robust data security programs, including encryption of stored medical information (particularly given Justice Groban’s suggestion that encryption may defeat a “significant risk” finding)
  • Careful analysis of whether a business qualifies as a “provider of health care” under §56.06 before storing health-related data on behalf of third parties
  • Strict controls over third-party contractor access to medical information
  • Written authorization procedures that comply with CMIA requirements before any non-exempt disclosure
  • Incident response plans that account for CMIA notification and liability exposure in the event of a breach
  • Install and set up a proper subject rights request portal from Captain Compliance
  • Set up a consent management platform and proper privacy notices
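The §56.101 duty to store and dispose of records “in a manner that preserves the confidentiality of the information,” and the encryption point in the checklist above (Justice Groban’s suggestion that robust encryption may defeat a “significant risk” finding), both come down to one engineering question: if the record store leaks, is the leaked blob readable? The following is an added example, not code from Captain Compliance or from any system discussed on this page. It assumes a hypothetical record store where each patient record is sealed with AES-256-GCM under a data-encryption key that lives in a separate key-management service, and it binds the patient identifier to the ciphertext so a sealed record cannot be silently moved onto another patient’s row. The key and record below are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one medical record with AES-256-GCM (authenticated encryption).
// key is a 32-byte data-encryption key; this example assumes it is fetched from a
// key-management service and never stored beside the records.
// patientID is bound to the ciphertext as associated data, so a sealed record copied
// onto another patient's row fails to open.
func EncryptRecord(key []byte, patientID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM authentication tag
	return gcm.Seal(nonce, nonce, plaintext, []byte(patientID)), nil
}

// DecryptRecord opens a sealed record. Any change to the key, the patient binding,
// the nonce, the ciphertext or the tag makes Open return an error, never garbage.
func DecryptRecord(key []byte, patientID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(patientID))
}

// LeakRevealsPlaintext models the post-breach question a reviewer asks of a leaked
// blob: does the stored form contain the record's plaintext anywhere? With encryption
// at rest the answer is no; with plaintext storage it is trivially yes.
func LeakRevealsPlaintext(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data-encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key and record; neither comes from any real system.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"patient_id":"P-0001","diagnosis":"sample","note":"constructed record"}`)

	sealed, err := EncryptRecord(key, "P-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at rest:", hex.EncodeToString(sealed))
	fmt.Println("leak reveals plaintext (encrypted store):", LeakRevealsPlaintext(sealed, record))
	fmt.Println("leak reveals plaintext (plaintext store):", LeakRevealsPlaintext(record, record))

	if _, err := DecryptRecord(key, "P-0002", sealed); err != nil {
		fmt.Println("record rebound to another patient:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := DecryptRecord(key, "P-0001", sealed); err != nil {
		fmt.Println("tampered record:", err)
	}
}
```

The design choice that matters for the “significant risk” analysis is key separation: a dump of the record table alone yields nonces, ciphertext and tags, none of which reveal the record, while a compromise of the key service alone yields no records. Whether a given deployment clears the bar is a legal question for counsel, but the engineering fact a defendant would need to show is exactly what this program demonstrates.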

The CMIA is not a statute that rewards half-measures. Its private right of action, nominal damages provision, and class action compatibility make it an attractive vehicle for plaintiff litigation whenever health data is compromised.
