California Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in California.
California operates one of the strictest healthcare-privacy regimes in the United States. The Confidentiality of Medical Information Act (CMIA, Cal. Civil Code § 56 et seq.) governs the use and disclosure of medical information, and its companion breach-reporting provision, Cal. Health & Safety Code § 1280.15, requires licensed clinics, health facilities, home health agencies and hospices to report any unlawful or unauthorized access to, use of, or disclosure of a patient's medical information to the California Department of Public Health, and to notify the affected patient, within 15 business days of detection. That is materially stricter than HIPAA's 60-calendar-day ceiling. Separately, Cal. Civil Code § 1798.82, California's general data-breach notification statute, requires notifying affected residents "in the most expedient time possible and without unreasonable delay" and filing a sample copy of the notice with the California Attorney General when a single breach requires notice to more than 500 California residents. CMIA exposure under Cal. Civil Code § 56.36 is $1,000 in nominal damages per affected patient with no proof of actual harm required, plus actual damages and civil penalties of up to $2,500 per negligent violation and up to $25,000 per knowing and willful violation; CCPA penalties reach $7,500 per intentional violation, although the CCPA exempts medical information governed by CMIA and PHI held by HIPAA covered entities (Cal. Civil Code § 1798.145(c)). Records retention under Cal. Health & Safety Code § 123145 is 7 years from the last date of service; a minor's records must be kept until at least one year after the patient turns 18 or 7 years from last service, whichever is later. The Controlled Substance Utilization Review and Evaluation System (CURES 2.0, cures.doj.ca.gov), administered by the California Department of Justice, must be consulted before a first prescription of a Schedule II–IV controlled substance and at least once every six months thereafter while the drug remains part of the patient's treatment (Cal. Health & Safety Code § 11165.4). Mandatory child-abuse reports under Penal Code § 11166 go to the county child welfare agency or local law enforcement by telephone immediately and in writing within 36 hours.
Breach Notification Rules
| Item | California rule |
|---|---|
| Notification deadline | "In the most expedient time possible and without unreasonable delay" (Cal. Civil Code § 1798.82). Licensed clinics, health facilities, home health agencies and hospices must additionally report to the California Department of Public Health and notify the affected patient within 15 business days of detecting the breach (Cal. Health & Safety Code § 1280.15). |
| AG notification threshold | More than 500 California residents notified as a result of a single breach: submit a sample copy of the notice (with personal information removed) to the Attorney General. |
| Harm analysis | Not part of § 1798.82. The trigger is unauthorized acquisition of unencrypted personal information, or of encrypted personal information together with the key, with no risk-of-harm exception. |
| Penalty range | CCPA civil penalties up to $2,500 per violation and $7,500 per intentional violation, but the CCPA exempts medical information governed by CMIA and PHI held by HIPAA covered entities (§ 1798.145(c)). CMIA: $1,000 nominal damages per patient plus civil penalties up to $2,500 per negligent and $25,000 per knowing and willful violation (§ 56.36). § 1280.15: administrative penalties up to $25,000 per patient, plus $100 per day of late reporting, capped at $250,000. |
Enforcement Posture
The California Attorney General, through the Department of Justice Privacy Unit, runs one of the most active privacy-enforcement programs in the country. The AG has pursued CMIA cases when breaches cross the § 1798.82 reporting threshold and has paired breach-notification failures with CCPA claims where the data falls outside the CCPA's medical-information exemption (Cal. Civil Code § 1798.145(c)), such as billing, marketing or website data a practice holds, to multiply per-violation penalties. The 15-business-day clock is enforced separately by the California Department of Public Health under Cal. Health & Safety Code § 1280.15, which treats late reporting as its own violation ($100 per day past the deadline, up to $250,000) on top of the per-patient penalty for the underlying disclosure. Settlements typically include multi-year compliance monitoring, mandatory employee training, independent privacy audits and corrective-action obligations. Local prosecutors (district attorneys) can additionally pursue CMIA misdemeanor charges for violations that cause economic loss or personal injury to a patient (§ 56.36(a)). Practices should expect that any breach requiring notice to more than 500 California residents will be reviewed against CMIA, § 1280.15 and § 1798.82 simultaneously.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last date of service |
| Pediatric | 7 years from last service, or until 1 year after the patient turns 18 (age 19), whichever is later | Last date of service / patient's 18th birthday |
| Mental health | 7 years (LPS Act confidentiality rules also apply; see Behavioral health below) | Last date of service |
Controlled-Substance Prescription Monitoring (CURES 2.0)
CURES 2.0 (cures.doj.ca.gov), administered by the California Department of Justice, is California's prescription drug monitoring program. Cal. Health & Safety Code § 11165.4 requires a prescriber to consult the patient's CURES activity report no earlier than 24 hours (or the previous business day) before prescribing, ordering, administering or furnishing a Schedule II–IV controlled substance to that patient for the first time, and at least once every six months thereafter while the drug remains part of the patient's treatment. Delegation to licensed staff (RNs, LVNs, MAs working under a documented standing order from the licensed prescriber) is permitted; the prescriber remains responsible for reviewing and documenting the result before prescribing. Exemptions cover hospice, cancer treatment, ER or post-surgical supplies of no more than five days, in-office administration, and patients in a comprehensive pain-management program. Civil penalties reach $4,000 per violation and licensing-board discipline can include license suspension for repeated violations.

| Item | California rule |
|---|---|
| Check required | Before the first prescription of a Schedule II–IV controlled substance to a patient |
| Check frequency | At least once every six months while the drug remains part of treatment; each query is run no earlier than 24 hours or the previous business day before prescribing |
| Delegation allowed | Yes, to licensed staff under a documented standing order; the prescriber reviews and documents the result |
| Penalty range | Licensing board citation and fine; possible license suspension for repeated violations; fines up to $4,000 per violation |
| Exemptions | Hospice patients, cancer treatment, ≤5-day supply in the ER or post-surgery, dispensing practitioner administering in office, patients in a comprehensive pain-management program |
How California Rules Hit by Specialty
Behavioral health
Cal. Health & Safety Code § 123145 retention applies to mental-health records, but the Lanterman-Petris-Short Act (Welfare & Institutions Code § 5328) layers additional confidentiality and disclosure-consent requirements on top of CMIA. LPS records often require specific written authorization that goes beyond standard CMIA consent forms.
Pediatrics
Cal. Health & Safety Code § 123145 requires a minor's records to be kept until at least one year after the patient turns 18 (age 19) or 7 years from the last date of service, whichever is later, a shorter horizon than states that run pediatric retention to age 25 or beyond. Mandatory child-abuse reporting under Penal Code § 11166, by contrast, is fast: an immediate telephone report, followed by a written report within 36 hours.
Telehealth providers
Out-of-state telehealth providers serving California residents fall under CMIA for breaches of California residents' medical information and must register with CURES 2.0 before prescribing any controlled substance to a California patient. The Medical Board of California requires a California medical license to treat patients located in California, including by telehealth, with only narrow statutory exceptions.
Pharmacy/compounding
California pharmacies face CURES 2.0 dispensing-report obligations (each dispensing of a Schedule II–V controlled substance reported within one working day, Cal. Health & Safety Code § 11165(d)), California State Board of Pharmacy oversight, and CMIA breach exposure. Compounding sites are additionally subject to the Board of Pharmacy's sterile-compounding licensure and regulations (Bus. & Prof. Code § 4127 et seq.). The CURES consultation exemptions listed above apply to prescribers; the dispensing-report duty has no equivalent carve-outs.
Mandatory Reporting Obligations
| Obligation | Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|---|
| Child abuse or neglect (Penal Code § 11166) | Physicians, surgeons, psychiatrists, psychologists, dentists, nurses, dental hygienists, optometrists, chiropractors, podiatrists, EMTs, paramedics, clinical social workers, marriage and family therapists | County child welfare agency or local law enforcement (the receiving agency cross-reports to the others) | Telephone immediately or as soon as practicably possible; written report within 36 hours | Misdemeanor, up to 6 months jail and/or $1,000 fine; up to 1 year if willful | Good-faith reporters immune from civil and criminal liability (Penal Code § 11172) |
| Elder or dependent adult abuse (Welfare & Institutions Code § 15630) | All healthcare practitioners, clinicians, and any person who provides health services | Adult Protective Services or local law enforcement; Long-Term Care Ombudsman or law enforcement for facility residents | Telephone immediately or as soon as practicably possible, written report within 2 working days; for physical abuse in a long-term care facility, within 2 hours if serious bodily injury resulted, otherwise within 24 hours | Misdemeanor, up to 6 months jail and/or $1,000 fine; up to 1 year if great bodily injury or death results | Good-faith reporters immune from civil and criminal liability (Welfare & Institutions Code § 15634) |
| Assaultive or abusive injuries (Penal Code § 11160) | All healthcare practitioners who provide medical services for a physical condition and know or reasonably suspect the injuries result from assaultive or abusive conduct | Local law enforcement | Telephone immediately or as soon as practically possible; written report within 2 working days | Misdemeanor, up to 6 months jail and/or $1,000 fine | Good-faith reporters immune from civil and criminal liability (Penal Code § 11161.9) |
| Communicable disease reporting (17 CCR § 2500) | Physicians, laboratories, healthcare facilities, and health officers | Local Health Officer, who forwards to the California Department of Public Health | Varies by disease on the Title 17 reportable-disease list: immediately by telephone, within 1 working day, or within 7 calendar days of identification | Misdemeanor, $50 to $1,000 fine per violation and/or up to 90 days jail (Health & Safety Code § 120295) | Good-faith reporters immune from civil liability |
| Firearm injuries (Penal Code § 11160) | Every person, firm, or corporation managing any hospital, pharmacy, or clinic, and every physician, treating a patient with a wound inflicted by a firearm, whether self-inflicted or by another | Local law enforcement | Telephone immediately or as soon as practically possible; written report within 2 working days | Misdemeanor, up to 6 months jail and/or $1,000 fine | Good-faith reporters immune from civil and criminal liability (Penal Code § 11161.9) |
California Compliance FAQs
Cal. Health & Safety Code § 1280.15 requires licensed clinics, health facilities, home health agencies and hospices to report a breach of medical information to the California Department of Public Health, and to notify the affected patient, within 15 business days of detecting it, materially stricter than HIPAA's 60-day ceiling. Cal. Civil Code § 1798.82 separately requires notification "in the most expedient time possible and without unreasonable delay", with a sample notice filed with the Attorney General when more than 500 California residents are notified.
Cal. Health & Safety Code § 123145 requires a minor's records to be kept until at least one year after the patient reaches 18, and in no event for less than 7 years from the last date of service, whichever is later. This is shorter than the age-25 standard some states apply; the statute simply ties the floor to the age of majority (18) plus one year.
Yes. CURES 2.0 permits licensed staff working under a documented standing order to run queries as the prescriber's delegate; the prescriber must review and document the result before issuing the prescription, and the query must be run no earlier than 24 hours or the previous business day before prescribing. Unlicensed front-desk staff cannot perform queries. Civil penalties up to $4,000 per violation enforce compliance.
CMIA (Cal. Civil Code § 56.36) authorizes nominal damages of $1,000 per affected patient with no proof of actual harm, plus actual damages and attorneys' fees, and civil penalties of up to $2,500 per negligent violation, $25,000 per knowing and willful violation, and $250,000 where the disclosure was for financial gain. Class-action plaintiffs can aggregate the $1,000 nominal award across all affected patients, producing settlements in the millions for moderate breaches.
Notice to more than 500 California residents from a single breach triggers mandatory California Attorney General notification under Cal. Civil Code § 1798.82. A sample copy of the notice is submitted through the California Department of Justice's online breach-reporting form and is published on the AG's public list of breach notifications.
Stay audit-ready in California
GuardWell tracks California-specific breach deadlines, retention periods, CURES 2.0 PDMP queries, and mandatory reporting obligations automatically.
