
HIPAA Business Associate Agreements in California — CMIA, CCPA, and BAA Term Implications

By BAA Generator Research Team  ·  Published Apr 27, 2026  ·  Last reviewed Apr 27, 2026  ·  6 min read

Quick answer: HIPAA establishes a federal floor for Business Associate Agreements. Under HIPAA's preemption rule (45 CFR § 160.203), a state law that is more stringent than the Privacy Rule is not preempted, so California's stricter health-privacy laws continue to apply alongside HIPAA. A BAA executed for a covered entity or business associate operating in California should therefore explicitly address the state-specific obligations below, not just the HIPAA baseline. California regulators and the state Attorney General can investigate and enforce state law independently of HHS OCR, and the CMIA also gives patients a private right of action.

California laws affecting BAA terms

Confidentiality of Medical Information Act (CMIA)

Cal. Civil Code § 56 et seq.

Stricter than HIPAA. CMIA prohibits disclosure of medical information without written authorization, with narrower exceptions than HIPAA permits, and unlike HIPAA it gives patients a private right of action (Cal. Civ. Code § 56.36) with statutory damages in addition to any regulatory enforcement. BAAs in California should explicitly bind business associates to CMIA-level confidentiality, not merely HIPAA-floor protections, because a vendor that meets the HIPAA floor can still be liable under CMIA.

California Consumer Privacy Act (CCPA) / CPRA

Cal. Civil Code § 1798.100 et seq.

PHI that is already governed by HIPAA, and medical information governed by CMIA, is exempt from the CCPA (Cal. Civ. Code § 1798.145), but the CCPA still covers any personal information the business associate handles that falls outside those exemptions, such as marketing data, website analytics, or employee and vendor records. BAAs should state how the CCPA/CPRA "do not sell or share," right-to-delete, and right-to-know provisions apply to that non-PHI data, so that the exemption is not assumed to cover everything the BA receives.

California Online Privacy Protection Act (CalOPPA)

Cal. Bus. & Prof. Code § 22575

Operators of commercial websites or online services that collect personally identifiable information from California residents must conspicuously post a privacy policy. This is less directly relevant to BAA terms, but it is operationally important for BAs with a public web presence in California.

What California BAAs should add to the HHS model

Operational notes

If your covered entity is based in California, every BAA you sign with a vendor handling PHI of your patients should bind that vendor to California's state-law obligations in addition to HIPAA. The HHS model BAA satisfies federal requirements but doesn't include state-specific language by default.

If your business associate operates in multiple states, the usual practice is to bind the BA to the strictest applicable state's requirements rather than enumerating each state's rules separately; because HIPAA does not preempt more stringent state law, the strictest standard is the one the BA must meet anyway. Practices in California typically reference California's rules by name in the BAA's "compliance with applicable law" clause so that CMIA obligations are unambiguously part of the contract.

For broader 2024–2026 HIPAA Privacy Rule context, see HIPAA BAA requirements. For state law and HIPAA interaction generally, see ComplyCreate's HIPAA vs state privacy laws guide.

Generate a compliant BAA in 5 minutes

HHS model BAA provisions · 45 CFR § 164.504(e) compliant · $49 one-time · clean PDF + editable Word

No subscription · PDF + Word · Free watermarked preview

Your practice also needs an NPP

A BAA covers vendor relationships. The Notice of Privacy Practices is the patient-facing document required under § 164.520. California state law also affects NPP content.

Generate an NPP at NPP Generator →