HIPAA vs CCPA/CPRA
A detailed comparison to help you understand the differences, similarities, and when you need each framework.
Quick Overview
HIPAA
HIPAA is a US federal law establishing national standards for the protection of Protected Health Information (PHI). It applies to covered entities and their business associates in the healthcare ecosystem and comprises the Privacy Rule, Security Rule, and Breach Notification Rule, enforced by the HHS Office for Civil Rights.
CCPA/CPRA
The California Consumer Privacy Act, amended by CPRA, is a state privacy law that grants California residents rights over their personal information including the right to know, delete, correct, and opt-out of data sales. It applies to for-profit businesses meeting specified revenue or data volume thresholds.
What They Have in Common
- Both aim to protect individuals' sensitive personal information from misuse and unauthorized access
- Both require transparency about data collection and usage practices through notices and disclosures
- Both provide individuals with certain rights to access information held about them
- Both impose obligations for data breach notification when security incidents occur
- Both require organizations to maintain reasonable security measures for protected data
Key Differences
| Aspect | HIPAA | CCPA/CPRA |
|---|---|---|
| Scope | Specifically protects PHI within the US healthcare ecosystem | Broadly protects personal information of California residents across all industries |
| Preemption | HIPAA preempts state law — PHI held by covered entities is generally exempt from CCPA | Explicitly exempts information governed by HIPAA from its scope |
| Applicability | Applies to covered entities and business associates regardless of size or revenue | Applies only to for-profit businesses meeting revenue or data volume thresholds |
| Individual rights | Right to access, amend, and receive an accounting of disclosures of PHI | Right to know, delete, correct, opt out of sales, and limit sensitive data use |
| Data sale provisions | Sale of PHI is generally prohibited — permitted uses and disclosures are narrowly defined | Data sales are permitted with opt-out rights and do-not-sell mechanisms |
| Security specificity | Detailed administrative, physical, and technical safeguards with risk assessment requirements | Requires reasonable security measures without prescribing specific safeguards |
| Enforcement | HHS Office for Civil Rights with federal investigation authority | California Privacy Protection Agency and Attorney General; limited private right of action |
| Penalties | Tiered fines up to $1.5M per violation category per year | $2,500-$7,500 per violation; private right of action for data breaches |
Who Needs What?
Healthcare organizations operating in California need to understand the interplay between both laws. PHI held by HIPAA-covered entities is generally exempt from CCPA, but non-PHI data (marketing data, employee data, website analytics) collected by the same organization may fall under CCPA. Health-tech companies that process both PHI and general consumer data must maintain dual compliance programs.
Our Recommendation
Due to CCPA's HIPAA exemption, most healthcare organizations find the overlap manageable. Ensure your HIPAA-covered PHI is properly identified and documented so the exemption clearly applies. For non-PHI data about California residents (website visitors, marketing contacts, employees), implement CCPA compliance separately. A data inventory distinguishing PHI from general personal information is essential for navigating both frameworks.