HIPAA Compliant Website Requirements in California: ADA and Privacy Law Risks
Summary
Healthcare websites in California face stricter requirements than in most states. Beyond HIPAA’s federal rules for protecting patient data, providers must also address accessibility obligations under the ADA and Unruh Civil Rights Act, and privacy requirements under the CCPA/CPRA. Together, these overlapping laws create a risk landscape where inaccessible design, missing cookie consent, or failure to provide the “Do Not Sell or Share My Personal Information” functionality can result in lawsuits, fines, and reputational harm.
Why California is different
Across the United States, HIPAA defines how healthcare providers must protect patient data online. But in California, compliance goes further.
- HIPAA: Federal standards for securing Protected Health Information (PHI).
- ADA Title II & III and the Unruh Act: Accessibility and disability rights requirements.
- California Consumer Privacy Act (CCPA), amended by CPRA: Broad privacy protections for all personal data.
- California Confidentiality of Medical Information Act (CMIA): Stricter rules on handling medical information, overlapping with HIPAA.
For hospitals, dental practices, telehealth platforms, and other healthcare providers in California, this means HIPAA compliance is only the starting point. Overlooking state-specific obligations can lead to lawsuits, regulatory enforcement, and costly penalties.
(For a national overview, see our HIPAA Website Compliance Guide for Clinics and Providers.)
Risk 1: Inaccessible websites under ADA and Unruh Act
Healthcare websites must be accessible to patients with disabilities. Without accessible design, patients may struggle to book appointments, complete intake forms, or access health information.
- ADA Title III: Applies to private healthcare providers as “places of public accommodation.”
- ADA Title II: Covers public hospitals and county-run clinics; DOJ requires WCAG 2.1 AA compliance by 2026–2027.
- Unruh Act: Extends ADA protections in California and adds statutory damages of $4,000 per violation plus attorney’s fees.
Common accessibility barriers
- Keyboard navigation failures
- Missing form labels and instructions
- Inaccessible PDFs or medical documents
- Poor color contrast
Penalty overview:
| Law | Applies to | Typical penalties | Example for clinics |
|---|---|---|---|
| ADA Title III | Private clinics | Attorney’s fees, injunctive relief | Lawsuit over inaccessible booking form |
| ADA Title II | Public hospitals/clinics | DOJ enforcement, remediation costs | Public hospital site with unreadable PDFs |
| Unruh Act | California businesses | $4,000 per violation + fees | Multiple inaccessible intake form fields |
Action for providers
Conduct accessibility audits against WCAG 2.1 AA and remediate flagged issues. Provide tools for patients to adjust text size, color contrast, and navigation, and include a channel for reporting accessibility concerns. Regularly scan your website for accessibility gaps using tools like Clym’s Accessibility Scanner, which helps identify barriers other testing tools and audits might miss.
Healthcare providers can add Accessibility Widgets to help patients adjust text size, contrast, and navigation in real time. Providers also need a clear channel for accessibility issue reporting. For example, Clym separates these functions by providing customization through its Accessibility Widget and issue reporting through its Governance Portal.
Lawsuit trends: California recorded more than 3,200 ADA website accessibility case filings in 2024, the highest in the nation. While many of these filings are settled or dismissed early, the volume highlights California as the leading state for ADA accessibility litigation. You can learn more about ADA lawsuit trends in our guide on ADA website lawsuits.
Risk 2: Cookie consent and tracking technologies under CPRA and HIPAA
California’s CCPA/CPRA regulates broad categories of personal data such as IP addresses, browsing behavior, and device identifiers. HIPAA adds an extra layer of restrictions when tracking technologies touch Protected Health Information (PHI). In practice, this means HIPAA obligations expand on CPRA where PHI is involved, creating stricter requirements for healthcare providers than for other businesses. Many clinics focus only on HIPAA and overlook CPRA obligations, or vice versa, which can create legal gaps.
- Penalties under CPRA: $2,500–$7,500 per violation.
- Enforcement focus: The California Privacy Protection Agency (CPPA) requires businesses to honor Global Privacy Control (GPC) signals.
- HIPAA tracking guidance: HHS has clarified that tracking technologies (such as analytics pixels or cookies) that collect PHI require a valid HIPAA authorization in a specific format not addressed by CPRA. This makes HIPAA more restrictive where patient health data is concerned.
- Patient rights: Californians can submit Data Subject Requests (DSRs) under CPRA that must be processed within statutory timelines.
Action for providers
Under CPRA, healthcare providers need to:
- Publish a privacy notice that explains what categories of personal information are collected, how it’s used, and whether it is sold or shared.
- Provide an easy way for visitors to opt out of data sharing, including honoring Global Privacy Control (GPC) browser signals.
- Keep a consent log that records when and how each choice was made.
Under HIPAA, the rules go further when tracking technologies capture protected health information (PHI). According to HHS guidance, analytics tools, pixels, or cookies that handle PHI require a valid HIPAA authorization. This authorization follows a specific format under the HIPAA Privacy Rule and is separate from CPRA consent. Because HIPAA applies directly to online tracking, it effectively extends cookie consent requirements and may also overlap with honoring GPC signals where PHI is involved. In practice, healthcare providers in California need to manage two layers: CPRA consent and opt-out rights for general personal data, and HIPAA authorization for tracking technologies that touch PHI.
To meet these combined obligations, providers must deploy mechanisms that capture and record CPRA choices and, where PHI is implicated, present the HIPAA authorization format required by federal law. This dual approach means that both state-level privacy rights and federal healthcare privacy protections are addressed.
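The two layers described above, as a server-side decision function. This is an added example, not Clym’s code or anything from the original page; the request and consent shapes, the PHI_PATHS list, the category split (first-party analytics versus sharing) and the consentLog are assumptions made for the illustration.

```javascript
// Added example (not Clym's code): decide which tracking technologies a California
// healthcare site may load on a request.
// Layer 1 (CPRA): honour the opt-out choice and the GPC browser signal.
// Layer 2 (HIPAA): on pages that touch PHI, also require a valid HIPAA authorization.
// PHI_PATHS, consentLog and the request/consent object shapes are hypothetical.

const PHI_PATHS = ["/portal", "/appointments", "/intake"]; // constructed: pages that handle PHI
const consentLog = []; // CPRA record of when and how each choice was applied

// GPC is sent by the browser as the request header "Sec-GPC: 1"
// (client-side the same signal is exposed as navigator.globalPrivacyControl).
function gpcSignalled(headers) {
  return String(headers["sec-gpc"] || "").trim() === "1";
}

function touchesPhi(path) {
  return PHI_PATHS.some((prefix) => path === prefix || path.startsWith(prefix + "/"));
}

// consent: { source: "banner"|"none", analytics: bool, sharing: bool, optOutSaleShare: bool }
// hipaaAuthorization: { valid: bool, signedAt: string } or null
function decideTracking(request, consent, hipaaAuthorization) {
  const headers = request.headers || {};
  const gpc = gpcSignalled(headers);
  const phi = touchesPhi(request.path);
  // CPRA: a GPC signal is a valid opt-out of sale/sharing and overrides an earlier banner "accept".
  const optedOut = gpc || consent.optOutSaleShare === true;
  // HIPAA: trackers that capture PHI need a valid HIPAA authorization; CPRA consent alone is not enough.
  const hipaaOk = !phi || (hipaaAuthorization !== null && hipaaAuthorization.valid === true);
  const decision = {
    essential: true,                                           // needed to serve the page, no tracker
    analytics: consent.analytics === true && hipaaOk,          // first-party measurement (assumed not "sharing")
    sharing: consent.sharing === true && !optedOut && hipaaOk, // ad pixels / cross-context sharing
  };
  consentLog.push({
    at: new Date().toISOString(), path: request.path, gpc, phi,
    basis: gpc ? "gpc-signal" : consent.source,
    hipaaAuthorization: phi ? hipaaOk : "n/a",
    decision,
  });
  return decision;
}

function lastLogEntry() {
  return consentLog[consentLog.length - 1];
}
```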
Clym’s all-in-one digital compliance solution provides privacy notice and HIPAA authorization form tools, which combine cookie banners, GPC handling, and HIPAA consent workflows in one place.
Risk 3: “Do Not Sell or Share My Personal Information” under CCPA/CPRA
Under CPRA, patients and consumers have the right to request that businesses stop selling or sharing their personal information. This right covers identifiers such as IP addresses, browsing history, and contact details, not only PHI under HIPAA.
Penalties: $2,500–$7,500 per violation.
Scope: Applies to data collected through websites, analytics, or third-party tools.
Obligations: Providers must display a clear “Do Not Sell or Share My Personal Information” option and respond to requests within statutory timelines.
Penalty overview:
| Law | Applies to | Typical penalties | Practical action |
|---|---|---|---|
| HIPAA | PHI in forms, portals | $100–$50,000 per violation | Encrypt forms, sign BAAs |
| Breach laws | Breaches affecting >500 residents | State + federal reporting obligations | Implement breach response policies |
Action for providers
Healthcare providers should make it simple for patients to exercise their CPRA rights by adding a “Do Not Sell or Share My Personal Information” link and setting up workflows to intake, track, and respond to data subject requests. As an example, Clym provides functionality to centralize these requests, making it easier for providers to respond on time and maintain records.
Other California laws impacting healthcare websites
Confidentiality of Medical Information Act (CMIA)
California’s CMIA provides additional protections for medical information, requiring stricter authorization processes and audit trails than HIPAA in some cases. While CMIA primarily governs offline handling of medical data, maintaining secure digital workflows (e.g. clear privacy notices, secure communications) supports compliance across both HIPAA and CMIA.
Californian healthcare website compliance checklist
| Risk area | Law(s) involved | Practical action |
|---|---|---|
| Accessibility | ADA Title II & III, Unruh Act | WCAG 2.1 AA audit, accessibility tools, patient feedback |
| Cookie consent | CCPA/CPRA | Deploy banners, honor GPC, update privacy notices, log consent |
| DSR requests | CCPA/CPRA | Provide “Do Not Sell or Share My Personal Information” link, intake, and resolve requests |
| PHI handling | HIPAA + CMIA | Encrypt data, sign BAAs, maintain authorization workflows |
Tip for providers: A layered strategy is essential in California. HIPAA governs Protected Health Information, including how cookies and tracking technologies must be authorized when PHI is involved, and this can also affect the handling of GPC signals. CPRA establishes rules for broader personal data and data subject requests. ADA and the Unruh Act address accessibility obligations. Together, these requirements mean providers need both HIPAA authorization mechanisms for tracking technologies and CPRA processes for broader personal data requests.
Managing overlapping requirements
California’s legal environment requires healthcare providers to balance multiple obligations. On a single website, providers may need:
- Accessibility tools for patients with disabilities.
- Consent banners that respect CPRA choices and GPC signals, with additional HIPAA authorization requirements when cookies or tracking technologies capture PHI.
- DSR functionality for “Do Not Sell/Share” requests.
- HIPAA workflows for PHI.
Managing these with separate vendors can be complex. Some platforms, like Clym, integrate accessibility controls, consent management, HIPAA authorization, DSR tracking, and policy publishing in one place, helping providers simplify compliance and maintain stronger records.
Conclusion
California healthcare websites face overlapping compliance risks: ADA and Unruh Act accessibility obligations, CPRA cookie consent and DSR functionality, and HIPAA/CMIA requirements for PHI. Each carries legal, financial, and reputational consequences. By addressing these risks with structured workflows, healthcare providers can reduce exposure, streamline compliance, and build patient trust.
FAQs
Yes. Under ADA Title III and the Unruh Act, healthcare websites must be accessible. Courts generally require WCAG 2.1 AA compliance.
The Unruh Civil Rights Act is a California law that extends ADA protections and allows statutory damages of $4,000 per violation.
A DSR is a consumer request under CPRA to access, delete, or opt out of the sale or sharing of personal information.
Yes. If a provider’s website shares personal data for analytics, advertising, or cross-context behavioral purposes, CPRA requires a visible opt-out link.
HIPAA is a federal law covering PHI nationwide, while California’s CMIA adds stricter rules for medical information, including stronger authorization and disclosure requirements.
In California, any ADA violation is also a violation of the Unruh Civil Rights Act, which allows plaintiffs to claim $4,000 per violation plus attorney’s fees.
GPC is a browser signal that communicates a user’s choice to opt out of the sale or sharing of personal data. California requires businesses to honor it as a valid opt-out request.
No. HIPAA only protects Protected Health Information (PHI), regardless of how it is collected (forms, portals, or tracking technologies). California healthcare websites must also address other legal risks: ADA accessibility requirements, Unruh Act liability, and CPRA privacy rights covering broader personal data such as IP addresses and browsing behavior.
No. HIPAA governs PHI, while CPRA covers broader personal data like IP addresses or website tracking information.
CMIA is a California law with stricter requirements for medical information. It overlaps with HIPAA but imposes additional obligations on providers in the state.