CCPA vs HIPAA: What Small Businesses Need to Know in 2026

CCPA and HIPAA are the two most consequential US privacy laws for small businesses. Many companies must comply with both. Here's a clear breakdown of what each requires and how they interact.

Who Must Comply: CCPA (CPRA)

The California Consumer Privacy Act (CCPA), as amended by the CPRA effective Jan 1, 2023, applies to for-profit businesses that: (1) have $25M+ gross annual revenue, OR (2) buy, sell, receive, or share the personal data of 100,000+ consumers or households per year, OR (3) derive 50%+ of annual revenue from selling or sharing consumers' personal information. Threshold 2 catches many mid-size e-commerce, SaaS, and data companies. Businesses outside California that collect data from California residents must also comply. Source: Cal. Civ. Code § 1798.100 et seq.

Who Must Comply: HIPAA

HIPAA applies to 'covered entities'—healthcare providers that transmit health information electronically (virtually all modern practices), health plans, and healthcare clearinghouses—and their 'business associates' (vendors, tech providers, billing services that access protected health information). There is NO revenue threshold. A 2-person medical practice must comply. A software vendor that processes patient records must comply as a business associate and sign a BAA. Source: 45 CFR Parts 160 and 164.

Key Requirements: CCPA vs HIPAA

CCPA requires: privacy notice at collection, right to know (consumers can request their data), right to delete, right to opt-out of sale/sharing, no discrimination for exercising rights. HIPAA requires: Notice of Privacy Practices, minimum necessary use standard, patient right to access records (within 30 days), Business Associate Agreements with all vendors touching PHI, security risk analysis (annual), breach notification within 60 days of discovery. HIPAA is significantly more prescriptive; CCPA gives more implementation flexibility.

Penalties: The Real Stakes

CCPA civil penalties: $2,500 per unintentional violation, $7,500 per intentional violation (enforced by CA AG). Private right of action for data breaches: $100–$750 per consumer per incident. HIPAA penalties: $137–$68,928 per violation per category, with annual cap of $2,067,813 per identical violation type. Criminal penalties: up to 10 years imprisonment for willful violations. The largest HIPAA settlement to date: $16M (Anthem, 2018). Source: CA AG CCPA enforcement, HHS OCR HIPAA enforcement data.

Do They Overlap?

Yes. A healthcare app that serves California consumers may face both. HIPAA's PHI definition is narrower than CCPA's 'personal information'—data that has been de-identified under HIPAA may still be personal information under the CCPA. HIPAA preempts contrary state privacy law only where the state law is less protective; CPRA provisions that are more protective than HIPAA still apply. Most healthcare tech companies therefore build compliance for both at the same time. Use the Stack Network Business Decision Advisor for a situation-specific analysis.