Fee petition mechanics · Updated June 2026
California Confidentiality of Medical Information Act attorney fee petition mechanics: CDPH Office of Health Information Integrity complaint as primary Welch anchor under Civ. Code § 56.36, unauthorized medical information release advisory, and CMIA fee petition advisory
California Confidentiality of Medical Information Act (CMIA, Civ. Code §§ 56–56.37) solos billing hourly on Civ. Code § 56.36(b) attorney fees — in actions where the primary Welch temporal anchor is the CALIFORNIA DEPARTMENT OF PUBLIC HEALTH (CDPH) OFFICE OF HEALTH INFORMATION INTEGRITY (OHII) COMPLAINT CASE NUMBER (assigned at cdph.ca.gov/Programs/OHII when a patient or their representative files a complaint about unauthorized release of confidential medical information under CMIA; the CDPH OHII complaint case number is the ONLY primary Welch anchor in the fee-petition-mechanics series in a CALIFORNIA DEPARTMENT OF PUBLIC HEALTH OFFICE OF HEALTH INFORMATION INTEGRITY (CDPH OHII) COMPLAINT DATABASE — CDPH OHII is the CDPH division that enforces CMIA medical information privacy under a separate division, separate intake track, and separate case numbering from the CDPH Licensing and Certification Program's LTC facility complaint database used in california-long-term-care-residents-rights-hsc-1430 (tier_yy); distinct from the CRD FEHA/Unruh Act complaint databases; distinct from every DLSE administrative track (DLSE wage claim tier_vv, DLSE equal pay tier_xx, DLSE WPP tier_yy); distinct from the CCPA data breach class action practice area (tier_uu: ccpa-data-breach-private-right) which involves cybersecurity breaches at covered CCPA businesses affecting consumer personal information via PACER federal class action dockets; distinct from every county recorder instrument, every Superior Court CMS filing, and every private commercial document in the series; CMIA is California-specific medical information confidentiality law that provides a private right of action for individual patients — unlike HIPAA which has no private right of action; the CDPH OHII complaint is filed by the patient before retaining civil litigation counsel, making it the earliest government record in a § 56.36 civil matter, predating any civil complaint and any demand letter) — generate three billing gaps driven by advisory calls on the CDPH OHII investigation calendar and the unauthorized disclosure scope investigation calendar outside plaintiff counsel's scheduling control: CDPH OHII complaint filing and § 56.10 unauthorized disclosure analysis and § 56.36(b) $1,000 nominal damages and attorney fees theory advisory calls (7 clients × 2 calls × 42 min × 55% untracked ≈ 5.39 hrs = $1,617–$2,695/year at $300–$500/hr), disclosure scope investigation and § 56.35 covered entity analysis and § 56.36(b) actual damages and punitive damages advisory calls (6 clients × 3 calls × 44 min × 55% untracked ≈ 7.26 hrs = $2,178–$3,630/year), and § 56.36(b) attorney fee petition advisory calls (5 clients × 2 calls × 44 min × 55% ≈ 4.03 hrs = $1,210–$2,017/year). For a solo California CMIA practice, the annual billing gap from advisory call underlogging is $5,005–$8,342.
TL;DR
ClaimHour captures every CDPH OHII complaint date advisory call that starts the § 56.36(b) fee documentation period, every unauthorized disclosure scope investigation advisory call on the healthcare provider's disclosure calendar, and every § 56.36(b) attorney fee petition advisory call on the post-judgment calendar — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.
CDPH OHII complaint filing and § 56.10 unauthorized disclosure analysis and § 56.36(b) nominal damages and attorney fees theory advisory: calls on the complaint intake and healthcare regulatory calendar
The California Department of Public Health Office of Health Information Integrity (CDPH OHII) Complaint Case Number — assigned at cdph.ca.gov/Programs/OHII — is the primary Welch temporal anchor for Civ. Code § 56.36(b) attorney fee billing documentation. California CMIA practice is the ONLY practice area in the fee-petition-mechanics series where the primary Welch anchor is in a CDPH OHII COMPLAINT DATABASE, distinct from all other CDPH divisions (including CDPH Licensing and Certification Program used in long-term-care-residents-rights tier_yy). CDPH OHII processes CMIA complaints under Civ. Code §§ 56–56.37 — California's Confidentiality of Medical Information Act — which applies to healthcare providers (doctors, hospitals, clinical laboratories, pharmacies, dentists, mental health professionals), health insurers, contractors to healthcare providers (medical billing companies, health IT vendors, transcription services), pharmaceutical company representatives, and employers with employee health information. CMIA is more protective than HIPAA in two key ways: CMIA allows individual civil suits (§ 56.36(b)) while HIPAA provides no private right of action; CMIA's $1,000 nominal damages per violation requires no proof of actual harm. The CDPH OHII complaint predates any civil complaint filing — patients frequently contact CDPH OHII as their first government resource after discovering an unauthorized disclosure — making the OHII complaint case number the earliest government record in a § 56.36 civil matter. For Hensley lodestar purposes, advisory calls made at or after the CDPH OHII complaint date are compensable in the § 56.36(b) fee petition.
Three CDPH OHII complaint and § 56.10 analysis advisory call types generate untracked billing: (1) CDPH OHII complaint strategy and § 56.10 authorized vs. unauthorized disclosure analysis advisory — arrives when patient retains counsel after discovering medical information release (requiring § 56.10 authorized disclosure exceptions: treatment (sharing with treating providers in the care team); payment (sharing with health plan for billing); health care operations (quality review, utilization management); § 56.10(b) mandatory disclosures: law enforcement with court order; workers' compensation; child/elder/dependent adult abuse mandatory reporting; coroner; was the disclosure to any non-authorized recipient: employer (outside § 56.20 employment-context exception); media; family member without authorization; another patient; insurance company for non-treatment purpose; § 56.36(b)(1): $1,000 nominal damages per violation regardless of actual harm — no need to prove damages at this advisory stage; CDPH OHII complaint case number as primary Welch anchor; statute of limitations analysis: California courts apply CCP § 335.1 (2 years from discovery of violation) or CCP § 338 (3 years from act) — advisory call analyzes which SOL applies based on when patient discovered the disclosure — 42–48 min per call); (2) heightened-protection categories advisory — arrives when disclosed information includes sensitive categories (requiring § 56.10(c) heightened protections: mental health and psychiatric records (not disclosed without specific written authorization beyond standard medical authorization); substance use disorder treatment records (§§ 56.10–56.30 heightened restrictions; concurrent federal 42 C.F.R. Part 2 protections for federally assisted substance use disorder programs); HIV/AIDS-related information (Health & Safety Code § 120980 specific consent requirement); genetic information (§§ 56.17–56.18 genetic information restrictions; concurrent GIPA protections); reproductive health information (§ 56.10(c)(11) protections added by SB 107 (2022)); financial penalties for disclosure of heightened-protection categories: CDPH OHII can impose civil penalties up to $25,000 per violation for intentional disclosure; § 56.36(c) CDPH OHII-imposed civil penalty up to $3,000 per violation — 42–48 min); (3) HIPAA vs. CMIA parallel complaint strategy advisory — arrives when deciding whether to file OCR HIPAA complaint alongside CDPH OHII CMIA complaint (requiring Office for Civil Rights (OCR) HIPAA complaint at hhs.gov/hipaa/filing-a-complaint: OCR investigates HIPAA violations and can impose civil monetary penalties (CMPs) up to $1,919,173 per violation category per year; OCR complaint does NOT create a private right of action — the CMPs go to HHS, not to the patient; CMIA § 56.36(b) is the California individual's civil remedy that runs parallel to any OCR HIPAA investigation; joint OCR/CDPH OHII complaint strategy may provide leverage in pre-litigation settlement negotiations; CDPH OHII investigation findings are not binding on California courts for § 56.36(b) civil action purposes, but may be valuable as evidence — 42–48 min). At 55% untracked: 7 clients × 2 calls × 42 min × 55% = 323.4 min / 60 = 5.39 hours = $1,617–$2,695/year at $300–$500/hr.
Unauthorized disclosure scope investigation and § 56.35 covered entity analysis and § 56.36(b) actual damages and punitive damages advisory: calls on the healthcare disclosure investigation calendar
The unauthorized disclosure scope investigation calendar — set by the healthcare provider's records systems, the defendant's document retention policies, and the availability of health IT forensics experts — is entirely outside plaintiff counsel's scheduling control. Each disclosure to a different unauthorized recipient may constitute a separate § 56.36(b) violation with a separate $1,000 nominal damages minimum. Civ. Code § 56.35 establishes covered entity liability: healthcare providers, health service plans, contractors, and employers. The investigation advisory calls that arrive as the scope of the unauthorized disclosure is revealed through records requests, litigation discovery, and CDPH OHII investigation findings are systematically underlogged because they arrive on the defendant healthcare entity's disclosure calendar and the CDPH investigation timeline — neither of which the plaintiff's attorney controls. Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983) lodestar from CDPH OHII complaint date. Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.
Three disclosure scope investigation advisory call types generate untracked billing: (1) unauthorized recipient identification and § 56.36(b) per-violation nominal damages calculation advisory — arrives as the scope of the disclosure is revealed (requiring identification of each unauthorized recipient: employer HR department; insurance company outside treatment/payment context; media outlet; employer's attorney; family member without authorization; business associate without proper BAA (Business Associate Agreement)); § 56.36(b)(1) per-violation count: each disclosure to each unauthorized recipient = separate $1,000 nominal damages minimum; Pettus v. Cole (1996) 49 Cal.App.4th 402 — CMIA applies broadly to disclosures within healthcare organizations when information is provided to persons who need not have it in their treatment/payment/operations role; employer context under § 56.20: employer can only access employee medical information provided to it in the employment context (disability accommodation, FMLA, workers' compensation) — disclosure by employer HR to non-HR personnel = CMIA violation — 44–50 min); (2) § 56.36(b)(2)–(3) actual damages and punitive damages scope advisory — arrives when plaintiff's actual harm is quantified (requiring actual damages documentation: emotional distress from knowing personal medical information was disclosed (may include therapy records); reputational harm if disclosed diagnosis affected employment, relationships, or community standing; health insurance premium increases if disclosure resulted in insurer learning of pre-existing condition outside treatment context; lost employment opportunities if employer learned of medical condition affecting employment decisions; § 56.36(b)(3) punitive damages: was the disclosure intentional or reckless; Civ. Code § 3294 oppression/fraud/malice standard; § 56.36(c) intentional disclosure — CDPH OHII can impose civil penalty up to $3,000 per violation for intentional disclosure in addition to § 56.36(b) civil remedies; § 3345 enhanced civil penalties if patient is elderly or disabled — 44–50 min); (3) contractor liability and BAA breach analysis advisory — arrives when the disclosure was made by a healthcare contractor (medical billing company, health IT vendor, transcription service) rather than by the healthcare provider directly (requiring § 56.13 contractor restrictions: contractor who receives medical information from healthcare provider can only use it for the stated purpose and cannot re-disclose it; § 56.36(b) liability: the contractor who made the unauthorized re-disclosure; the healthcare provider who shared with the contractor under an improperly structured contract; HIPAA Business Associate Agreement (BAA) breach as concurrent claim basis: if the contractor violated the BAA, the provider may have claims against the contractor; whether contractor has cyber liability insurance covering CMIA civil damages — 44–50 min). At 55% untracked: 6 clients × 3 calls × 44 min × 55% = 435.6 min / 60 = 7.26 hours = $2,178–$3,630/year at $300–$500/hr.
§ 56.36(b) attorney fee petition advisory: calls on the post-judgment calendar
Civil Code § 56.36(b)(4) — 'an award of reasonable attorney's fees and costs' — provides attorney fees as part of the CMIA civil remedy available to a prevailing plaintiff. The § 56.36(b) fee petition requires a Hensley lodestar from the CDPH OHII complaint date (or first substantive advisory call date if no CDPH complaint was filed) through all phases of the civil litigation. The fee petition integrates three advisory billing phases: CDPH OHII complaint filing advisory calls (Phase 1), disclosure scope investigation advisory calls (Phase 2), and litigation through judgment. Ketchum v. Moses 24 Cal.4th 1122 (2001) positive multiplier: the contingent risk of establishing that the healthcare entity's disclosure was unauthorized under § 56.10 — and not covered by any treatment/payment/operations exception — supports the Ketchum multiplier for the § 56.36(b) California statutory fee component. PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000) California prevailing market rate. Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees for § 56.36(b) fee petition preparation. If concurrent UCL § 17200 claim (unauthorized medical information disclosure as unlawful business practice): § 1021.5 private attorney general fees require separate three-part public benefit test and separate lodestar documentation.
Two § 56.36(b) post-judgment advisory call types generate untracked billing: (1) § 56.36(b) fee petition assembly and OHII-complaint-to-judgment lodestar advisory — arrives when plaintiff prevails at trial or settlement (requiring § 56.36(b) fee petition: Hensley lodestar from CDPH OHII complaint date through § 56.10 unauthorized disclosure analysis through disclosure scope investigation through civil complaint through judgment; hour categorization: CMIA § 56.36(b) claim hours (§ 56.36(b)(4) fees); concurrent UCL § 17200 hours (§ 1021.5 fees — separate public benefit test); concurrent FEHA claim if medical information disclosure was also used in an employment discrimination context (Gov. Code § 12965(b) fees — separate FEHA fee documentation); Ketchum positive multiplier for contingent CMIA liability risk; PLCM Group prevailing market rate; Missouri v. Jenkins fees-on-fees — 44–50 min); (2) CDPH OHII civil penalty coordination advisory — arrives when CDPH OHII has independently imposed civil penalties under § 56.36(c) (requiring coordination of civil penalty timeline with private § 56.36(b) civil action; § 56.36(c) CDPH-imposed civil penalties are non-duplicative of § 56.36(b) civil damages — both remedies available simultaneously; CDPH OHII findings from investigation: are the OHII investigative findings admissible in the § 56.36(b) civil action; settlement demand calculation: civil damages (§ 56.36(b) nominal + actual + punitive) plus civil penalty (§ 56.36(c)) plus attorney fees — 44–50 min). At 55% untracked: 5 clients × 2 calls × 44 min × 55% = 242 min / 60 = 4.03 hours = $1,210–$2,017/year at $300–$500/hr.
How ClaimHour fits California CMIA practice
California Confidentiality of Medical Information Act (CMIA) solos billing hourly on Civ. Code § 56.36(b) attorney fees — with CDPH OHII complaint filing advisory calls arriving when patients discover unauthorized medical information releases and contact CDPH before retaining civil counsel, unauthorized disclosure scope investigation advisory calls arriving as records requests and CDPH OHII investigation findings reveal the extent of the healthcare entity's disclosure on a timeline controlled by CDPH and the defendant's discovery responses, and § 56.36(b) attorney fee petition advisory calls arriving on the post-judgment calendar — and if your § 56.36(b) lodestar documentation must satisfy the Hensley contemporaneous-record standard from the CDPH OHII complaint date (the ONLY CDPH Office of Health Information Integrity primary Welch anchor in the fee-petition-mechanics series — a CDPH OHII government agency record distinct from CDPH LTC Licensing and Certification Program complaint (tier_yy), from CRD FEHA/Unruh complaints, from every DLSE administrative track, from CCPA data breach class action PACER dockets (tier_uu), and from every county recorder instrument and private commercial document in the series), through the § 56.10 unauthorized disclosure analysis, through the California Superior Court civil complaint filing date, through the § 56.36(b) fee petition, ClaimHour was built for that gap.
Related questions
Does CMIA § 56.36(b) provide attorney fees to defendants who prevail, or only to prevailing plaintiffs?
Civ. Code § 56.36(b)(4) provides for attorney fees as part of the civil remedy available to 'any individual' who brings a CMIA action — structuring fees as part of the plaintiff's recoverable civil remedies, not as a symmetric bilateral fee provision. California courts have not broadly applied § 56.36(b)(4) to award fees to prevailing defendants. This distinguishes CMIA from the § 52(a) Unruh Act (symmetric fee provision for both prevailing plaintiff and defendant), the § 1102.13 Transfer Disclosure Statement (symmetric prevailing party provision), and the § 7168 Contractor License Law (symmetric prevailing party provision). Accordingly, the § 56.36(b) fee petition risk analysis for client counseling focuses exclusively on the affirmative recovery of attorney fees by a prevailing plaintiff — not on the defendant's potential fee-shifting exposure against the client.
How does the CMIA § 56.36(b) civil remedy interact with the HIPAA Breach Notification Rule and OCR complaint timeline?
The HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) requires covered entities to notify affected individuals within 60 days of discovering a breach of unsecured protected health information. When the healthcare provider sends the required HIPAA breach notification letter to the patient, this often serves as the patient's first actual knowledge of the unauthorized disclosure — triggering the CMIA statute of limitations. The attorney's advisory calls analyzing the HIPAA breach notification letter's scope and the CMIA § 56.36(b) civil remedies available are compensable from the date of receipt of that breach notification letter (which predates any CDPH OHII complaint filing or civil complaint). If the client files both a CDPH OHII CMIA complaint and an OCR HIPAA complaint, the two investigations proceed in parallel: OCR's investigation may result in HIPAA CMPs payable to HHS (no money to patient); CDPH OHII's investigation may result in § 56.36(c) civil penalties; and the § 56.36(b) civil action provides the patient's actual monetary recovery. All three timelines — OCR investigation, CDPH OHII investigation, and Superior Court civil action — generate independent advisory calls that must be contemporaneously documented from the CDPH OHII complaint date as the primary Welch anchor.