In the quiet hum of a chiropractic clinic (patients leafing through magazines, the faint clatter of a keyboard, the murmur of a scheduler), there’s an invisible world of data at work. Appointment logs, treatment notes, and health histories flow through digital systems, each byte carrying the weight of patient trust. Now, in California, a new law is tightening the rules on how these clinics manage that information, pulling small practices into a national spotlight on health data privacy. It’s a seismic shift, and for chiropractors, it’s time to act.
Top chiropractic practices lose patients due to inconsistent follow-ups, disrupting flow and stalling revenue. Take charge of your practice’s growth. TrackStat’s EHR-integrated automation and intelligent task prioritization streamline engagement, maximize retention, and keep schedules full without added stress. See how TrackStat empowers your team to retain patients and grow seamlessly. Schedule your risk-free demo today.
New California Privacy Law Reshapes Chiropractic Practices
Signed into law by Governor Gavin Newsom in 2025, Assembly Bill 45 bolsters safeguards for personal data collected near in-person healthcare facilities, including chiropractic offices. Starting January 1, 2026, the law restricts the collection, use, or sharing of data tied to a precise geolocation around these sites unless it’s essential for delivering requested services. It also prohibits geofencing practices, which use location data to target ads or track individuals near healthcare centers, and establishes stricter protections for research records linked to health services. A key feature: individuals harmed by violations can pursue legal action, raising the stakes for compliance.
This law isn’t an isolated move. It’s part of a broader wave of state-level privacy reforms, driven by rising unease over the misuse of sensitive health information. Chiropractic clinics, often lean operations with tight budgets, now face the same regulatory scrutiny as hospitals and corporate providers. The potential for lawsuits under AB-45’s private right of action underscores the urgency: non-compliance could lead to crippling fines or eroded patient confidence.
Technology at a Crossroads
Step into a modern chiropractic office, and you’ll find practice management systems like TrackStat quietly powering the operation: scheduling appointments, managing bills, storing patient records. These tools are indispensable, but they’re also potential weak points under AB-45. If a system uses location data to send appointment reminders, it risks breaching the law’s geofencing ban. The solution lies in robust updates: encryption for data transfers, secure patient portals for access, and automated consent tracking to ensure compliance.
Some clinics are already ahead of the curve. A mid-sized practice in Sacramento, for example, recently upgraded its software to include end-to-end encryption for all patient communications, a direct response to AB-45’s mandates. Others are partnering with vendors offering solutions that meet HIPAA standards, ensuring data is locked down and accessible only to authorized staff. These upgrades come with costs (software licenses, staff training, and system audits aren’t cheap), but they’re essential. As one office administrator noted, “Compliance isn’t just about avoiding fines; it’s about proving to patients their data is safe.”
The challenge extends beyond technology. Clinics must also adopt internal policies, such as regular privacy training and written security protocols, to align with the U.S. Department of Health and Human Services (HHS) guidelines. HHS emphasizes the Minimum Necessary Standard, requiring practices to use only the data essential for a task. For chiropractors, this might mean disabling location tracking in apps unless it’s critical for service delivery.
Lessons from the Healthcare Landscape
Chiropractors aren’t navigating this alone. Other healthcare sectors offer valuable blueprints. Dental practices, for instance, have grappled with similar requirements under the California Consumer Privacy Act (CCPA), revamping how they collect and store patient data. A dental group in San Francisco rolled out a patient portal that allows individuals to view and manage their information, a model that could work for chiropractic clinics. Physical therapy offices, meanwhile, have turned to compliance consultants to audit their systems, ensuring no location data is mishandled.
These examples point to a broader truth: compliance requires collaboration. Software vendors can provide tools, but clinics must enforce policies like staff training and data access controls. HHS underscores the importance of risk assessments to identify vulnerabilities before they become breaches. For chiropractors, this could involve reviewing how their systems handle geolocation data or confirming that Business Associate Agreements (BAAs) are signed with tech providers to ensure shared responsibility for data security.
The Cost of Non-Compliance
AB-45 doesn’t pull punches. Violations can carry fines of up to $25,000 per incident, a devastating hit for small practices. Beyond financial penalties, there’s the risk of reputational damage. A single breach (say, an unauthorized leak of appointment data) could drive patients away. The law’s private right of action amplifies this threat, empowering individuals to sue for violations, which could spiral into costly legal battles.
Getting compliant isn’t simple. Many chiropractic offices operate on razor-thin margins, making it tough to fund system upgrades or hire experts. Training staff on new privacy protocols pulls time from patient care, and retrofitting older systems to meet modern standards can be a technical nightmare. Yet HHS is clear: skipping these steps isn’t an option. Practices must adhere to HIPAA’s Security Rule, which mandates administrative, physical, and technical safeguards, and report any breaches within 60 days to affected individuals.
Turning Challenges into Strengths
Yet within these challenges lies opportunity. By prioritizing data security, chiropractic clinics can differentiate themselves in a crowded market. A practice that promotes its privacy measures (clear consent processes, secure online access) builds trust, a currency as valuable as any. In an age of headline-grabbing data breaches, patients gravitate toward providers who prioritize their safety.
Compliant technology also boosts efficiency. Advanced practice management systems, like those from TrackStat, offer features like automated audits and real-time privacy updates, reducing administrative burdens. Staff can spend less time on paperwork and more on patient care. Loyal patients, confident in a clinic’s data practices, are more likely to return, driving retention and referrals.
A Call to Action
California’s new privacy law is a clarion call for chiropractic offices: protecting patient data is no longer optional; it’s a mandate. The path to compliance (upgrading systems, training staff, conducting audits) may seem steep, but it’s also a chance to redefine how practices operate. By embracing HIPAA-compliant tools and fostering a culture of privacy, chiropractors can turn a regulatory burden into a mark of excellence. This isn’t legal advice, but a reminder: consult compliance professionals, review your systems, and act now. In a world where data is both power and vulnerability, safeguarding it is not just the law; it’s the foundation of trust.
Frequently Asked Questions
What is California’s Assembly Bill 45 and how does it affect chiropractic offices?
Assembly Bill 45, signed into law on September 26, 2025, and effective January 1, 2026, strengthens privacy protections for health data collected near healthcare facilities, including chiropractic clinics. The law restricts the collection and use of precise geolocation data around these sites and prohibits geofencing practices that target ads or track individuals near healthcare centers. Chiropractors must ensure their practice management systems and digital tools comply with these new restrictions or face fines up to $25,000 per violation, plus potential lawsuits from patients under the law’s private right of action.
How can chiropractic practices ensure HIPAA and AB-45 compliance for patient data?
Practices should upgrade their systems with end-to-end encryption for patient communications, implement secure patient portals, and ensure automated consent tracking. It’s essential to conduct regular risk assessments, provide staff training on privacy protocols, and sign Business Associate Agreements (BAAs) with technology vendors to establish shared responsibility for data security. Chiropractors should also follow HHS guidelines, including the Minimum Necessary Standard, which requires using only the data essential for service delivery and disabling unnecessary location tracking features.
What are the costs and consequences of non-compliance with California’s new health privacy law?
Non-compliance can result in fines of up to $25,000 per incident, which can be devastating for small chiropractic practices operating on tight margins. Beyond financial penalties, violations risk significant reputational damage: a single unauthorized data leak could erode patient trust and drive clients away. The law’s private right of action allows individuals to sue for violations, potentially leading to costly legal battles, while HHS requires practices to report breaches within 60 days to affected patients, further exposing non-compliant clinics to scrutiny.
Disclaimer: The above helpful resources content contains personal opinions and experiences. The information provided is for general knowledge and does not constitute professional advice.