Existing law, the Confidentiality of Medical Information Act (CMIA) , generally prohibits a provider of health care, a health care service plan, or a contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, unless a specified exception applies. Existing law makes a violation of the CMIA that results in economic loss or personal injury to a patient punishable as a misdemeanor. Existing law requires specified businesses that electronically store or maintain medical information on the provision of sensitive services on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer to develop capabilities, policies, and procedures, on or before July 1, 2024, to enable certain security features, including limiting user access privileges and segregating medical information related to gender affirming care, abortion and abortion-related services, and contraception, as specified.
This bill would also require those specified businesses to enable the above-specified capabilities, policies, and procedures for those security features, as specified. Because the bill would expand the scope of an existing crime, it would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.

Statutes affected:
AB 2448: 56.101 CIV
02/20/26 - Introduced: 56.101 CIV