On September 27, 2023, Governor Newsom signed AB 254 and AB 352, which both amend the California Confidentiality of Medical Information Act (“CMIA”). Specifically, AB 254 expands the scope of the CMIA to expressly cover reproductive or sexual health services that are delivered through digital health solutions and the associated health information generated from these services. AB 352 imposes new requirements on how electronic health record (“EHR”) systems must store medical information related to gender affirming care, abortion and related services, and contraception, and on the ability of providers of health care, health care service plans, contractors, or employers to disclose such information.
AB 254 amends the definition of “medical information” to include “reproductive or sexual health information,” defined as “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.” “Reproductive or sexual health digital service” is in turn defined to mean “a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.”
In addition to expanding the scope of “medical information,” AB 254 also states that “any business that offers a reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual” shall be deemed a “provider of health care” for purposes of the CMIA.
AB 352 requires that a business that electronically stores or maintains medical information on the provision of sensitive services on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer (e.g., an EHR system), develop capabilities, policies and procedures, on or before July 1, 2024, to limit access to, prevent disclosure of, and segregate medical information related to gender affirming care, abortion and related services, and contraception.
Further, AB 352 prohibits a provider of health care, health care service plan, contractor, or employer from:
- Releasing medical information related to an individual seeking or obtaining an abortion in response to a subpoena or request if that subpoena or request is based on another state’s laws that interfere with California’s Reproductive Privacy Act;
- Cooperating with an inquiry or investigation or otherwise providing medical information to an individual, agency, or department from another state (or to a federal agency, to the extent permitted by federal law) that would identify an individual and is related to an individual seeking or obtaining an abortion or related services; and
- “Knowingly” disclosing or otherwise transmitting medical information in an EHR system or through a health information exchange that would identify an individual and that is related to an individual “seeking, obtaining, providing, supporting, or aiding” a lawful abortion to out-of-state individuals or entities, subject to exceptions.
AB 352 also clarifies that a provider of health care will not be subject to liability for damages or to civil or enforcement actions, for failure to meet the requirements of this section before January 31, 2026, if the provider of health care is working diligently and in good faith to come into compliance with this section.