New California Law Governs Protected Health Information

A new law prevents information regarding reproductive healthcare from being shared out-of-state.

The State of California recently sent letters to eight major pharmacy chains as well as five health data companies, reminding the companies of their obligations to comply with California’s Confidentiality of Medical Information Act (CMIA), including new requirements under Assembly Bill (AB 352) (Bauer-Kahan) to provide certain additional protections, including limiting access to information related to patients’ reproductive health or gender-affirming care.

The letters to the pharmacies also remind them of their obligations under California law not to disclose individuals’ medical information to law enforcement without a warrant in most circumstances.

AB 352, which went into effect on July 1, 2024, strengthens CMIA by generally prohibiting pharmacies and health data companies from providing information related to a patient’s abortion to anyone from another state unless authorized by the patient or an exception in CMIA. AB 352 also requires these entities to enable data security features to segregate and protect health information related to abortion, contraception and gender-affirming care so that it is not readily accessible across state lines.

“Protecting patient information is now more imperative than ever, especially since the repeal of Roe v. Wade,” said Attorney General Rob Bonta. “Pharmacies and health data companies statewide must safeguard the privacy and confidentiality of all medical records, including those related to abortion care. letters remind these companies of their obligation to comply with California law. In California, we protect information regarding reproductive healthcare for patients wherever they may live.”

Last year, the United States Senate Committee on Finance revealed that major pharmacy chains were failing to fully protect the privacy of their patients. The findings indicated that these pharmacy chains were disclosing protected health information (PHI) to law enforcement without a warrant and often without notifying patients that their PHI was disclosed.

While this practice did not necessarily violate federal privacy laws, California’s CMIA has more stringent protections. It prohibits pharmacies and other healthcare companies from providing patient medical information to most law enforcement without a warrant or prior patient authorization. And under AB 352’s expanded protections, reproductive health information must be better protected to maintain the privacy of Californians and those individuals traveling to California to receive abortion and other reproductive health or gender-affirming care.

In the letter, the Attorney General requests the eight major pharmacy chains and five data health businesses to provide information regarding their compliance with CMIA and the new requirements of AB 352.