​Effective January 1, 2024, all health care providers are prohibited from knowingly disclosing, transmitting, transferring, sharing, or granting access to medical information in an electronic health records (EHR) system or through a health information exchange that would identify an individual and that is related to an individual seeking, obtaining, providing, supporting, or aiding in the performance of an abortion that is lawful under the laws of this state to any individual or entity from another state, unless the facility has received a valid authorization pursuant to the CMIA.

Businesses that electronically store or maintain medical information on behalf of a health care provider regarding the provision of sensitive services must, on or before July 1, 2024, develop capabilities, policies, and procedures to enable certain security features, including limiting user access privileges and segregating medical information related to gender affirming care, abortion and abortion-related services, and contraception from the rest of the patient's record.

Information Release Authorizations

AB 352 amends the CMIA to allow the release of medical information if the health care provider receives any of the following authorizations:

• A valid, written authorization pursuant to Civil Code section 56.11 that clearly states that medical information on abortion or abortion-related services may be disclosed, and only to the extent and for the purposes expressly stated in the authorization.
• An authorization pursuant to Civil Code section 56.10 to the extent necessary to allow responsibility for payment to be determined and payment to be made, or to the extent that it is not further disclosed by the recipient in a way that would violate the CMIA.
• An authorization for purposes of accreditation or the review of the competence or qualifications of a health care professional.
• An authorization for purposes of reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges.
• An authorization for purposes of bona fide research.
  

The content of the health records containing medical information relating to an individual seeking, obtaining, providing, supporting, or aiding in the performance of an abortion that is lawful under the laws of this state also must be disclosed to any of the following persons or entities:

• A patient or their personal representative, consistent with the Patient Access to Health Records Act (Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code).
• In response to an order of a California or federal court, but only to the extent clearly stated in the order and consistent with Penal Code section 1543, if applicable, and only if all information about the patient's identity and records are protected from public scrutiny through mechanisms, including, but not limited to, a sealed proceeding or court record.
• When expressly required by a federal law that preempts California law, but only to the extent expressly required.
  

Legal Inquiries from Other States or the Federal Government

A health care provider is not prohibited from cooperating or complying with the investigation of an activity punishable as a crime under California law if it took place in California.

However, a health care provider is prohibited from providing medical information to, or otherwise cooperating with any inquiry or investigation by an individual, agency, or department from another state or, to the extent permitted by federal law, to a federal law enforcement agency that would identify an individual or that is related to an individual seeking or obtaining an abortion or abortion-related services that are lawful under the laws of this state, unless the request for medical information is authorized in accordance with specified existing provisions of law.

The bill exempts a health care provider from liability for damages or from civil or enforcement actions relating to cooperating with, or providing medical information to, another state or a federal law enforcement agency before January 31, 2026, if the provider of health care is working diligently and in good faith to comply with the prohibition.

CDPH's failure to expressly notify facilities of statutory or regulatory requirements does not relieve facilities of their responsibility for following all laws and regulations. Facilities should refer to the full text of all applicable sections of the Civil Code, the Health and Safety Code, and the California Code of Regulations to ensure compliance.

If you have any questions or concerns regarding this AFL, please contact the Medical Breach Enforcement Section at 279-667-1990.

Sincerely,

 ​Original signed by Cassie Dunham

Cassie Dunham

Deputy Director