Last week, California Governor Gavin Newsom signed a package of legislation intended to strengthen the state’s shield laws, which provide protections to patients receiving and providers rendering reproductive health services, including abortions, in the state. Among other protections in a series of bills, the legislation amends the state’s privacy law governing medical information, the Confidentiality of Medical Information Act (CMIA),1 to require new entity types—specifically reproductive health apps—to comply with the CMIA and prohibit providers from disclosing certain reproductive health information through electronic platforms.
Specifically, on September 27, Governor Newsom signed AB 254 and AB 352, both of which amend the CMIA. AB 254 expands the applicability of CMIA by revising the CMIA’s definition of “medical information” to include “reproductive or sexual health application information.” This information consists of data on “a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service,” that is collected from a consumer by a mobile app or website that facilitates reproductive or sexual health services to a consumer, and uses such information to market their services to a consumer. Businesses that offer these apps or websites will become subject to the CMIA and may only disclose medical information they receive in accordance with the CMIA, which mirrors much of, but is in some cases more restrictive than, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
AB 352 requires electronic health record (EHR) systems that store information on behalf of providers and other organizations subject to the CMIA to adopt additional restrictions regarding medical information that is related to gender-affirming care, abortion and abortion-related services, and contraception. Among other requirements, by July 1, 2024, these EHR systems will have to segregate such information from other data and prevent the information from being sent out of state. Similarly, providers and other organizations subject to the CMIA will be prohibited from sharing abortion-related (and other protected) medical information with a person in another state via an EHR or a health information exchange, except under narrow circumstances. Those exceptions include cases where the patient has signed an authorization that specifies that abortion-related information may be disclosed, where the data is being disclosed for payment purposes, or for certain bona fide research.
These laws represent a significant tightening of restrictions on the use and disclosure of reproductive health data. They restrict the disclosure of such data not only in the context of civil or criminal actions, but also in cases where the person seeking the data is an out-of-state provider that treats the patient. On one hand, these laws close certain loopholes in existing shield laws that could enable out-of-state enforcement agency access to abortion-related data from an out-of-state provider who had this data in the EHR system due to interoperable data exchange. On the other hand, the law may be challenging to implement, as most providers and EHR vendors have been working to improve interoperability, as the federal government has emphasized the need to improve interoperability of data through the establishment of national health exchanges and enforcement of the Information Blocking Rule. Providers and health exchanges will be permitted to comply with the new CMIA requirements and the Information Blocking Rule, as the Information Blocking Rule provides an exception to its prohibitions to allow providers, EHRs and exchanges to refuse to disclose and deny access when such disclosure or access is required by law. (For more information on the Information Blocking Rule, see our previous articles Information Blocking Penalties to Take Effect September 1 and Health IT Organizations Soon to Face Enforcement Under Final OIG Information Blocking Rule. For more information on CMIA and health app provider obligations, see our previous article Health App Providers May Have Confidentiality Obligations Under State Law. To see key findings from our survey of all state shield laws passed in recent years, see our previous article State Abortion Shield Laws: Key Findings and Infographic.)
California follows other state efforts—such as those in Maryland and Washington—to adopt additional protections for reproductive health data. AB 352 is similar to a Maryland law enacted earlier this year, which becomes effective on December 1, 2023, that generally prohibits health information exchanges and electronic health networks from disclosing information related to abortion care unless to a specific treating provider and at the written request of the patient.2
Under the new laws signed by Governor Newsom, California health care providers will also enjoy increased protections. Specifically:
- AB 1707 will protect providers, including physician assistants (who have completed special training and who may now perform abortions by aspirations without the presence of a supervised physician3) and facilities, from state licensing actions against them based on the enforcement of hostile laws in other states, following in the footsteps of a number of other state shield laws; and
- AB 571 will prohibit the denial of malpractice insurance to a provider on the basis of the provider offering abortion, contraception or gender-affirming care that is lawful in California but unlawful in another state.
1 California Civil Code §§56 et seq.
2 MD. CODE, HEALTH – GEN., § 4-302.5; MD. CODE, HEALTH – GEN., § 4-305(b)(11)(vii).
3 California Business & Professions Code 3502.4 and 3527.5.