On September 27, 2023, Assembly Bill 352 on Health information was signed by the California Governor and became law.

Scope

The Act outlines requirements for businesses that electronically store or maintain medical information on the provision of sensitive services on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer to develop capabilities, policies, and procedures.

Key requirements

The Act stipulates that covered businesses, in specific circumstances, must develop capabilities, policies, and procedures, on or before July 1, 2024, to, among other things:

• limit user access privileges to information systems that contain medical information related to sensitive services only to those persons who are authorized to access specified medical information;
• prevent the disclosure, access, transfer, transmission, or processing of medical information related to sensitive services to persons and entities outside of California;
• segregate medical information related to sensitive services from the rest of the patient's record; and
• provide the ability to automatically disable access to segregated medical information related to sensitive services by individuals and entities in another state.

Furthermore, the Act establishes specific rules around the disclosure, transmission, transfer, sharing, or granting of access to medical information that would identify an individual in relation to abortion.

You can read the Act here and view its history here.