California Civil Code 56.101
(a) Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.
(b) (1) An electronic health record system or electronic medical record system shall do all of the following:
(A) Protect and preserve the integrity of electronic medical information.
(B) Automatically record and preserve any change or deletion of any electronically stored medical information. The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.
(2) A patient’s right to access or receive a copy of the patient’s electronic medical records upon request shall be consistent with applicable state and federal laws governing patient access to, and the use and disclosures of, medical information.
(c) (1) A business, as described in Section 56.06, that electronically stores or maintains medical information on the provision of sensitive services, including, but not limited to, on an electronic health record system or electronic medical record system, on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer, shall develop capabilities, policies, and procedures, on or before July 1, 2024, to enable all of the following:
(A) Limit user access privileges to information systems that contain medical information related to gender affirming care, abortion and abortion-related services, and contraception only to those persons who are authorized to access specified medical information.
(B) Prevent the disclosure, access, transfer, transmission, or processing of medical information related to gender affirming care, abortion and abortion-related services, and contraception to persons and entities outside of this state in accordance with this part.
(C) Segregate medical information related to gender affirming care, abortion and abortion-related services, and contraception from the rest of the patient’s record.
(D) Provide the ability to automatically disable access to segregated medical information related to gender affirming care, abortion and abortion-related services, and contraception by individuals and entities in another state.
(2) Any fees charged to providers of health care, health care service plans, pharmaceutical company, contractors, employers, or patients to comply with this subdivision shall be consistent with Section 171.302 of Title 45 of the Code of Federal Regulations.
(3) For the purposes of this subdivision, “gender affirming care” means gender affirming health care and gender affirming mental health care as defined in subdivision (b) of Section 16010.2 of the Welfare and Institutions Code.
(4) This subdivision does not apply to a provider of health care, as defined in Section 56.05.
(d) This section shall apply to an “electronic medical record” or “electronic health record” that meets the definition of “electronic health record,” as that term is defined in Section 17921(5) of Title 42 of the United States Code.
(Amended by Stats. 2023, Ch. 255, Sec. 1. (AB 352) Effective January 1, 2024.)