California Attorney General's Office
06/26/2024 | Press release | Distributed by Public on 06/26/2024 15:19
Attorney General Bonta Reminds Pharmacies and Health Data Companies of Their Obligations Under New California Law Governing Protected Health Information
New law prevents information regarding reproductive healthcare from being shared out-of-state
OAKLAND - California Attorney General Rob Bonta today sent letters to eight major pharmacy chains (CVS Health, Walgreen Company, Cigna, Optum Rx, Walmart Stores, The Kroger Company, Rite Aid Corporation, and Amazon Pharmacy), as well as five health data companies (Airtable, Jotform, Spruce Health, TigerConnect, and Epic). The letters remind the companies of their obligations to comply with California's Confidentiality of Medical Information Act (CMIA), including new requirements under Assembly Bill (AB 352) (Bauer-Kahan) to provide certain additional protections, including limiting access to information related to patients' reproductive health or gender-affirming care. The letters to the pharmacies also remind them of their obligations under California law not to disclose individuals' medical information to law enforcement without a warrant in most circumstances.
AB 352, which will go fully into effect on July 1, 2024, strengthens CMIA by generally prohibiting pharmacies and health data companies from providing information related to a patient's abortion to anyone from another state unless authorized by the patient or an exception in CMIA. AB 352 also requires these entities to enable data security features to segregate and protect health information related to abortion, contraception, and gender-affirming care so that it is not readily accessible across state lines.
"Protecting patient information is now more imperative than ever, especially since the repeal of Roe v. Wade," said Attorney General Bonta. "Pharmacies and health data companies statewide must safeguard the privacy and confidentiality of all medical records, including those related to abortion care. Today's letters remind these companies of their obligation to comply with California law. In California, we protect information regarding reproductive healthcare for patients wherever they may live."
Last year, the United States Senate Committee on Finance revealed that major pharmacy chains were failing to fully protect the privacy of their patients. The findings indicated that these pharmacy chains were disclosing protected health information (PHI) to law enforcement without a warrant, and often without notifying patients that their PHI was disclosed.
While this practice did not necessarily violate federal privacy laws, California's CMIA has more stringent protections. It prohibits pharmacies and other healthcare companies from providing patient medical information to most law enforcement without a warrant or prior patient authorization. And under AB 352's expanded protections, reproductive health information must be better protected to maintain the privacy of Californians and those individuals traveling to California to receive abortion and other reproductive health or gender-affirming care.
In today's letter, the Attorney General requests these eight major pharmacy chains and five data health businesses to provide information regarding their compliance with CMIA and the new requirements of AB 352.