In Brief

Various players in the health care industry are or will soon be subject to new requirements relating to sexual and reproductive health data under a pair of bills passed last year amending the California Confidentiality of Medical Information Act (the “CMIA”). Many of the central provisions of bills AB 254 and AB 352, which were both signed into law by Governor Gavin Newsom in September 2023, came into effect on January 1, 2024. Additional provisions are scheduled to come into effect on July 1, 2024.

Background

The CMIA, enacted in 1981 well before the recent crop of privacy legislation, places restrictions on the use, disclosure and maintenance of “medical information.” The CMIA defines “medical information” broadly to mean “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment.”

The CMIA prohibits health care providers, health care service plans, and contractors from disclosing medical information about their patients and enrollees without their authorization, subject to exceptions. The CMIA also imposes certain requirements on the creation, maintenance and destruction of medical information, intended to ensure such information is properly secured.

Although the CMIA is sometimes overlooked in the constellation of California privacy laws, it has attracted renewed attention from California lawmakers in the wake of the Supreme Court’s Dobbs decision and public debates regarding access to gender-affirming care. These amendments to the CMIA purport to strengthen privacy protections for individuals seeking these health services.

AB 254: Expanding CMIA’s Scope

AB 254 expands the definition of “medical information” to include “reproductive or sexual health application information.” AB 254 further defines “reproductive or sexual health application information” to mean “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.” The amendments also expand the list of who is regulated under the CMIA, specifying that “any business that offers a reproductive or sexual health digital service to a consumer” is deemed to be a provider of health care subject to CMIA requirements.

These changes effectively confirm that CMIA restrictions and requirements apply to uses of reproductive and sexual health information, including by digital services such as apps. Entities that now find themselves within the scope of the CMIA will need to put processes into place to ensure that they comply with CMIA rules on the unauthorized disclosure of medical information, as well as its information governance requirements.

AB 352: New Restrictions on Sensitive Health Data

AB 352 amends the CMIA to introduce new requirements on businesses that electronically store or maintain “medical information on the provision of sensitive services,” which in turn are defined as “health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence[.]”

These new requirements include developing capabilities to enable all of the following on or before July 1, 2024:

  • Limiting access privileges to medical information relating to gender affirming care, abortion and abortion-related services, and contraception only to authorized individuals
  • Preventing the disclosure, access, transfer, transmission, or processing of such information to individuals and entities outside California
  • Segregating these types of medical information from other parts of a patient’s medical record
  • Providing the ability to automatically disable access to this information from those in other states

The AB 352 amendments also prohibit health care providers and service plans from cooperating with inquiries or providing information to other states’ or federal agencies that identify an individual and relate to their seeking of or obtaining an abortion or related services. The amendments provide an exception for cooperating with investigations of activities that are illegal under California criminal law.

Next Steps

The new provisions introduced by both AB 254 and AB 352 add to a constantly expanding landscape of health data mandates. Businesses should start preparing for the changes, if they have not already, by determining whether the changes to the CMIA bring them within the ambit of the law. Organizations subject to the new requirements should review their organizational and technical data management processes to determine if they are in a position to implement the new requirements, such as the mandatory segregation of reproductive health data.
Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Michelle is an associate in Baker McKenzie's International Commercial practice group based in San Francisco.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.