WeVote

Bill

Bill

AB 2448

Medical information: confidentiality.

2025-2026 Regular Session Introduced by Cecilia Aguiar-Curry and 2 co-sponsors

AB 2448 tightens CMIA protections by requiring stricter access controls, segregation of sensitive data (gender-affirming care, abortion, contraception), cross-state restrictions, a

From committee: Do pass and re-refer to Com. on APPR. (Ayes 8. Noes 1.) (July 1). Re-referred to Com. on APPR.
0
WeVote Research Nonpartisan
Bill Summary · AB 2448

Summary of AB 2448 (2025-2026) – Medical information: confidentiality

Proposed by: Assembly Members Berman and Bauer-Kahan
Co-sponsors: Marc Berman, Rebecca Bauer-Kahan

Jurisdiction: California

Bill number: AB 2448
Session: 2025–2026 Regular Session

Status: Introduced February 20, 2026; actions listed through April 2026 (passage from committee and re-refer to a policy committee, etc.)

Purpose and intent
- The bill amends the Confidentiality of Medical Information Act (CMIA) to strengthen protections surrounding medical information held by providers, plans, pharmaceutical companies, contractors, and related entities.
- It expands the requirements for secure handling, storage, and access to electronic medical information (EMR/EHR), with a particular emphasis on sensitive categories of information (gender-affirming care, abortion and abortion-related services, and contraception).

Key provisions and changes
1. Confidentiality duties for medical information (Civil Code 56.101)
- Broadly reiterates that any entity that creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information must do so in a manner that preserves confidentiality.
- Negligence in handling medical information remains subject to remedies and penalties under CMIA (consistent with existing law).

  1. Electronic records integrity and access logging

    • Electronic health record (EHR) or electronic medical record (EMR) systems must:
      • Protect and preserve the integrity of electronic medical information.
      • Automatically record and preserve any change or deletion, including the identity of the user who accessed or changed the information, plus date/time and nature of the change.
    • Patients retain rights to access or obtain copies of their EMR/ER as permitted by state and federal law.
  2. Enhanced security for sensitive services (new or expanded CMIA safeguards)

    • Applies to a defined class of “businesses” that electronically store or maintain medical information on sensitive services on behalf of covered entities (providers, health plans, pharmaceutical companies, contractors, or employers).
    • By July 1, 2024 (existing obligation in CMIA framework; this bill explicitly extends/maintains it), these entities must implement capabilities, policies, and procedures to:
      • Limit user access privileges to information systems containing medical information related to gender-affirming care, abortion and abortion-related services, and contraception to authorized personnel only.
      • Prevent disclosure, access, transfer, transmission, or processing of such information to persons/entities outside of California unless compliant with CMIA.
      • Segregate gender-affirming, abortion-related, and contraception information from the rest of the patient’s record.
      • Automatically disable access to segregated information by individuals/entities located in other states.
    • Fees for compliance must be consistent with applicable federal regulations (specifically 45 C.F.R. § 171.302).
  3. Definitions and scope

    • “Gender-affirming care” includes gender-affirming health care and mental health care as defined by relevant Welfare and Institutions Code provisions.
    • The security provisions apply to EMR/EHR formats that meet federal definitions of electronic health records.
  4. Local government and fiscal notes

    • The bill states that there is no state reimbursement required for local agencies or school districts for costs mandated by the bill, as it falls under scenarios where costs arise from changes to crime definitions or penalties (per Government Code 17556 and related constitutional provisions).

Potential impact and who is affected
- Affects providers of health care, health care service plans, pharmaceutical companies, contractors, and employers that electronically store or maintain medical information (especially sensitive data linked to gender-affirming care, abortion, and contraception).
- Strengthens data security, access controls, and logging for EMR/EHR systems.
- Requires segregation and cross-state access controls for sensitive information, potentially complicating data sharing across state lines.
- Increases accountability for data handling by mandating automatic change logs and identity-traceability for edits to medical records.
- Local costs considerations: The bill is structured to not require reimbursement for local agencies for the mandated costs, per the act’s fiscal note guidance.

Timeline and procedural notes
- Original CMIA security provisions had a July 1, 2024 deadline for certain capabilities; AB 2448 reinforces and elaborates those requirements.
- Action history shows committee referrals and passage steps in early 2026, with re-referral to the Police and Community (P. & C.P.) Committee and to a policy committee (Health and P. & C.P.), reflecting ongoing legislative processing.

Bottom line
AB 2448 aims to tighten confidentiality and increase security for medical information, with a focus on sensitive services. It requires stricter access controls, segregation, cross-state access limitations, and robust auditing for EMR/EMR systems, improving patient privacy protections in California’s medical information framework.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.