Medical information: confidentiality.
AB 2448 tightens CMIA protections by requiring stricter access controls, segregation of sensitive data (gender-affirming care, abortion, contraception), cross-state restrictions, a
AB 2448 tightens CMIA protections by requiring stricter access controls, segregation of sensitive data (gender-affirming care, abortion, contraception), cross-state restrictions, a
Proposed by: Assembly Members Berman and Bauer-Kahan
Co-sponsors: Marc Berman, Rebecca Bauer-Kahan
Jurisdiction: California
Bill number: AB 2448
Session: 2025–2026 Regular Session
Status: Introduced February 20, 2026; actions listed through April 2026 (passage from committee and re-refer to a policy committee, etc.)
Purpose and intent
- The bill amends the Confidentiality of Medical Information Act (CMIA) to strengthen protections surrounding medical information held by providers, plans, pharmaceutical companies, contractors, and related entities.
- It expands the requirements for secure handling, storage, and access to electronic medical information (EMR/EHR), with a particular emphasis on sensitive categories of information (gender-affirming care, abortion and abortion-related services, and contraception).
Key provisions and changes
1. Confidentiality duties for medical information (Civil Code 56.101)
- Broadly reiterates that any entity that creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information must do so in a manner that preserves confidentiality.
- Negligence in handling medical information remains subject to remedies and penalties under CMIA (consistent with existing law).
Electronic records integrity and access logging
Enhanced security for sensitive services (new or expanded CMIA safeguards)
Definitions and scope
Local government and fiscal notes
Potential impact and who is affected
- Affects providers of health care, health care service plans, pharmaceutical companies, contractors, and employers that electronically store or maintain medical information (especially sensitive data linked to gender-affirming care, abortion, and contraception).
- Strengthens data security, access controls, and logging for EMR/EHR systems.
- Requires segregation and cross-state access controls for sensitive information, potentially complicating data sharing across state lines.
- Increases accountability for data handling by mandating automatic change logs and identity-traceability for edits to medical records.
- Local costs considerations: The bill is structured to not require reimbursement for local agencies for the mandated costs, per the act’s fiscal note guidance.
Timeline and procedural notes
- Original CMIA security provisions had a July 1, 2024 deadline for certain capabilities; AB 2448 reinforces and elaborates those requirements.
- Action history shows committee referrals and passage steps in early 2026, with re-referral to the Police and Community (P. & C.P.) Committee and to a policy committee (Health and P. & C.P.), reflecting ongoing legislative processing.
Bottom line
AB 2448 aims to tighten confidentiality and increase security for medical information, with a focus on sensitive services. It requires stricter access controls, segregation, cross-state access limitations, and robust auditing for EMR/EMR systems, improving patient privacy protections in California’s medical information framework.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.