California Attorney General Rob Bonta has issued letters to eight major pharmacy chains and five health data companies, reminding them of their obligations under the state's Confidentiality of Medical Information Act (CMIA) and new requirements introduced by Assembly Bill 352 (AB 352). The legislation, which takes full effect on July 1, 2024, mandates additional protections for patient information related to reproductive health and gender-affirming care.
The letters were sent to CVS Health, Walgreen Company, Cigna, Optum Rx, Walmart Stores, The Kroger Company, Rite Aid Corporation, Amazon Pharmacy, Airtable, Jotform, Spruce Health, TigerConnect, and Epic. These communications emphasize the need for compliance with CMIA's provisions that generally prohibit sharing patient information about abortions with out-of-state entities unless authorized by the patient or an exception applies.
"Protecting patient information is now more imperative than ever," said Attorney General Bonta. "Pharmacies and health data companies statewide must safeguard the privacy and confidentiality of all medical records, including those related to abortion care. Today’s letters remind these companies of their obligation to comply with California law."
The new law requires pharmacies and health data companies to enable data security features that segregate and protect sensitive health information so it is not easily accessible across state lines. This move follows findings from the United States Senate Committee on Finance indicating that major pharmacy chains were disclosing protected health information (PHI) to law enforcement without a warrant or notifying patients.
While such practices may not violate federal privacy laws, California's CMIA imposes stricter protections against disclosing patient medical information without a warrant or prior authorization from the patient. AB 352 further strengthens these protections by ensuring reproductive health information remains private.
Attorney General Bonta's letter requests detailed compliance reports from the addressed pharmacy chains and health data businesses regarding adherence to CMIA and AB 352 requirements.