AB1843 designates public health records that contain personally identifying information about hepatitis B and hepatitis C as confidential and restricts disclosure absent written consent or a statutory exception. The bill gives local health officers explicit authority to request and receive identifiable hepatitis B/C records from health care providers and facilities without the patient’s written consent when necessary for case investigation, linkage to care, or reengagement in treatment, and allows subsequent disclosures to the infected person or their treating hepatitis provider for proactive care coordination.
The measure also sets strict limits on what may be disclosed (only the information necessary for the purpose), requires recipients to keep the information confidential, and creates a layered enforcement regime: civil penalties for negligent and willful disclosures (statutory ranges), potential misdemeanor liability if a disclosure causes economic, bodily, or psychological harm, and a private right to recover actual damages. The bill will force local health agencies and providers to update data-sharing practices, privacy agreements, and compliance controls.
At a Glance
What It Does
Declares identifiable hepatitis B and C public health records confidential, allows local health officers to request and disclose identifiable information without written patient consent for case investigation and linkage to care, and limits downstream use and redisclosure. It imposes civil penalties and possible misdemeanor liability for unauthorized disclosures and authorizes victims to recover damages.
Who It Affects
Local health departments and their officers, hospitals and clinics that maintain hepatitis B/C records, treating hepatitis providers, and people diagnosed with hepatitis B or C whose records are held by public health agencies. Compliance officers and privacy officers will need to rework data-sharing agreements and minimum-necessary practices.
Why It Matters
The bill narrows permissible sharing of HIV-like public health data while explicitly carving out a public-health exception for active case work and care coordination. It creates statutory monetary and criminal consequences for disclosure mistakes, changing the legal and operational risk profile for agencies and providers handling hepatitis data.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB1843 makes personally identifying public health records for hepatitis B and hepatitis C confidential by default and then draws a narrow, operational pathway for public-health action. Under the bill, a patient’s written consent is the baseline for disclosure, but a local health officer may bypass that consent when they need identifiable information from a provider or facility for case investigation, to link a person into care, or to reengage someone who has fallen out of treatment.
That exception is explicitly limited to what the officer needs to accomplish those public-health tasks.
Once a local health officer obtains identifiable information, the bill permits further disclosure of that information to two categories of recipients: the person who tested positive and the provider who delivers their hepatitis care. Those downstream recipients must treat the information as confidential and may not further disclose it except as required by law or with the patient’s written authorization.
The statute requires that any disclosure include only the information necessary for the stated purpose and be made upon agreement that the recipient will maintain confidentiality.AB1843 creates a layered enforcement regime. Negligent disclosures carry civil penalties up to $5,000; willful or malicious disclosures carry penalties between $5,000 and $25,000; and any negligent, willful, or malicious disclosure that results in economic, bodily, or psychological harm can be prosecuted as a misdemeanor with a jail term of up to one year or a fine up to $25,000 (or both).
Victims may collect court costs and actual damages, each violation is a separate actionable offense, and the statute expressly preserves other legal remedies.
The Five Things You Need to Know
The bill makes personally identifying hepatitis B and C public health records confidential by default and ties disclosure to written consent unless an explicit statutory exception applies.
A local health officer may request and receive identifiable hepatitis records from providers or facilities without written patient consent for case investigation, linkage to care, or reengagement in treatment.
Disclosures to the infected person or their treating hepatitis provider are allowed for proactive care coordination, but recipients must keep the information confidential and may not further disclose it except as required by law or with the patient’s written consent.
Civil penalties: negligent disclosure—up to $5,000; willful/malicious disclosure—$5,000–$25,000; penalties and court costs are payable to the person whose record was disclosed.
If a disclosure causes economic, bodily, or psychological harm, the actor may be guilty of a misdemeanor (up to one year jail and/or up to $25,000 fine), and the injured person may recover actual damages; each violation is separately actionable.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Baseline confidentiality for hepatitis B and C public health records
This provision establishes that public health records containing personally identifying information about hepatitis B and C are confidential and may not be disclosed except with written consent or as otherwise authorized by law. Practically, agencies must treat these records like other protected public-health data and build consent workflows and access controls to prevent routine disclosure.
Local health officer authority to obtain identifiable records without consent
Subdivision (b) authorizes local health officers to request and receive personally identifying information from a person’s health care provider or facility without written consent—but only as necessary for case investigation, linkage to care, or reengagement in treatment. This is an operational carve-out: it allows public-health action that uses identifiable data while limiting the statutory basis to narrow public-health functions, rather than broader surveillance or research activities.
Permitted downstream disclosures to patient and treating provider
After a local health officer obtains identifiable information, subdivision (c) permits further disclosure to the individual who tested positive or to the provider delivering hepatitis care so the system can proactively coordinate treatment. The subdivision also expressly requires that any personally identifying information given to a provider or facility remain confidential and not be further disclosed except as required by law or with written consent—shifting a statutory confidentiality duty onto receiving providers.
Minimum-necessary rule and confidentiality agreement requirement
This section requires disclosures to be limited to only the information necessary for the stated purpose and conditions disclosure on an agreement that the recipient will keep the data confidential as outlined in subdivision (a). In effect, the bill imports a ‘minimum necessary’ standard and an implied contractual or attestation requirement for recipients, which will affect data-sharing agreements and standard operating procedures.
Enforcement: civil penalties, misdemeanor exposure, and damages
Subdivision (e) lays out escalating consequences: statutory civil penalties for negligent and willful disclosures (with specific dollar ranges), misdemeanor criminal exposure when a disclosure causes harm, court costs and payment of penalties to the injured person, and an express private right to recover actual damages. It also clarifies that each unauthorized disclosure is a separate offense and does not limit other legal remedies. This creates direct monetary exposure to both individual wrongdoers and entities that supervise access.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- People with hepatitis B or C — the bill narrows routine disclosure of personally identifying public health records and gives individuals an express statutory pathway to monetary recovery if their records are improperly disclosed, enhancing privacy protections.
- Local health officers engaged in case-investigation and care linkage — the bill gives them explicit statutory authority to obtain identifiable records without patient consent when necessary, reducing legal uncertainty for active public-health work.
- Treating hepatitis providers — by allowing targeted, limited disclosures to the provider who will deliver care, the bill facilitates proactive outreach and clinical coordination that can improve treatment initiation and retention.
Who Bears the Cost
- Local health departments — must build or revise policies, training, and agreements to implement the minimum-necessary rule and confidentiality attestations, and face increased liability exposure for disclosure errors.
- Hospitals, clinics, and other providers — will receive identifiable public-health information under the statute and therefore must strengthen confidentiality controls, update business associate or data-sharing agreements, and potentially defend against civil suits or penalties for unauthorized redisclosure.
- Small community-based organizations doing outreach — may be asked to accept identifiable information for linkage to care but could lack infrastructure to meet confidentiality requirements, exposing them to legal and financial risk.
Key Issues
The Core Tension
The bill balances two valid objectives—protecting individual privacy and enabling targeted public-health intervention—but solving one creates risk for the other: authorizing local health officers to bypass consent improves case-finding and linkage to care, yet sending identifiable records to third-party providers and organizations increases the chance of harmful leaks, legal exposure, and reluctance by some partners to participate.
The bill aims to thread the needle between enabling public-health action and protecting individual privacy, but it leaves several operational questions unanswered. It does not specify administrative procedures for how a local health officer documents ‘necessity’ when requesting identifiable records, nor does it create a state-level administrative enforcement process; enforcement appears to be private suits and court-ordered penalties, which could produce uneven application and litigation-driven clarification.
The statute also conditions downstream disclosures on an “agreement” to keep information confidential but does not define the form or enforceability of that agreement, leaving agencies and providers to negotiate what counts as sufficient safeguards.
Interaction with federal HIPAA and existing California law is another practical uncertainty. The bill references the definition of confidential public health record in Section 121035(c) but does not reconcile how statutory penalties under this bill overlap with HIPAA breach rules, mandatory notification obligations, or other state confidentiality statutes.
Finally, the statute shifts substantial compliance burdens onto recipients of identifiable information (providers, facilities, community partners) without prescribing technical or organizational safeguards, which increases the risk that smaller entities will either decline to accept data or be noncompliant without clear standards or funding for capacity building.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.