Codify — Article

California AB1979 expands CMIA definitions to cover app data, immigration status, and marketing rules

Updates to the Confidentiality of Medical Information Act widen what counts as protected medical information and introduce specific marketing, opt‑out, and digital‑service definitions that will affect apps, pharma, and providers.

The Brief

AB1979 revises Section 56.05 of the Confidentiality of Medical Information Act to add and clarify key definitions that determine what information and actors are covered by California’s medical‑privacy law. Notable additions: app‑collected mental‑health and reproductive data, immigration status, a statutory category called “sensitive services,” and a more detailed definition of “marketing” with narrow exceptions and required disclosures.

Why this matters: the bill pushes CMIA beyond traditional clinics and plans onto digital health companies, pharmaceutical communications, and other non‑traditional actors labeled as contractors or pharmaceutical companies. Practically, organizations that collect or use app‑based mental or reproductive health information — and any entity that remunerates communications to patients — will need to reassess whether that activity triggers CMIA obligations and new opt‑out and disclosure practices.

At a Glance

What It Does

AB1979 rewrites CMIA’s definitional section to treat certain digital‑app data and immigration information as ‘medical information,’ creates a statutory list of ‘sensitive services,’ and narrows what counts as permissible marketing while imposing disclosure and opt‑out mechanics for remunerated communications.

Who It Affects

Digital mental‑health and reproductive‑health apps, pharmaceutical manufacturers and marketers, health care providers and Knox‑Keene plans, contractors (as newly defined), and any entity that handles patient data that can identify immigration status.

Why It Matters

By changing the gatekeeping terms that determine CMIA coverage, the bill will shift compliance obligations onto nontraditional data collectors and change how companies design outreach, consent, and record‑keeping — with particular operational friction around marketing disclosures and app‑based services.


What This Bill Actually Does

AB1979 is not a new rights or enforcement chapter; it is a focused retooling of definitions inside the Confidentiality of Medical Information Act. Definitions matter because they mark the outer boundary of CMIA protections; this bill moves that boundary to capture information and actors that previously lived in a gray area.

The result is a broader universe of data (not just clinic records) and a longer list of actors who may be treated as stewards of medical information.

The bill explicitly makes immigration status information part of “medical information” when collected or known by providers, health plans, pharmaceutical companies, or contractors. That is a concrete expansion: immigration‑related facts — current or prior status and place of birth when held in patient files — are now within CMIA’s protective language.

The text does not itself create new reporting prohibitions, but it does change the classification of that data for any downstream disclosure analysis under CMIA.

Two new categories of digital services are defined: “mental health digital service” and “reproductive or sexual health digital service.” Both are mobile apps or websites that collect related application information from consumers, market themselves as facilitating those services, and use the collected data to facilitate care. The bill also defines the types of data those services collect as “mental health application information” or “reproductive or sexual health application information,” which the bill treats as medical information when in the possession of covered entities.

The bill tightens the scope of “marketing.” It treats as marketing communications that encourage purchase or use, but enumerates three exclusions — unpaid communications, narrowly framed notices to current enrollees about network participation or benefit coverage, and certain tailored adherence communications for people with chronic, serious conditions.

The last exclusion is conditional: those adherence communications, when paid for by a third party, are allowed only if the communication discloses the source of remuneration and provides an opt‑out in at least 14‑point type with a toll‑free number; outreach must cease within 30 calendar days after a consumer opts out. That latter set of formatting and timing rules is an operationally specific requirement that will drive changes to how paid outreach campaigns are executed.

Finally, AB1979 clarifies several actor labels — “contractor,” “pharmaceutical company,” “provider of health care,” “subscriber/enrollee,” “protected individual,” and an “expiration date or event” concept for authorizations — and creates an explicit list of “sensitive services” (mental/behavioral health, sexual and reproductive health, STI care, substance use disorder, gender‑affirming care, and intimate partner violence services, with statutory citations).

Those definitional choices will influence who must treat data as CMIA‑protected, who can rely on marketing exceptions, and how long an authorization or disclosure lasts.

The Five Things You Need to Know

1. The bill treats immigration status and place of birth, when collected by a provider, plan, pharmaceutical company, or contractor, as “medical information.” It defines ‘mental health digital service’ and ‘reproductive or sexual health digital service’ as apps or websites that collect related application information, market themselves as facilitating those services, and use the data to facilitate care — and it treats that app‑collected data as medical information.

2. ‘Marketing’ is defined as communications that encourage purchase or use, but the bill lists three exclusions, including unpaid communications and limited notices to current enrollees about network participation or benefit coverage.

3. Remunerated communications to patients about adherence for certain chronic, serious conditions remain allowed only if the communicator discloses the remuneration source in no smaller than 14‑point type, offers an opt‑out using a toll‑free number, and stops outreach within 30 days after an opt‑out.

4. The bill defines ‘contractor’ to include medical groups, IPAs, PBM‑adjacent entities, and medical service organizations, but explicitly excludes insurance institutions and PBMs licensed under Knox‑Keene from that definition, affecting which entities are governed as contractors.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 56.05(a)-(c)

Authorization, authorized recipient, and confidential communications requests

These clauses preserve CMIA’s familiar mechanics: an authorization must comply with the statutory form (cross‑referencing Sections 56.11/56.21), and the bill keeps the concept of an authorized recipient and a confidential communications request (where the enrollee designates a specific mail, email, or phone for plan communications). Practically, the confidential communications request keeps plan‑to‑member messaging tied to subscriber preferences — an operational control that plans and vendors must honor when routing notices or marketing‑adjacent communications.

Section 56.05(d),(g),(p)

Who is a contractor, health plan, and provider of health care

The bill narrows and clarifies commercial actor labels. It defines contractor to cover medical groups, IPAs, medical service organizations and explicitly excludes licensed insurance institutions and certain PBMs under Knox‑Keene. ‘Health care service plan’ is tied to Knox‑Keene licensure, and ‘provider of health care’ tracks occupational licensing statutes. Those definitions matter because CMIA duties attach differently depending on whether an entity is a plan, provider, contractor, or pharmaceutical company — so reshuffling those labels will change compliance paths and contractual duties.

Section 56.05(i)

Marketing: definition, exclusions, and conditions

The bill defines marketing as communications that encourage purchase or use, then carves out three specific exceptions: unpaid communications, limited notices to current enrollees about network participation or benefit coverage, and tailored adherence communications for patients with qualifying chronic, life‑threatening or seriously debilitating conditions. The third exception is conditional: if the communicator received direct or indirect remuneration, the message must state the payment source in at least 14‑point type, provide an opt‑out method, and stop further messages within 30 days of an opt‑out. Operationally, that string of formatting and timing rules raises practical questions about how to implement compliant emails, in‑app banners, and SMS.

Section 56.05(j)-(j)(2)

Medical information (expanded) and immigration status

‘Medical information’ remains defined as individually identifiable health data, but the bill expressly folds in immigration status and place of birth when known or collected by covered entities. That change means immigration‑related facts stored in a patient file are now CMIA‑classified data — a legal label that affects disclosure analysis and confidentiality obligations, particularly in cross‑checks with other legal duties and record‑requests.

Section 56.05(k)-(r)

Digital service and application‑data definitions for mental and reproductive health

The bill creates parallel definitions: ‘mental health application information’ and ‘reproductive or sexual health application information’ describe inferred or collected data about mental health, substance use, fertility, pregnancy, sexual activity, etc. ‘Mental health digital service’ and ‘reproductive or sexual health digital service’ are apps/websites that collect that data, market themselves as facilitating services, and use the data to facilitate care. Inclusion of both the ‘marketing’ and ‘use’ elements means that a passive tracker may escape coverage while a platform that connects consumers to care or accepts payment to promote services will likely be captured.

Section 56.05(s)-(t)

Sensitive services and protected individuals

The bill lists ‘sensitive services’ — mental/behavioral health, sexual and reproductive health, STI care, substance use disorder, gender‑affirming care, and intimate partner violence — and ties some services to specific Family Code and Health & Safety Code sections. It also clarifies ‘protected individual’ to include adults covered on a subscriber’s plan and minors who can consent under state or federal law. Those choices shape who benefits from heightened confidentiality and which services trigger extra sensitivity in handling records.

Section 56.05(u)

Immigration enforcement defined

The bill includes a stand‑alone definition of ‘immigration enforcement,’ covering efforts to investigate or assist in enforcement of federal civil and criminal immigration laws related to presence, entry, reentry, or employment. That definition is contextual: it’s a lens for interpreting data‑sharing restrictions and requests tied to immigration matters, though the statutory text itself does not create categorical immunity from lawful process.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Patients seeking sensitive services — People obtaining mental‑health, reproductive, substance use, gender‑affirming, STI, or intimate‑partner‑violence care benefit from clearer statutory recognition that those services and related data are sensitive and may receive heightened CMIA protection.
  • Immigrant patients — By labeling immigration status and place of birth as medical information when in a patient record, the bill reduces ambiguity about whether those details are subject to CMIA confidentiality rules, which can limit voluntary disclosures to third parties.
  • Users of mental‑health and reproductive apps that truly facilitate care — Consumers who use digital platforms that connect them to clinicians or treatments gain explicit statutory recognition that app‑collected clinical‑quality data can be treated as protected medical information.
  • Privacy‑focused compliance teams and counsel — Organizations and regulators benefit from more granular statutory language to base policies on (even if the language raises implementation questions), replacing fuzzy boundaries with statutory tests to apply during audits or litigation.

Who Bears the Cost

  • Digital mental‑health and reproductive‑health app companies — Apps that market themselves as facilitating services and that use collected data will likely fall inside CMIA, triggering record‑keeping, disclosure, and possibly consent obligations they did not previously face.
  • Pharmaceutical manufacturers and marketers — Paid communications to patients will face new disclosure and opt‑out mechanics (including the 14‑point font and toll‑free number requirements) that complicate digital marketing workflows and campaign automation.
  • Health care providers, Knox‑Keene plans, and contractors — These entities must account for a broader class of protected data (immigration and app‑collected data) and reassess consent, authorization expiration, routing of confidential communications, and vendor contracts.
  • State regulators and compliance officers — Enforcement, audit, and guidance burdens may rise as agencies interpret ambiguous phrases (for example, what constitutes ‘marketing itself as facilitating’) and adjudicate disputes over the new definitions.

Key Issues

The Core Tension

The central dilemma is straightforward: AB1979 expands privacy protections to cover more kinds of health‑related data and actors — protecting vulnerable patients and modernizing CMIA for the digital era — but it does so by using technical, gameable definitions that create compliance complexity, potential enforcement gaps, and incentives for actors to restructure services or marketing to avoid coverage. Protecting more data reduces harm but raises operational and legal costs, and the bill leaves the hard work of drawing workable bright lines to regulators and courts.

AB1979 is a definitions bill: it expands categories without attaching a new enforcement framework or explicit penalties in the text provided. That design leaves implementation and dispute resolution to regulators and courts, which creates transitional uncertainty.

Organizations will need operational policy updates and vendor contract changes before a regulator clarifies ambiguous terms, yet the bill’s practical effects begin the moment covered actors treat the definitions as binding.

Several phrases invite litigation and operational workarounds. The requirement that a digital service both “market itself as facilitating” and “use the information to facilitate” care is conceptually precise but fact‑sensitive; platforms can alter marketing language or narrow in‑product features to avoid classification.

Likewise, the 14‑point type requirement for disclosure and opt‑out is granular but poorly matched to many digital formats (tiny mobile screens, push notifications, or in‑app banners), creating compliance friction and potential accessibility conflicts. The immigration status expansion protects a very sensitive class of data, but it does not resolve conflicts with other legal obligations (mandatory reporting, subpoena compliance, or federal immigration enforcement requests), so covered entities will need decision frameworks for competing legal demands.

Finally, the bill’s exclusion of certain entities from the contractor definition (notably insurance institutions and PBMs licensed under Knox‑Keene) could produce asymmetric coverage: entities that process or monetize sensitive app data might fall outside the contractor label but still functionally act as data controllers. That ambiguity could shift compliance costs to smaller vendors while larger intermediaries escape via statutory labels, or it could force contractual reallocation of liability — outcomes that the text does not directly address.
