Codify — Article

California AB2448: EHR integrity, segmentation, and out‑of‑state access limits for sensitive care

Requires audit trails, record‑segmentation, and controls to block out‑of‑state access for abortion, contraception, and gender‑affirming care—shifting technical and compliance burdens to data hosts and EHR systems.

The Brief

AB2448 places new confidentiality duties on anyone who creates, stores, or disposes of medical information and ties negligent handling to the remedies and penalties in Section 56.36. The bill also imposes specific technical requirements on electronic health/medical record systems and on businesses that host or maintain records on behalf of health actors.

Key operational changes include mandatory integrity protections and immutable audit logs for EHRs, and a set of capabilities for third‑party data hosts to segment records tied to gender‑affirming care, abortion, and contraception, prevent transfers outside California, and automatically disable out‑of‑state access. Those features carry fee limits tied to federal regulation and coexist with—but may conflict with—existing state and federal patient‑access rules and definitions.

At a Glance

What It Does

The bill requires EHR systems to protect data integrity and automatically log any change or deletion with user identity, timestamp, and the change made. It also requires businesses that store medical data for others to implement controls to restrict access to records related to gender‑affirming care, abortion, and contraception, and to block or disable out‑of‑state access.

Who It Affects

EHR and electronic medical record vendors, third‑party data hosts described in Section 56.06, providers and employers who contract with those hosts, and patients who receive abortion, contraception, or gender‑affirming services. Health care service plans, providers, and contractors are subject to other parts of the bill but subdivision (c) includes a narrow scope question that matters for implementation.

Why It Matters

AB2448 pushes specific privacy features into the tech stack, not just legal duties — creating new product requirements for vendors and new operational choices for providers. It also raises real interoperability, access, and enforcement questions because it tries to draw geographic boundaries around data flows in an already interstate health system.


What This Bill Actually Does

The bill begins by imposing a baseline confidentiality obligation on anyone who handles medical information — providers, health plans, pharmaceutical companies, and contractors must preserve patient confidentiality and face the remedies and penalties in Section 56.36 if they negligently mishandle records. That creates a legal hook for enforcement tied to an existing statutory penalty framework.

On the technical side, AB2448 requires any electronic health or medical record system to safeguard integrity and to create an automatic, preserved audit trail of changes or deletions. The audit trail must record who accessed and altered a record, when that access occurred, and what change was made.

The bill leaves patient access rights intact but clarifies that those rights are governed by applicable state and federal access and disclosure laws.

The most operationally consequential part targets businesses that electronically store medical information on behalf of others. Those businesses must implement a package of capabilities — access‑privilege limits, segregation of records for specified sensitive services, prevention of transfer or processing of those records to persons or entities outside California, and the ability to automatically disable access from another state.

The bill ties any fees charged to providers or patients for these capabilities to the federal fee rules in 45 CFR 171.302 and adopts an existing statutory definition of gender‑affirming care via the Welfare and Institutions Code.

Finally, the bill narrows its technical obligations by cross‑referencing statutory definitions: it says subdivision (c) does not apply to entities as defined in Section 56.05, and it confines the EHR requirement to systems that meet the federal definition of an electronic health record under 42 U.S.C. 17921(5). Those cross‑references will determine whether large categories of health actors are in or out of the bill’s core technical mandate, and they will shape how vendors and providers prioritize compliance work.

The Five Things You Need to Know

1. The bill requires EHR systems to automatically record and preserve any change or deletion to electronically stored medical information, including the identity of the person who accessed and changed the record, and the date, time, and nature of the change.

2. Businesses that electronically store medical records on behalf of others must enable access controls, segregation of records related to gender‑affirming care, abortion and abortion‑related services, and contraception, and the ability to automatically disable access to those segregated records by individuals or entities in another state.

3. Subdivision (c) directs those businesses to prevent disclosure, transfer, transmission, or processing of the specified sensitive records to persons or entities located outside California.

4. Any fees charged to providers, plans, contractors, employers, or patients for compliance with subdivision (c) must be consistent with the federal fee rules in 45 CFR 171.302.

5. Negligent creation, maintenance, preservation, storage, abandonment, destruction, or disposal of medical information exposes the actor to remedies and penalties under subdivisions (b) and (c) of Section 56.36; at the same time, subdivision (c)(4) says this subdivision does not apply to entities defined in Section 56.05, creating a scope tension that implementers must resolve.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 56.101(a)

Broad confidentiality duty and negligence hook

This subsection imposes a general duty on anyone who creates, stores, or disposes of medical information to preserve confidentiality. If they negligently fail to do so, they become subject to the remedies and penalties cross‑referenced to Section 56.36(b) and (c). Practically, this converts technical failures into potential statutory liability rather than leaving them solely to contract or HIPAA enforcement.

Section 56.101(b)

EHR integrity and audit‑trail requirement

The bill requires any electronic health or medical record system to protect data integrity and to automatically record any change or deletion with the identity of the user, the timestamp, and the change itself. It preserves patient access rights but anchors them to existing state and federal access laws, which means designers must ensure auditability without obstructing lawful patient requests or required disclosures.

Section 56.101(c)(1)(A–D)

Technical capabilities for sensitive‑services data

This subsection mandates that businesses described in Section 56.06 that host or maintain medical records for others implement four core capabilities: fine‑grained access controls, blocking of out‑of‑state disclosures, segregation of records tied to gender‑affirming care/abortion/contraception, and the ability to automatically disable access from another state. Each capability is framed as a technical requirement, not merely a policy statement, meaning vendors will need to ship product features (or vendors/providers will need contractual add‑ons) to comply.
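To make the (b) and (c) requirements concrete, here is a small illustration written for this article; it is not code from the bill, a vendor, or any EHR product. It shows a hash‑chained, append‑only audit trail that captures user identity, timestamp, and the change made, together with a read path that refuses access to segregated categories from outside California. The category labels, the in‑memory store, and the fail‑closed treatment of an unknown location (for example a VPN or a federated login with no state claim) are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed labels for the three service categories the bill singles out.
SENSITIVE = {"gender_affirming_care", "abortion", "contraception"}
GENESIS = "0" * 64  # chain anchor for the first audit entry


class AuditedRecordStore:
    """Constructed example: tamper-evident audit log plus segmented access."""

    def __init__(self):
        self.records = {}   # record_id -> {"category": str, "body": dict}
        self.audit = []     # append-only audit entries, each hashed over its predecessor
        self.prev_hash = GENESIS

    def _log(self, user, action, record_id, change):
        # Every entry carries who, when, what, and the hash of the previous entry,
        # so editing or dropping an earlier entry breaks verify_audit().
        entry = {"user": user, "ts": datetime.now(timezone.utc).isoformat(),
                 "action": action, "record": record_id, "change": change,
                 "prev": self.prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        self.prev_hash = entry["hash"]

    def write(self, user, record_id, category, body):
        old = self.records.get(record_id)
        self.records[record_id] = {"category": category, "body": body}
        self._log(user, "update" if old else "create", record_id, {"before": old, "after": body})

    def delete(self, user, record_id):
        old = self.records.pop(record_id)  # deletion is logged, not silently lost
        self._log(user, "delete", record_id, {"before": old, "after": None})

    def read(self, user, user_state, record_id):
        rec = self.records[record_id]
        # Fail closed: anything other than a verified "CA" location is treated as out-of-state.
        if rec["category"] in SENSITIVE and user_state != "CA":
            self._log(user, "denied", record_id, {"reason": f"out-of-state access ({user_state})"})
            return None
        self._log(user, "read", record_id, None)
        return rec["body"]

    def verify_audit(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A production system would anchor the chain head in write‑once storage or an external notary so that the log owner cannot rewrite the whole chain; this sketch only shows the per‑entry linkage.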

Section 56.101(c)(2–4)

Fees, definitions, and carve‑outs

The bill limits any compliance fees to align with 45 CFR 171.302, references the Welfare and Institutions Code definition of gender‑affirming care, and then states that subdivision (c) does not apply to contractors, health care service plans, or providers as defined in Section 56.05. That last clause creates a scope question: the technical duties require work from certain third‑party businesses, but providers and plans may be outside subdivision (c)’s direct obligations depending on the statutory definitions.

Section 56.101(d)

Tie to federal EHR definition

The clause makes clear the EHR/EMR obligations apply to systems that meet the federal definition of an electronic health record under 42 U.S.C. 17921(5). That links California’s rule to federal terminology and may exclude simpler record systems that do not qualify as an EHR under the federal statute.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Patients receiving abortion, contraception, or gender‑affirming services — they gain statutory protections intended to reduce the risk that those records will be accessed or transmitted outside California.
  • Privacy‑focused providers and clinics — clearer technical controls can reduce the risk of unwanted disclosures and lower litigation exposure when properly implemented.
  • State enforcement and privacy regulators — the bill creates concrete technical benchmarks to measure compliance, making investigations and enforcement more practicable.
  • EHR vendors that already offer segmentation and geo‑access controls — they can market new compliance features and capture demand from providers seeking to meet the new mandate.

Who Bears the Cost

  • Third‑party data hosts and businesses described in Section 56.06 — they must develop or purchase segmentation, geo‑blocking, and auditing features and may need to rearchitect existing data models.
  • EHR and EMR vendors — building immutable audit trails and reliable segmentation features (with attestation and testing) will add development, testing, and support costs.
  • Providers that use third‑party hosts — they may pay higher fees for segmented storage and incur operational costs adjusting workflows and access privileges.
  • State agencies and courts — enforcement will require technical review capacity and possible rulemaking to clarify ambiguous terms and resolve disputes about scope and compliance.

Key Issues

The Core Tension

AB2448 pits the legitimate objective of shielding particularly sensitive services from cross‑border exposures against the equally legitimate need for seamless clinical information sharing and compliance with federal access and disclosure rules; the bill protects privacy by forcing technical partitioning of records, but that partitioning can undermine interoperability, emergency care, and established legal disclosure pathways.

The bill demands capabilities that are technically non‑trivial in many production EHRs. Segregating specific services inside a patient’s longitudinal record can require schema changes, metadata tagging, and access‑control rewrites — work that is costly for vendors and not trivially pluggable into legacy systems.

Implementing automatic disabling of access from another state also raises architectural and usability questions: how does the system determine 'out‑of‑state' users in federated authentication or VPN scenarios, and how are emergency access needs handled?

There are also legal and operational frictions with existing access and interoperability regimes. HIPAA and state patient‑access laws give patients broad rights to obtain their records and allow disclosures for treatment across state lines.

The bill’s prohibition on processing or transferring certain records outside California may conflict with mandatory disclosure exceptions, cross‑state care, telehealth workflows, or lawful subpoenas originating in other jurisdictions. The text’s cross‑references — excluding entities defined in Section 56.05 while imposing duties on businesses described in Section 56.06 — create ambiguity over which actors must build these features, and the bill’s July 1, 2024 deadline (already past) raises practical retroactivity and enforceability questions that implementers will need clarified guidance to resolve.
