AB 894 directs California general acute care hospitals to place new privacy controls around patient directories and to change how they present privacy information during admission. The law creates a clear patient-facing entitlement to limit how name and treatment-status information in a hospital directory is used or disclosed.
The change matters because patient directories are a routine operational tool for hospitals and for third parties (family, employers, law enforcement). The bill shifts a choice point to patients and their representatives, and it forces hospitals to update intake paperwork, front-line staff scripts, and recordkeeping to register and honor restrictions.
At a Glance
What It Does
The bill requires general acute care hospitals to notify patients or their representatives at admission (or as soon as reasonably possible if the patient is incapacitated or in an emergency) that they may restrict or prohibit use and disclosure of protected health information in the hospital’s patient directory. Hospitals must deliver an acknowledgment of privacy practices on a separate document and have staff verbally explain that document.
Who It Affects
This applies to California-licensed general acute care hospitals, admission and emergency department staff, health information management and privacy officers, and patients and their designated representatives — including families and legal proxies. It also affects third parties who commonly use directories to locate patients (e.g., visitors, clergy, employers, law enforcement) because hospitals must check for and honor restrictions before disclosing directory information.
Why It Matters
The law codifies a directory opt-out process beyond existing federal guidance and folds it into hospital licensing obligations, increasing compliance risk for noncompliant facilities. Operationally, admissions and emergency workflows will need rapid access to patients’ directory restrictions, and hospital privacy programs must document and enforce those choices; failure to comply can carry criminal exposure under the bill.
What This Bill Actually Does
AB 894 inserts a new, mandatory patient‑notice and acknowledgment regime into hospital admissions practice. At the point a person is admitted — or immediately afterward if they cannot respond because of incapacity or an emergency — hospital staff must make the patient or their representative aware that they have the right to limit how information held in the facility’s patient directory is used or shared.
The statute requires that this acknowledgment take the form of a separate document rather than being bundled into a larger packet, and that staff also provide a verbal explanation of the notice.
The directory control the bill targets is the subset of information hospitals disclose to people who ask for a patient by name (for example, name, location in the facility, and general reason for treatment). Under federal HIPAA rules, covered providers may maintain such a directory and must offer patients the opportunity to opt out; this law takes that federal concept and folds it into state licensing duties for general acute care hospitals, creating a state-level compliance standard that hospital managers must operationalize.
Practically, hospitals will need to adapt intake forms and electronic workflows so admissions staff can capture a patient’s directory preference and make that preference visible to clinicians, switchboard operators, and any unit releasing directory information.
The statute also builds in an accommodation for patients who cannot decide at admission: hospitals must deliver the notice and acknowledgment as soon as reasonably possible once the patient regains capacity or circumstances permit.
Finally, the bill attaches enforcement significance to the requirement. Because noncompliance is treated as a criminal violation under the legislative digest language, hospital risk-management teams will need to integrate the new notice and documentation steps into training, audits, and incident response processes to avoid legal exposure.
The Five Things You Need to Know
The law applies to California general acute care hospitals and takes effect July 1, 2026.
Hospitals must give patients or their representatives a separate, stand‑alone acknowledgment of privacy practices (not just a line in a general packet).
Hospital personnel must also verbally inform the patient or their representative about the directory‑restriction option at admission or as soon as reasonably possible if the patient is incapacitated or in an emergency.
The right guaranteed is to restrict or prohibit the use or disclosure of protected health information in the facility’s patient directory — the information typically released to people who ask for a patient by name.
The bill makes failure to follow the notice and acknowledgment requirements a criminally punishable violation, creating a state‑mandated local program (the legislative digest also states no state reimbursement is required for that mandate).
Section-by-Section Breakdown
Patient right to restrict directory disclosures
This provision recognizes and protects a patient’s ability to limit use and disclosure of information that would appear in a hospital patient directory. For administrators, it converts a patient privacy choice that federal HIPAA already contemplates into a state statutory right hospitals must honor; operationally this means admissions and records systems must capture and propagate that choice across units that answer directory inquiries.
Timing: admission and incapacitated/emergency patients
The section sets the timing obligation: staff must provide the notice at admission or, when the patient cannot respond, as soon as reasonably possible later. That phrasing preserves some operational flexibility but also imposes a measurable duty to follow up in emergency and incapacity cases, which will require tracking systems to flag outstanding acknowledgments and to document when and how they were completed.
Separate written acknowledgment and verbal explanation
The bill requires the hospital to use a separate document for the acknowledgment of privacy practices and to have personnel verbally inform the patient or representative. That dual delivery model reduces the risk that the disclosure gets buried in multi‑page intake packets, but it creates specific form and training work: hospitals must produce a compliant form, insert it into electronic health record workflows, and train staff in a standardized verbal script and documentation practice.
Scope of directory information covered
While the statute does not recast the substantive definition of protected health information, it targets the subset of PHI used for patient directories — the name, general reason for treatment, location, and similar identifiers released to people asking for the patient by name. Compliance teams should map where those disclosures currently occur (switchboard, nursing units, security) to ensure restrictions are enforced consistently.
Criminal exposure and fiscal-mandate language
The digest indicates violation of these requirements is a criminal offense and characterizes the bill as imposing a state‑mandated local program; it also states no state reimbursement is required. That combination means hospitals carry compliance obligations with potential criminal consequences, and local agencies may absorb implementation costs unless other funding sources are identified.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Patients concerned about privacy — the law gives admitted patients and their legal or designated representatives an explicit, state‑backed option to prevent directory disclosures that could expose their presence or treatment status to unwanted parties.
- Survivors of domestic violence and stalking victims — the additional notice and clear opt‑out mechanism reduces the administrative friction for these high‑risk groups to keep their location confidential from abusers or harassers.
- Hospital compliance and privacy programs — a statutory standard provides clearer enforcement expectations and a paper trail that privacy officers can audit and use to demonstrate compliance with both state and federal obligations.
Who Bears the Cost
- General acute care hospitals — they must redesign admission paperwork, update EHR templates, change switchboard and unit protocols, and run training programs; those changes have upfront and ongoing administrative costs.
- Front‑line admissions and emergency department staff — the law adds an interactional duty (verbal explanation and separate form) that lengthens intake and requires staff judgment about when to follow up for incapacitated patients.
- Local prosecutors and law enforcement — because the digest treats violations as criminal, local authorities may face more enforcement referrals and caseload pressure, and hospitals may face criminal investigations tied to procedural lapses.
Key Issues
The Core Tension
The central tension is between strengthening individual privacy control (and protecting vulnerable patients) and imposing concrete, enforceable duties on hospitals that must continue to use directories to coordinate care, admit and discharge patients, and respond to family or public‑safety inquiries; the statute solves for privacy clarity but does so at the cost of added operational complexity and potentially harsh enforcement consequences for procedural lapses.
The bill tightens patient control but leaves significant operational ambiguity. “As soon as reasonably possible” for incapacitated or emergency patients is fact‑sensitive and will be litigated or shaped by enforcement guidance; hospitals need clear internal standards (for example, within X hours or before transfer from ED to inpatient unit) to avoid uneven practice. The statute mandates a separate document and verbal notice but does not prescribe the contents, the method of documenting verbal delivery, or how long a restriction lasts — implementers will have to define form language, retention rules, and whether an opt-out must be renewed on readmission.
Treating noncompliance as a crime increases the stakes but also raises proportionality questions: clerical errors or missed verbal explanations that pose little privacy risk could trigger criminal exposure if prosecutors interpret the law strictly. There is also a potential clash with federal law: HIPAA already contemplates a directory opt‑out, but this state statute converts the practice into a licensing requirement and criminalizes failure to meet it; hospitals that operate multi‑state systems will need parallel workflows for state‑specific rules.
Finally, the law tightens restrictions on directory disclosure but does not expressly address verification of patient representatives or exigent disclosures to public safety officials, leaving ambiguity about exceptions and operational thresholds for release under competing duties.