SB 278 amends Cal. Health & Safety Code §120985 to create targeted exceptions to California’s strict confidentiality rules for HIV test results.
The bill lets a health care provider disclose HIV test results that identify a Medi‑Cal beneficiary — without the beneficiary’s written authorization — to the beneficiary’s Medi‑Cal managed care plan and to external quality review organizations when those disclosures are for administering quality improvement activities, including value‑based payment and healthy behavior incentive programs.
The bill also permits Medi‑Cal managed care plans to disclose HIV test results that have been stripped of identifiers to Department of Health Care Services staff for the same quality‑improvement purposes. SB 278 therefore moves HIV testing data out of a purely clinical silo and into payer and oversight workflows, creating new operational opportunities for care management and new privacy and implementation questions for providers, plans, and state staff.
At a Glance
What It Does
The bill authorizes providers to disclose identifying HIV test results for Medi‑Cal beneficiaries to the beneficiary’s managed care plan and to external quality review organizations without written patient authorization, but only when the disclosure supports quality improvement, value‑based payment, or similar programs. It separately authorizes managed care plans to share deidentified HIV results with departmental staff for those purposes.
Who It Affects
Primary obligations and access changes fall on clinicians and other providers who perform HIV testing for Medi‑Cal beneficiaries, Medi‑Cal managed care plans, external quality review organizations that assess those plans, and Department of Health Care Services personnel handling program oversight and payment models.
Why It Matters
The change gives plans and reviewers direct access to HIV test data needed to measure and pay for quality, which can speed population‑level interventions and value‑based contracting. At the same time it relaxes one of California’s most sensitive confidentiality rules, creating new privacy, compliance, and data governance responsibilities for all parties involved.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
California law has long treated HIV test results as highly confidential: disclosure that identifies the person who was tested is generally prohibited except for limited clinical uses. SB 278 carves out a deliberate exception limited to Medi‑Cal: when a provider performs an HIV test on a Medi‑Cal beneficiary, the provider may give identifying test results to the beneficiary’s Medi‑Cal managed care plan and to external quality review organizations if the disclosure is for administering quality improvement programs.
The bill lists examples — value‑based payment and healthy behavior incentive programs — to show the kinds of plan activities it anticipates.
Separately, the bill permits Medi‑Cal managed care plans to pass along HIV test results that do not identify individuals to Department of Health Care Services staff for the same quality and program administration purposes. That creates a two‑step data flow: providers → managed care plans/external reviewers (identifying data, limited purposes) → plans → state staff (deidentified data only).
The statute preserves the underlying framework of penalties that already applies to unauthorized disclosures; SB 278 is an authorization, not a blanket erasure of existing confidentiality protections.What the bill does not do is spell out technical or contractual safeguards. It does not set a de‑identification standard, require specific data use agreements, or add new auditing, reporting, or notice obligations for providers or plans.
Nor does it define limits on how plans may use identifying results beyond the stated program types. Those practical gaps will shape implementation: plans need access to lab results to compute measures and run payment models, but providers and advocates will want written safeguards and clear boundaries to avoid mission creep and re‑identification risks.Operationally, expect plans and external review organizations to seek data sharing agreements, and providers to update intake and consent workflows — or to develop internal checklists — to document permitted disclosures.
The Department of Health Care Services will need to translate the authorization into policy guidance (for example, specifying de‑identification methods and acceptable uses) if it wants consistent statewide practice and manageable privacy risk.
The Five Things You Need to Know
The bill lets a health care provider disclose HIV test results that identify a Medi‑Cal beneficiary to that beneficiary’s Medi‑Cal managed care plan without written patient authorization, but only for administering quality improvement programs.
External quality review organizations conducting reviews of Medi‑Cal managed care plans may receive identifying HIV test results from providers for the same quality‑improvement purposes.
Medi‑Cal managed care plans may disclose HIV test results that do not identify the test subjects to Department of Health Care Services staff for administering the same quality improvement and payment programs.
SB 278 explicitly ties permitted disclosures to program administration (including value‑based payment and healthy behavior incentive programs) rather than to routine billing or unrelated business uses.
The bill authorizes these disclosures but does not add technical de‑identification standards, detailed data use agreement requirements, or new notification/audit mandates in the text.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Creates limited exceptions to HIV result confidentiality for Medi‑Cal program administration
This is the core textual change: the statute that currently restricts disclosure of identifying HIV test results is amended to allow providers to disclose those results to a beneficiary’s Medi‑Cal managed care plan and to external quality review organizations when the disclosure is for quality improvement and related program administration. The practical implication is that plans and contracted reviewers gain a legal pathway to receive clinical test results they previously could not get without written patient authorization.
Permits identifying results to flow to plans and external reviewers for QI and payment programs
The bill limits the provider’s authorization to disclosures ‘for the purpose of administering quality improvement programs, including, but not limited to, value‑based payment programs and healthy behavior incentive programs.’ That framing narrows the permitted uses to program administration rather than general plan operations, but it nevertheless permits plan access to individually identifiable HIV test results when those results are relevant to measuring quality or administering payments tied to outcomes.
Allows deidentified results to go from plans to departmental staff
Managed care plans may provide HIV test results that do not identify individuals to Department of Health Care Services staff for the same program administration purposes. This creates an explicit, statutorily authorized workflow for DHCS to receive aggregated or deidentified clinical data to monitor and run statewide quality and payment initiatives tied to Medi‑Cal.
Reserves existing confidentiality protections and makes declaratory statements
The amendment contains clarifying statements that preserve the broader statutory framework — including penalties for negligent, willful, or malicious disclosures not covered by the new exceptions. In short, SB 278 is additive and narrow: it authorizes specified disclosures for specified Medi‑Cal administrative purposes and does not repeal or broadly relax the statute’s confidentiality regime.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Medi‑Cal beneficiaries living with HIV: Plans and reviewers having timely access to test results can support targeted outreach, linkage to care, and programs that improve viral suppression rates, which may improve clinical outcomes.
- Medi‑Cal managed care plans: Plans gain legal access to clinical HIV test data needed to measure quality metrics, implement value‑based arrangements, and operate incentive programs that depend on lab results.
- External quality review organizations and DHCS program staff: Reviewers and departmental analysts can better assess plan performance and population health trends when they can draw on test data (external reviewers get identifying results where necessary; DHCS gets deidentified aggregates).
Who Bears the Cost
- Providers and clinics serving Medi‑Cal patients: They will need to alter workflows, create secure transmission processes, and negotiate data sharing agreements — all of which require staff time and possibly IT changes.
- Medi‑Cal managed care plans: Plans assume added responsibilities for protecting sensitive HIV data, drafting data use agreements, and defending against re‑identification risk and potential liability if data are mishandled.
- Patients and privacy advocates: The expanded data flows increase the risk of inadvertent disclosure or re‑identification of HIV status, potentially undermining trust and deterring testing or disclosure in some populations.
- Department of Health Care Services: DHCS must interpret the authorization, set de‑identification expectations, and monitor plan and reviewer practices without an explicit funding or staffing line in the statute.
Key Issues
The Core Tension
The central dilemma is between improving HIV care at scale by giving payers and reviewers access to test data and protecting the individual privacy that has long been afforded to HIV test results; the bill tips access toward programmatic quality work but leaves the safeguards and limits that determine whether that access is safe and proportionate to implementation rather than statute.
SB 278 solves a concrete operational problem — plans and reviewers need HIV test data to run quality programs — by creating a statutory exception to allow that flow. But the statute leaves the most consequential implementation choices to regulators and contracting parties.
The bill does not define a de‑identification standard, does not require written data use agreements or notices to beneficiaries, and does not specify technical safeguards or minimum retention and destruction policies. Those omissions mean privacy protections will depend on downstream policies, interagency guidance, and contract terms rather than on statutory guardrails.
A second tension is scope control. The bill restricts permitted disclosures to quality improvement and related payment programs, yet the statutory language is broad enough that plans could argue new activities fit within the description, especially as payment models evolve.
Without explicit limits or reporting requirements, the line between permissible program administration and broader operational uses (including utilization management or payment determinations tied to individual beneficiaries) could blur. That dynamism raises compliance and legal risk for providers, plans, and the state — and practical concerns for beneficiaries who may not expect payer access to their HIV test results.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.