SB 497 amends California’s CURES Prescription Drug Monitoring Program to block state and local agencies from knowingly providing CURES data or using state resources to assist interstate investigations or proceedings that seek to impose civil, criminal, or disciplinary liability for “legally protected health care activity” (as defined in Civil Code §1798.300). The bill preserves the PDMP’s core law‑enforcement and public‑health uses, requires regulations on access and audit standards, and clarifies reporting duties for dispensers.
The measure also carves two categories of prescriptions — testosterone and mifepristone — out of routine CURES reporting and requires removal of historical records for those prescriptions by a specified date. For practitioners, dispensers, researchers, and PDMP operators, SB 497 changes who can get CURES data, under what conditions it can be shared across state lines, and what technical and procedural safeguards California will insist on for interstate exchange.
At a Glance
What It Does
SB 497 prohibits California agencies and agents from knowingly providing CURES data or using state resources to aid interstate investigations that seek to impose liability for legally protected health care activity. It requires the Department of Justice to adopt regulations on access, preserves lawful in‑state investigations, allows interstate sharing under strict conditions, and excludes prescriptions for testosterone and mifepristone from routine CURES reporting with a deadline to purge prior records.
Who It Affects
California DOJ and the CURES PDMP operator; prescribers and dispensers (pharmacies, clinics, veterinarians) who must report controlled substance dispensings; in‑state and out‑of‑state law enforcement and regulatory agencies seeking PDMP data; researchers and educational entities (including University of California) that use CURES data under specified safeguards.
Why It Matters
This bill creates a legal firewall around PDMP data for care that California deems legally protected, limiting cross‑border investigations and setting a model for state control over prescription data. It also alters reporting obligations and data retention for specific drugs, with operational and compliance implications for pharmacies, health systems, and PDMP operators.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 497 leaves intact CURES as California’s controlled substances monitoring system but builds new walls around how that data can be used in interstate contexts. The Department of Justice still maintains CURES and may seek grant funding; the PDMP must comply with applicable privacy and security laws and the department must issue regulations that spell out approval, denial, and auditing procedures for users.
The bill formalizes stakeholder consultation before upgrades and rulemaking and requires the department to publish funding sources for CURES.
The core policy change is a prohibition on state or local agencies, or people acting for them, from knowingly providing CURES data or expending state resources to further any interstate investigation or proceeding that seeks to impose civil, criminal, or disciplinary liability based on another state’s laws for conduct that California defines as legally protected health care activity. That protection does not block investigations of conduct that is a crime under California law, nor does it bar audits or licensure investigations required by state or federal law, but it does prevent cooperating with out‑of‑state actions that would criminalize or sanction care that California permits.SB 497 also addresses data sharing mechanics.
The department may still enter interstate data‑sharing agreements and allow authorized users of other states’ PDMPs to obtain CURES information through an interstate hub, but only after California issues final regulations setting access standards and security requirements. Crucially, the department must not provide CURES data to out‑of‑state law enforcement except pursuant to a warrant, subpoena, or court order specified in state civil procedure and penal code sections.On operational rules, the bill tightens dispenser reporting: dispensers must transmit a defined set of data fields for each Schedule II–V dispensing as soon as reasonably possible but no later than one working day after release to the patient (veterinarians get a seven‑day window).
If dispensers suffer technical failures or disasters, reporting deadlines pause while normal operations are restored. Finally, SB 497 exempts prescriptions for testosterone and mifepristone from reporting, and directs the department to remove prior records of those prescriptions created before January 1, 2026 by January 1, 2027.
Unauthorized access or knowingly sharing CURES data with persons not legally authorized is a misdemeanor, with statutory exceptions tied to existing medical privacy law.
The Five Things You Need to Know
The bill forbids any California state or local agency, or person acting for one, from knowingly providing CURES data or using state resources to aid interstate investigations that seek to impose liability for legally protected health care activity.
California will not share CURES data with out‑of‑state law enforcement unless presented with a warrant, subpoena, or court order issued under specific state civil or penal code provisions.
Dispensers must report defined patient, prescriber, pharmacy, drug, refill, and date fields for each Schedule II–V dispensing within one working day of release to the patient; veterinarians have a seven‑day reporting window.
Prescriptions for testosterone and mifepristone are excluded from CURES reporting going forward, and the department must remove records of such prescriptions created before January 1, 2026 by January 1, 2027.
Unauthorized access to CURES or an authorized user knowingly furnishing CURES data to an unauthorized person is a misdemeanor, though entities covered by state and federal medical privacy laws are carved out from that subdivision.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
DOJ duty to maintain CURES and funding contingency
This section reasserts the Department of Justice’s role in maintaining CURES, subject to available funds in the CURES Fund, and authorizes the department to seek grants to operate the PDMP. Practically, this keeps the program dependent on its fund balance and external grants rather than mandating new appropriations, which matters for planning upgrades and vendor contracts.
Privacy safeguards and use limitations
The bill requires CURES operations to comply with federal and state privacy laws and instructs DOJ to adopt implementing regulations governing who may access data and for what purposes, how audits work, and when warrants or subpoenas are required. It also prohibits disclosure to boards whose licensees do not handle controlled substances. This creates a regulatory backbone that the department must fill in during rulemaking, shaping daily access, audit trails, and penalties.
Firewall against interstate investigations of legally protected care
This is the statute’s central substantive protection: California agencies and those acting for them may not knowingly provide CURES data or use state resources to further interstate investigations or proceedings that target legally protected health care activity. The text limits California’s cooperation when another state seeks to impose liability for care California allows, while preserving California’s ability to investigate conduct that violates state criminal law or to comply with licensure and accreditation reviews.
Detailed dispenser reporting obligations and exceptions for outages
SB 497 prescribes the exact data fields dispensers must transmit for every Schedule II–V dispensing and sets a one working‑day deadline after release to the patient, with a longer seven‑day rule for veterinarians. The law also permits extensions when dispensers face temporary technical failures or disasters and requires dispensers to correct failures within their control. Those timelines will affect pharmacy workflows, vendor SLAs, and PDMP ingestion processes.
Interstate data sharing with conditions and limits
The department may enter agreements with interstate hubs or other states’ PDMPs, and may provide data to authorized users from other states, but only after issuing final access and security regulations and ensuring the out‑of‑state system meets California’s standards. Importantly, the statute bars transfer of CURES data to out‑of‑state law enforcement absent a warrant, subpoena, or court order under specified California code sections, creating a higher bar for foreign law enforcement access.
Exclusion and purge of testosterone and mifepristone records
The bill removes routine reporting obligations for testosterone and mifepristone prescriptions and requires DOJ to remove existing records of such prescriptions created before January 1, 2026 no later than January 1, 2027. That creates both an operational task for the PDMP operator and potential implications for any research or audits that relied on those data fields.
Criminal penalties for unauthorized access or disclosure
SB 497 makes unauthorized access to CURES, or an authorized user’s knowing furnishing of CURES data to an unauthorized person, a misdemeanor. The subdivision exempts certain health care providers governed by medical privacy statutes from that subsection. The criminal penalty acts as an enforcement backstop but will require DOJ to clarify intent standards and coordination with privacy laws.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Patients receiving legally protected health care (for example, care California classifies as protected): the bill reduces the chance their PDMP records will be used to initiate or support out‑of‑state legal or disciplinary actions.
- California clinicians who provide legally protected services: the prohibition on interstate assistance reduces the risk that their prescribing or dispensing records in CURES will be used to subject them to litigation or penalties in other states.
- University of California and approved researchers: the statute preserves the possibility of access to identifiable CURES data for research if they meet Civil Code §1798.24(t) requirements, maintaining a pathway for clinical and public‑health research.
- In‑state public health and regulatory agencies: the law clarifies when they can use CURES data and retains access for disciplinary, civil, and criminal purposes under California law, protecting their ability to investigate in‑state violations.
Who Bears the Cost
- Department of Justice/CURES operator: new rulemaking, stakeholder consultations, data‑purge operations for excluded drugs, and additional compliance checks to enforce the interstate firewall will require staff time and may need funding beyond current allocations.
- Dispensers (pharmacies, clinics): the one‑working‑day reporting deadline and specified data fields increase operational pressure, requiring robust EHR/pharmacy system integration, vendor SLAs, and contingency planning for outages.
- Interstate PDMP hubs and out‑of‑state authorized users: to receive CURES data they must meet California’s access, audit, and security standards and accept limitations on law‑enforcement uses, which may reduce the utility of cross‑jurisdictional feeds for some investigations.
- Health systems and data custodians: the mandated removal of historical testosterone and mifepristone records creates data‑management costs and potential gaps for retrospective analyses and quality reporting.
Key Issues
The Core Tension
The central dilemma SB 497 addresses is how to protect patients and providers from being subject to other states’ laws while preserving the PDMP’s public‑health and law‑enforcement roles: strengthening privacy and limiting interstate assistance reduces the risk of cross‑border legal exposure but may hinder multi‑jurisdictional investigations into diversion and abuse and impose significant operational burdens on the PDMP and reporting entities.
SB 497 resolves a policy choice in favor of protecting patients and providers from cross‑border legal exposure, but doing so creates practical and legal wrinkles. Operationally, the department must define what it means to “knowingly” provide data or expend resources in support of an interstate investigation — an evidentiary and enforcement standard that will matter in contested cases.
The requirement to remove pre‑existing records for excluded drugs forces one‑time data‑sanitation work and raises questions about backups, research datasets, and whether downstream copies (for example, commercial analytics vendors or health system data warehouses) must also be purged or are beyond the PDMP’s control.
On interstate cooperation, the bill’s prohibition on sharing with out‑of‑state law enforcement absent a specific judicial process balances privacy against cross‑border criminal investigations, but may complicate multistate narcotics or diversion probes where evidence spans jurisdictions. The statute permits interstate data sharing through hubs, yet conditions that sharing on California’s regulations and standards; the department’s eventual rules will determine whether practical, real‑time exchange is feasible or effectively downgrades cross‑jurisdictional access.
Finally, the carveouts for UC research access and licensure and accreditation audits preserve important public‑interest uses, but require careful procedural safeguards to ensure identifiable data are handled lawfully and consistently.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.