SB 504 requires health care providers and laboratories in California to report all diagnosed HIV infections to local health officers using patient names on a department‑developed form, and it authorizes local and state public health authorities to access laboratory electronic reports. The bill prescribes acceptable transmission methods, preserves anonymous testing sites, creates an explicit exception to California’s medical confidentiality statute for disclosures needed to complete or support public‑health HIV case reports and surveillance activities, and mandates annual confidentiality agreements for state and local public‑health staff and contractors.
The statute also bars disclosure of named HIV reports to the federal government (with a narrow statutory exception), requires prompt investigation and reporting of confidentiality breaches to law enforcement, and ties penalties for improper disclosure to Section 121025. For clinical operations, laboratories, and local health jurisdictions this means new named‑data workflows, defined legal authority to share identifying information for public‑health purposes, and new administrative controls to guard against—and respond to—breaches.
At a Glance
What It Does
The bill requires named reporting of every HIV infection on a department form, allows secure electronic and several traceable physical delivery methods, and gives local health officers authority to deduplicate and forward unduplicated case counts to the state. It also creates exceptions to state medical confidentiality law for disclosures needed to complete reports or to carry out surveillance and linkage to care, and mandates annual confidentiality agreements for public‑health staff and contractors.
Who It Affects
Directly affects clinicians who diagnose HIV, clinical and public‑health laboratories that test for HIV, local health officers and the California Department of Public Health (CDPH), anonymous testing sites, and contractors or employees who access HIV public‑health records. It also creates legal exposure for anyone who willfully or negligently discloses reported HIV‑identifying data.
Why It Matters
By converting HIV reporting to a named, mandatory system and by clarifying disclosure authority for public‑health purposes, the bill reshapes how surveillance data flow between providers, labs, and health agencies—affecting program planning, federal funding eligibility, and patient privacy risk. Operationally, clinics and labs must update reporting workflows and data‑security practices; health departments must institute confidentiality controls and breach processes.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 504 turns HIV case reporting into a named, actively managed public‑health stream. Providers and labs must put patient names on the department’s reporting form and send those reports to the local health officer; laboratories that already submit electronic reports to the state will also be accessible to local health officers.
Local health officers then reconcile and report unduplicated case counts up to the department on the same department form. The law lists acceptable delivery channels—secure electronic reporting, courier, traceable mail, person‑to‑person transfer, or facsimile—to limit accidental loss of records in transit.
The bill carves out clear exceptions to California’s confidentiality statute (Civil Code Section 56.10) so providers can disclose identifying information to local jurisdictions or CDPH where that disclosure is “necessary” to complete or supplement a case report or to carry out surveillance, investigations, linkage to care, or reengagement efforts. That “necessary” standard is intentionally permissive: it can be met by the provider, the local health jurisdiction, or CDPH, which places judgement calls about data disclosure largely in the hands of clinical and public‑health actors rather than requiring prior judicial or administrative authorization.Protection mechanisms focus on limiting downstream disclosure and holding personnel accountable.
The bill requires state and local public‑health employees and contractors to sign annual confidentiality agreements that explain penalties and reporting procedures; it makes reported HIV cases non‑discoverable in civil, criminal, administrative, or other proceedings; it forbids disclosing identifying information to the federal government except where another statutory provision allows; and it establishes immediate breach‑reporting duties for local officers and a state‑level investigatory role for CDPH. Finally, the bill preserves continued reasonable anonymous HIV testing through alternative testing sites and obligates the department to update reporting forms and some regulations under an expedited process.
The Five Things You Need to Know
The bill requires patient‑name reporting of all HIV diagnoses to the local health officer using a department form and obliges local health officers to submit unduplicated, by‑name cases to the department.
Acceptable transmission methods are explicitly limited to courier, USPS express or registered or other traceable mail, person‑to‑person transfer, facsimile, or a secure confidential electronic reporting system; the department must implement this using existing resources.
SB 504 creates an exception to Civil Code Section 56.10 allowing providers to disclose identifying patient information to local jurisdictions or CDPH when necessary to complete or supplement HIV case reports or to carry out surveillance, investigation, linkage to care, or reengagement.
The bill requires annual confidentiality agreements for state and local health department employees and contractors, requires immediate reporting of any actual breach at the city or county level to CDPH and law enforcement, and assigns state‑level breach investigations to CDPH.
Reported HIV cases are protected from disclosure in civil, criminal, administrative, or other proceedings per Section 121025, and the statute expressly prohibits sharing identifying information with the federal government except as permitted under a narrow statutory provision.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Named case reporting and lab access to electronic reports
Subsection (a) establishes the core obligation: health care providers and laboratories must report all HIV infections using patient names on the department’s form. It also authorizes both local health officers and the department to access laboratory reports that are electronically submitted under an existing statutory provision, which creates parallel access channels to electronic lab surveillance data. Practically, that means clinics and labs must populate and transmit identifiable fields; local health officers will receive line‑level data and bear responsibility for case reconciliation.
Permitted transmission methods and resource note
Subsection (b) narrows acceptable delivery channels to traceable physical methods, person‑to‑person handoffs, fax, or a secure electronic reporting system and instructs implementation to proceed within the department’s existing resources. For implementers this limits permissible workflows but also signals no new appropriations—local and state agencies and reporting entities must absorb the operational costs of adjusting systems or rely on current IT and logistics capacity.
Targeted exceptions to medical confidentiality for public‑health purposes
Subsections (c) and (d) modify the reach of Civil Code Section 56.10 by permitting providers to disclose identifying patient information to local jurisdictions or CDPH when the disclosure is necessary either to complete or supplement a case report or to permit the jurisdiction or department to investigate, control, or surveil disease or to coordinate linkage or reengagement in care. The statutory test—"necessary" as determined by provider or public health—delegates discretion to clinical and public‑health actors and reduces procedural barriers that could otherwise delay data submission or outreach to patients.
Preservation of anonymous testing sites
Subsection (e) requires the department and local health officers to ensure continued reasonable access to anonymous HIV testing through alternative testing sites, and to consult with HIV planning groups and stakeholders, including people living with HIV. This preserves a parallel pathway for people seeking anonymous tests and requires stakeholder input on how named reporting and anonymous services coexist in local programs.
Form and regulatory changes under expedited process
Subsection (f) directs CDPH to promulgate emergency regulations to align Title 17 provisions with the statute and allows the department to revise the reporting form without going through the full Administrative Procedure Act if revisions follow CDC reporting guidance; the revised form must be filed with the Secretary of State and printed in Title 17. That creates a faster regulatory path to change reporting instruments but also raises questions about notice and stakeholder review.
Non‑discoverability, confidentiality agreements, federal disclosure bar, and breach rules
These subsections set confidentiality guardrails: reported cases are not discoverable or producible in legal proceedings; employees and contractors must sign annual confidentiality agreements that describe penalties and reporting procedures; identifying information cannot be disclosed to the federal government except as narrowly allowed elsewhere; local officers must immediately report actual breaches to CDPH and law enforcement while CDPH investigates state‑level breaches; and willful, negligent, or malicious disclosures are subject to penalties under Section 121025. Together these provisions create a compliance and enforcement framework around the named reporting regime.
Preservation of other legal remedies
Subsection (l) clarifies that the section does not limit other remedies or protections under state or federal law. This preserves potential private or statutory causes of action and reserves the possibility that other statutes or constitutional claims could shape how the reporting and confidentiality regime operates in practice.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Local health departments and CDPH — Gain patient‑level data and direct access to lab electronic reports, improving case ascertainment, outbreak detection, and program planning, which can support grant applications and targeted interventions.
- People needing linkage to care — The exception to confidentiality for surveillance and reengagement allows public‑health workers to locate and reengage diagnosed persons who have fallen out of care, potentially improving clinical outcomes and reducing onward transmission.
- HIV program planners and funders — More complete named surveillance data supports finer‑grained epidemiology, resource allocation, and compliance with federal reporting expectations tied to funding.
- Anonymous testing program administrators — The bill explicitly requires preservation of anonymous testing sites, protecting a pathway for people who would otherwise avoid testing because of privacy concerns.
Who Bears the Cost
- Health care providers and clinical laboratories — Must change workflows to include patient names on reports, adopt secure transmission methods, and make discretionary decisions about disclosures that previously would have been restricted by Civil Code 56.10.
- Local health jurisdictions and CDPH — Must implement intake, deduplication, confidentiality agreements, breach‑investigation processes, and potentially expand secure IT infrastructure, all while the statute instructs implementation on existing resources.
- People living with HIV and those at risk — Named reporting increases the amount of identifiable health data held by government agencies, raising real privacy and stigma risks if confidentiality fails.
- State and local public‑health employees and contractors — Face new administrative duties (annual confidentiality agreements, breach reporting) and potential exposure to penalties for improper disclosures.
- Anonymous testing sites — Although preserved by statute, these programs may face practical strain as simultaneous named reporting requirements and outreach activities must be reconciled in local workflows.
Key Issues
The Core Tension
The core tension is between public‑health utility and individual privacy: the bill improves surveillance and potential care linkage by requiring named reporting and giving public‑health actors discretion to share identifying data, but those same features concentrate sensitive information in government hands and increase the risk that breaches or overbroad disclosures will deter testing and harm people living with HIV.
The bill resolves the perennial public‑health vs. privacy trade‑off by authorizing named reporting and narrowing confidentiality protections for public‑health needs, but it leaves several implementation questions open. The key operational gap is funding: the statute instructs implementation using existing departmental resources while adding responsibilities for intake, deduplication, confidentiality training, and breach investigations—tasks that commonly require new staff and IT investments.
Expect local jurisdictions and CDPH to prioritize tasks unevenly if budgets remain flat, which could affect timeliness and data quality.
Statutory terms and process shortcuts raise legal and practical uncertainties. The law lets providers, local jurisdictions, or CDPH determine when disclosure is "necessary," a subjective standard that could produce inconsistent practices and legal challenges—particularly where disclosure overrides California confidentiality law.
The ban on sharing identifying information with the federal government (subject to a narrow exception) creates potential friction with federal data requests tied to funding or research; the scope and interaction of that prohibition with federal law and grant conditions will require legal mapping. Finally, the instruction to update rules and forms under an expedited regulatory path accelerates technical fixes but limits formal stakeholder review, increasing the risk that revised forms will create gaps or unintended reporting burdens before they’re adjusted.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.