Codify — Article

California SB 81 tightens rules on medical-information sharing and limits use for immigration and marketing

Requires patient authorization for disclosures except narrow exceptions, bars sale/marketing and immigration-enforcement use, and creates new limits on cross‑jurisdictional subpoenas and re‑disclosure.

The Brief

SB 81 makes patient authorization the default for medical‑information disclosures by health care providers, health plans, and their contractors, and then enumerates a set of compelled and permitted exceptions. The bill expressly forbids sharing, selling, or using medical information for marketing or immigration enforcement except where other provisions of the bill or law allow it.

The statute matters because it tightens state‑level limits on health data flows that many providers and third‑party vendors currently rely on for billing, analytics, care coordination, and public‑health work. It also draws a line on cross‑border legal demands (foreign subpoenas/search warrants), places concrete constraints on re‑disclosure by recipients, and layers California’s rules on top of federal HIPAA and ERISA frameworks—raising immediate compliance and interoperability questions for plans, contractors, and EHR vendors.

At a Glance

What It Does

Makes written patient authorization the default barrier to disclosure of medical information and then lists specific compelled (courts, subpoenas, warrants) and permitted (treatment, payment, billing, research, organ procurement, public health) exceptions. It also bans sale, marketing uses, and most disclosure for immigration enforcement and restricts re‑disclosure by recipients.

Who It Affects

Applies to licensed health care providers, health care service plans, insurers, contractors such as billing or analytics vendors, employee welfare benefit plans, and entities that currently receive health records for payment, quality review, research, or administrative services.

Why It Matters

Shifts more control of medical data to patients and narrows certain data channels that vendors, payers, and investigators depend on, while preserving a defined set of uses; the law will require systems changes and policy updates to reconcile California’s rules with federal HIPAA/ERISA requirements and out‑of‑state legal demands.

What This Bill Actually Does

SB 81 flips the default: health records cannot leave a provider, plan, or contractor without a patient’s authorization except where the statute expressly permits or compels disclosure. The text supplies a long list of compelled disclosures (court orders, subpoenas, warrants, administrative investigative subpoenas, and similar legal processes) and permitted operational uses (treatment, payment, billing and administrative services, peer‑review, research, organ donation coordination, and public‑health reporting).

Each exception comes with a limit—either contextual (only for the decedent in a coroner’s inquiry) or procedural (written authorization, HIPAA compliance, or limitation on further disclosure).

The bill calls out two practical chokepoints. First, it forbids compliance with a “foreign subpoena” unless the requesting party first obtains a California court order under Code of Civil Procedure section 2029.300—meaning providers should not automatically turn over records to out‑of‑state subpoenas without that state‑court process.

Second, it prohibits the sale or marketing use of medical information and stops contractors and corporate affiliates from further disclosing records to non‑health entities unless the patient authorizes it or an exception applies. Those clauses directly affect data brokers, marketing firms, and certain administrative uses of health data.

SB 81 also creates narrower pathways for otherwise routine flows: disclosures for payment and employer‑sponsored occupational health care are allowed but subject to written authorization, HIPAA alignment, and explicit limits on the content shared (for example, employers may receive only functional limitations and not statements of medical cause in employment disputes).

Research, disease‑management programs, and anonymization processes are permitted but require safeguards against re‑identification and further unlawful disclosure. Finally, the bill bars disclosure to immigration enforcement except where other statutory exceptions apply, placing California’s public‑interest protections above routine information sharing for enforcement purposes.

The Five Things You Need to Know

1. The bill makes patient authorization the basic rule: providers, plans, and contractors must obtain authorization before disclosing medical information, unless a statutory exception applies.

2. SB 81 expressly bans intentionally sharing, selling, or using medical information for marketing or other purposes not necessary to provide health care services.

3. Providers must not comply with an out‑of‑state (foreign) subpoena unless a California court order under Code of Civil Procedure §2029.300 authorizes compliance.

4. Medical examiner and coroner requests get expedited access limited to the decedent or prospective donor, but those offices cannot re‑disclose records to third parties without a court order or specific authorization.

5. Disclosures to employee welfare benefit (ERISA/Taft‑Hartley) plans and their contractors are allowed only with written authorization and in a manner consistent with HIPAA and Part 164 of Title 45 of the CFR.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 56.10(a)

Baseline rule: authorization required for medical‑information disclosure

This subsection establishes the default legal posture: medical information held by a provider, health plan, or contractor cannot be disclosed without the patient's authorization. Practically, that shifts the burden to the data holder to secure consent unless one of the explicit exceptions in the statute applies, and it signals that routine administrative or investigatory disclosures are not automatically covered unless they fit an enumerated category.

Section 56.10(b)

Compelled disclosures — courts, subpoenas, warrants, and investigators

This subdivision lists legal processes that compel disclosure: state and federal court orders, subpoenas and discovery devices in court or administrative proceedings, investigative subpoenas by government agencies, arbitration subpoenas, and valid search warrants. Crucially, it bars compliance with a so‑called ‘foreign subpoena’ unless the provider receives a California court order under CCP §2029.300. It also permits disclosure pursuant to search warrants from other states only when those warrants do not conflict with California law (including reproductive‑privacy protections) and do not run afoul of Penal Code limits.

Section 56.10(c)

Permitted operational disclosures for treatment, payment, quality, research and public health

This long subsection authorizes disclosures necessary for treatment and emergency care, payment and benefits determination, billing and administrative services, peer review and accreditation, bona fide research (with identity safeguards), organ procurement, public‑health reporting, disease‑management programs, and certain employer‑requested occupational health records under strict conditions. Many permitted uses are qualified: recipients must not further disclose information in ways that violate the statutory part, employer disclosures require written prior requests and limits on content, and ERISA‑plan related disclosures must comply with HIPAA standards.

Section 56.10(d)–(f)

Prohibitions on marketing, re‑disclosure, and immigration‑enforcement uses

The statute flatly prohibits intentional sharing, selling, or using medical information for marketing or other non‑healthcare purposes without express patient authorization. It separately forbids contractors and corporate affiliates from further disclosing records to entities not involved in direct care unless authorized, and it bars disclosure for immigration enforcement except where another subdivision expressly permits or compels disclosure. Those provisions collectively remove common commercial and enforcement channels for medical data.

Section 56.10(g)

Definitions — who counts as medical examiner and school‑linked services coordinator

This short subsection defines terms used elsewhere in the section. It clarifies which practitioners qualify as 'medical examiner, forensic pathologist, or coroner' for expedited decedent‑related requests and enumerates credentials that qualify someone as a school‑linked services coordinator for permitted disclosures on campuses. The definitions limit ambiguity about who may lawfully request records under the special rules.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Patients and privacy‑conscious Californians — gain stronger statutory protection against unauthorized disclosure, sale, or marketing use of their medical information, and explicit protection against routine disclosure to immigration enforcement.
  • People seeking reproductive or sensitive care — the restriction on complying with certain out‑of‑state legal process and the tie‑ins to California reproductive‑privacy law reduce the risk of cross‑border data exposure.
  • Academic and public‑health researchers conducting de‑identified epidemiologic studies — retain a clear, statutory pathway for access provided they protect identities and follow the bill’s re‑disclosure limits.
  • Organ procurement organizations and medical examiners — receive expedited access to records for decedent identification and donation evaluation, with statutory clarity about the scope and limits of that access.

Who Bears the Cost

  • Health care providers and health plans — face new administrative burdens: obtaining written authorizations, vetting legal process (especially foreign subpoenas), segmenting records, and updating policies and contracts with contractors and affiliates.
  • Third‑party data brokers, marketing firms, and analytics vendors — lose a source of medically identifiable data and face tighter contractual and legal limits on further disclosures, reducing revenue and requiring business model changes.
  • EHR vendors, billing platforms, and contractors — must implement technical controls for purpose‑based access, support data segmentation for limited disclosures, and add auditability to comply with the statute’s re‑disclosure and authorization requirements.
  • Out‑of‑state law‑enforcement and litigants seeking medical records — will encounter procedural hurdles (California court authorization) that add time and expense to obtain health records.

Key Issues

The Core Tension

The central dilemma is a classic trade‑off between individual medical privacy and the systemic need to move health information for treatment, payment, public health, research, and law enforcement: SB 81 tightens privacy and patient control—but in doing so it raises the risk of obstructing legitimate, time‑sensitive data flows and imposes significant technical and legal costs on providers, plans, and vendors who must keep the health system functioning.

SB 81 strengthens patient privacy, but it leaves several operational and legal questions unresolved. The statute references federal HIPAA requirements and ERISA/employee welfare plans without spelling out how conflicts will be reconciled in specific cases; providers and plans will need to map California’s authorization defaults against HIPAA’s permitted disclosures and ERISA plan rules to avoid inconsistent compliance obligations.

The foreign‑subpoena rule creates a clear procedural gate—requiring a California court order under CCP §2029.300—but it also invites litigation over when an out‑of‑state demand ‘interferes with’ California law, including reproductive‑privacy protections, and who bears the burden of seeking the California order.

Technical standards are thin. SB 81 permits anonymization and encoding but does not define the de‑identification threshold or the acceptable re‑identification risk, leaving implementers to reconcile state expectations with evolving federal guidance and industry practice.

The statute also omits explicit enforcement mechanisms or civil‑penalty language in the text provided, raising questions about remedies, private right of action, and agency roles for enforcement. Finally, the law’s operational scope—what counts as a contractor or affiliate, what is “necessary to provide health care services,” and how narrowly to draw employer‑disclosure limits—will require regulatory clarification or litigation to produce workable compliance rules.
