(1) The Confidentiality of Medical Information Act (CMIA) prohibits a provider of health care, a health care service plan, a contractor, or a corporation and its subsidiaries and affiliates from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided. The CMIA makes a business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information or for the diagnosis, treatment, or management of a medical condition of the individual, a provider of health care subject to the requirements of the CMIA.

The bill would clarify that “manage the individual’s information” includes the ability to query their medical history, summarize doctor’s notes, or organize lab results.

(2) Existing law provides for the licensure and regulation of health facilities and clinics by the State Department of Public Health. Existing law generally makes a violation of these provisions a crime. Existing law requires a health facility, clinic, physician’s office, or office of a group practice that uses generative artificial intelligence to generate written or verbal patient communications pertaining to patient clinical information, as defined, to ensure that those communications include both a disclaimer that indicates to the patient that a communication was generated by generative artificial intelligence, as specified, and clear instructions describing how a patient may contact a human health care provider, employee, or other appropriate person, except as specified.