Existing law, the Confidentiality of Medical Information Act (CMIA), generally prohibits a provider of health care, a health care service plan, or a contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, unless a specified exception applies. Existing law makes a violation of the CMIA that results in economic loss or personal injury to a patient punishable as a misdemeanor. Existing law requires specified businesses that electronically store or maintain medical information on the provision of sensitive services on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer to develop capabilities, policies, and procedures, on or before July 1, 2024, to enable certain security features, including limiting user access privileges and segregating medical information related to gender affirming care, abortion and abortion-related services, and contraception, as specified.