Bill Text: CA AB1979 | 2025-2026 | Regular Session | Amended
Bill Title: Health care services: artificial intelligence.
Sponsorship: Partisan Bill (Democrat 1)
Status: (Engrossed) 2026-06-22 - From committee chair, with author's amendments: Amend, and re-refer to committee. Read second time, amended, and re-referred to Com. on HEALTH. [AB1979 Detail]
Download: California-2025-AB1979-Amended.html
|
Amended
IN
Senate
June 22, 2026 |
|
Amended
IN
Senate
June 17, 2026 |
|
Amended
IN
Assembly
April 23, 2026 |
|
Amended
IN
Assembly
April 09, 2026 |
|
Amended
IN
Assembly
March 19, 2026 |
|
Amended
IN
Assembly
March 16, 2026 |
CALIFORNIA LEGISLATURE—
2025–2026 REGULAR SESSION
Assembly Bill
No. 1979
| Introduced by Assembly Member Bonta |
February 13, 2026 |
An act to amend Sections 56.05 and 56.06 of the Civil Code, and to add Section 1339.77 to the Health and Safety Code, relating to health care services.
LEGISLATIVE COUNSEL'S DIGEST
AB 1979, as amended, Bonta.
Health care services: artificial intelligence.
(1) The Confidentiality of Medical Information Act (CMIA) prohibits a provider of health care, a health care service plan, a contractor, or a corporation and its subsidiaries and affiliates from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided. Existing law deems a business that offers a mental health digital service or reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, to be a provider of health care subject to the requirements of the CMIA.
The bill would additionally deem a business that
offers a health care chatbot, as defined, to a consumer for the above-described purposes to be a provider of health care subject to the requirements of the CMIA.
(2) Existing law provides for the licensure and regulation of health facilities and clinics by the State Department of Public Health. Existing law generally makes a violation of these provisions a crime. Existing law requires a health facility, clinic, physician’s office, or office of a group practice that uses generative artificial intelligence to generate written or verbal patient communications pertaining to patient clinical information, as defined, to ensure that those communications include both a disclaimer that indicates to the patient that a communication was generated by generative artificial intelligence, as specified, and clear instructions describing how a patient may contact a human health care provider, employee, or other appropriate person, except as specified.
This bill would require a health facility, clinic, physician’s office, or office or a group practice to ensure that no clinical decision, as specified, is based solely on the output of a clinical decision support system, as defined, and that a licensed health care professional, acting within their scope of practice, retains the ability to exercise independent professional judgment when reviewing and approving a clinical decision that is based on the output of a clinical decision support system. The bill would authorize the appropriate professional licensing board to pursue an injunction or restraining order to enforce these provisions to the extent that a violation constitutes the practice of a health care profession without a license. The bill would specify that these provisions do not apply to the use of automated decision systems for documentation and communication that does not involve the application of professional judgment, including automated messages to inform
patients of updates to their health records. By placing new requirements on health facilities and clinics, this bill would expand the scope of a crime and would impose a state-mandated local program.
(3) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YESBill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 56.05 of the Civil Code is amended to read:56.05.
For purposes of this part:(a) “Artificial intelligence” has the same meaning as that term is defined in Section 1339.75 of the Health and Safety Code.
(b) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(c) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(d) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications
containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(e) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(f) “Enrollee” has the same meaning as that term is defined in Section
1345 of the Health and Safety Code.
(g) “Expiration date or event” means a specified date or an occurrence relating to the individual to whom the medical information pertains or the purpose of the use or disclosure, after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information.
(h) “Generative artificial intelligence” has the same meaning as that term is defined in Section 1339.75 of the Health and Safety Code.
(i)“Health care
chatbot” means a generative artificial intelligence system with a natural language interface that provides adaptive, human-like responses to user inputs, collects health care chatbot information from a consumer, is marketed as facilitating mental or physical health services to a consumer, and uses the information to facilitate mental or physical health services to a consumer.
(j)“Health care chatbot information” means information related to a consumer’s physical
or mental health or wellness that is provided to, inferred by, or generated by a health care chatbot.
(i) “Health care chatbot” means a generative artificial intelligence system with a natural language interface that does all of the following:
(1) Provides adaptive, human-like responses to user inputs.
(2) Is marketed as facilitating or supporting health services to a consumer.
(3) (A) Uses health care chatbot information to facilitate or support health service to a consumer.
(B) For purposes of this paragraph, “health care chatbot information” means information related to a consumer’s physical or mental health or wellness that a consumer provides to a chatbot, either directly or by allowing access to that information, or is collected, generated, or inferred by a chatbot.
(k)
(j) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(l)
(k) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(m)
(l) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to
purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or
payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (e) and (f) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect
remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number
of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.
(n)
(m) (1) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive
or sexual health application information, mental or
physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
(2) If individually identifying information regarding immigration status, including current and prior immigration status, or place of birth, is known or collected in electronic or physical form by a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, it shall be treated as medical information, as defined
in paragraph (1).
(o)
(n) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.
(p)
(o) “Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.
(q)
(p) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(r)
(q) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (e), or a provider of health care.
(s)
(r) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can
consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(t)
(s) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing
with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
(u)
(t) “Reproductive or sexual health application information” means information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual
health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.
(v)
(u) “Reproductive or sexual health digital service” means a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.
(w)
(v) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender-affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
(x)
(w) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(y)
(x) “Immigration enforcement” means any and all efforts to investigate, enforce, or assist in the investigation or enforcement of any federal civil immigration law, and also includes any and all efforts to investigate, enforce, or assist in the investigation or enforcement of any federal criminal immigration law that penalizes a person’s presence in, entry or reentry to, or employment in, the United States.
SEC. 2.
Section 56.06 of the Civil Code is amended to read:56.06.
(a) Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.(b) Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(c) Any
business that is licensed pursuant to Division 10 (commencing with Section 26000) of the Business and Professions Code that is authorized to receive or receives identification cards issued pursuant to Section 11362.71 of the Health and Safety Code or information contained in a physician’s recommendation issued in accordance with Article 25 (commencing with Section 2525) of Chapter 5 of Division 2 of the Business and Professions Code shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(d) Any business that offers a mental health digital service to a consumer
for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(e) Any business that offers a reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements
of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including, but not limited to, laws that specifically incorporate by reference the definitions of this part.
(f) Any business that offers a health care chatbot to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the
definitions of this part.
(g) Any business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.
(h) Any business described in this section is subject to the penalties for improper use and disclosure of medical information prescribed in this part.
SEC. 3.
Section 1339.77 is added to the Health and Safety Code, to read:1339.77.
(a) (1) A health facility, clinic, physician’s office, or office of a group practice shall ensure that no clinical decision is based solely on the output of a clinical decision support system.(2) A health facility, clinic, physician’s office, or office of a group practice shall ensure that a licensed health care professional, acting within their scope of practice, retains the ability to exercise independent professional judgment when reviewing and approving a clinical decision that is based on the output of a clinical decision support system.
(3) For purposes of this subdivision, “clinical
decision” includes, but is not limited to, assessment of patient condition and education of a patient or their family concerning the patient’s health care problems, including postdischarge
care.
(b) A health facility, clinic, physician’s office, or office of a
group practice shall not use or deploy a tool, system, or device that includes artificial intelligence to direct, guide, supervise, or instruct unlicensed personnel in their performance of any clinical function that is required by law to be performed by a person with a professional license.
(c) (1) A violation of this section by a licensed health facility is subject to the enforcement mechanisms described in Article 4 (commencing with Section 1290) of Chapter 2.
(2) A violation of this section by a licensed clinic is subject to the enforcement mechanisms described in Article 4 (commencing with Section 1235) of Chapter 1.
(3) A violation of this section constitutes “unfair competition” as
defined in Section 17200 of the Business and Professions Code and is punishable as prescribed in Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code.
(4) To the extent that a violation of this section constitutes the practice of a health care profession without a license, the appropriate health care professional licensing board may pursue an injunction or restraining order to enforce this section, as authorized by Section 125.5 of the Business and Professions Code.
(5) Nothing in this section limits the authority for a health care professional licensing board or enforcement agency to pursue any remedy otherwise authorized under the law.
(d) This section does not apply to
the use of automated decision systems for documentation and communication that does not involve the application of professional judgment, including, but not limited to, automated messages to inform patients of updates to their health records, generating reminders, or assisting patients to find information at their request.
(e) For purposes of this section, the following definitions apply:
(1) “Artificial intelligence” has the same meaning as defined in Section 1339.75.
(2) (A) “Automated decision system” means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score,
classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
(B) “Automated decision system” does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
(3) “Clinic” has the same meaning as defined in Section 1200.
(4) “Clinical decision support system” means an automated decision system or generative artificial intelligence system whose outputs are used to inform clinical decisionmaking with respect to the provision, timing, or course of patient care.
(5) “Generative artificial
intelligence” has the same meaning as that term is defined in Section 1339.75.
(6) “Health care provider” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code.
(7) “Health facility” has the same meaning as defined in Section 1250.
(8) “Office of a group practice” has the same meaning as defined in Section 1339.75.
(9) “Physician’s office” has the same meaning as defined in Section 1339.75.
