Compliance is a moving target, and sometimes that target is moving fast. In the case of California Assembly Bill 352 (AB 352), businesses that electronically store sensitive health information have already passed compliance milestones in January, July, and December of 2024. With enforcement beginning on January 31, 2026, this post reviews AB 352's requirements, what they mean for your agency's systems, policies, and procedures, and how Exym is helping agencies stay compliant.
What is California Assembly Bill 352?
AB 352 took effect on January 1, 2024. It protects the privacy of patients and clients with respect to reproductive and gender-affirming health care, and specifically guards that information against disclosure to out-of-state parties. Records covered by AB 352 include:
- Use of contraception
- Abortion and abortion-related services
- Gender-affirming care
AB 352 builds on California's existing Reproductive Privacy Act, Assembly Bill 254, and the Confidentiality of Medical Information Act (CMIA) to strengthen privacy protections for this category of sensitive information.
Reproductive Health Information: Why Additional Protections are Necessary
Reproductive health laws vary widely from state to state and change frequently. Personal decisions, and categories of care that are provided legally in California, could carry professional or personal consequences if disclosed in a state with different laws. AB 352 prohibits, subject to limited exceptions, disclosing this information to parties outside California, which is a critical protection for patients and clients.
Who is Impacted by AB 352?
According to the legislation, AB 352 applies to any business that electronically "stores or maintains medical information on the provision of sensitive services." This means that many clinicians, businesses, and services are held to the same standards as health care providers, including any business that:
- Offers software or hardware, including mobile apps, designed to maintain medical information and make it available to an individual, or at the individual's request to a health care provider, for the purpose of managing the individual's information or for the diagnosis, treatment, or management of a medical condition.
- Operates under Division 10 of the Business and Professions Code, which includes businesses authorized to receive or handle medical cannabis recommendations and identification cards.
- Provides mental health digital services to a consumer.
- Offers reproductive or sexual health digital services to a consumer.
For the full definition, refer to California Civil Code section 56.06, which sets out the scope of businesses affected.
Key Compliance Changes Under AB 352
To remain compliant and avoid penalties, agencies may need to make changes at several levels of client information management: system security, user policies, and data-sharing practices.
System Security Changes
- Access Controls: Limit user access privileges to reproductive health information to authorized users only.
- Data Segregation: Keep sensitive medical information separate from the rest of the client's record, and be able to demonstrate that separation, so that an otherwise authorized disclosure of the record does not carry the sensitive information along with it.
- Auto-Disable Functionality: Ensure the system can automatically disable access to the segregated information when required, for instance for out-of-state users, without taking the rest of the record offline.
Policy & Procedure Changes
- No Out-of-State Data Sharing of Protected Information: Aside from specified exceptions, agencies must refuse to cooperate with out-of-state inquiries and must prohibit "knowingly disclosing, transmitting, transferring, sharing, or granting access to medical information in an electronic health records system, or through a health information exchange" to anyone outside California.
- Exclusions from the Data Exchange Framework (DxF): Aside from specified exceptions, reproductive health services, including abortion-related care, must be excluded from real-time data sharing under the California Health and Human Services Data Exchange Framework.
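The capabilities listed under System Security Changes and Policy & Procedure Changes above, brought together in one small reference design. This is an added example written for this page; it is not Exym's software and not statutory text. The class and role names, the two-letter state codes, the consent flag, the requester's location attribute and the sample entries are all assumptions made for illustration, and the statute's specified exceptions are not modelled.

```python
"""Reference design for the AB 352 capabilities this page lists: segregated
storage, role- and location-gated access, an out-of-state kill switch and
consent-gated HIE export. Added example, not Exym's code; all names and
sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Sensitivity(Enum):
    GENERAL = "general"
    # Contraception, abortion and abortion-related services, gender-affirming care.
    SENSITIVE_SERVICE = "sensitive_service"


@dataclass(frozen=True)
class Entry:
    entry_id: str
    text: str
    sensitivity: Sensitivity


@dataclass(frozen=True)
class Requester:
    user_id: str
    roles: frozenset
    state: Optional[str]  # two-letter state code; None = location unknown


class PermissionDenied(Exception):
    pass


@dataclass
class ClientRecord:
    client_id: str
    general: list = field(default_factory=list)
    # Segregated store: ordinary disclosures of the record never touch it.
    segregated: list = field(default_factory=list)
    hie_consent: bool = False  # client opt-in to share segregated entries with an HIE

    def add(self, entry: Entry) -> None:
        target = self.segregated if entry.sensitivity is Sensitivity.SENSITIVE_SERVICE else self.general
        target.append(entry)


class RecordService:
    """Mediates every read and export of a ClientRecord (hypothetical API)."""

    SENSITIVE_ROLE = "sensitive-services"

    def __init__(self) -> None:
        self.records: dict = {}
        self.out_of_state_access_enabled = True
        self.audit: list = []

    def disable_out_of_state_access(self) -> None:
        """Kill switch: cut non-California requesters off from segregated data
        while leaving the general record available."""
        self.out_of_state_access_enabled = False

    def _may_read_segregated(self, req: Requester) -> bool:
        if self.SENSITIVE_ROLE not in req.roles:
            return False
        if req.state == "CA":
            return True
        return self.out_of_state_access_enabled  # unknown location counts as out of state

    def read(self, client_id: str, req: Requester, include_sensitive: bool = False) -> list:
        rec = self.records[client_id]
        entries = list(rec.general)
        if include_sensitive:
            if not self._may_read_segregated(req):
                self.audit.append(("denied", req.user_id, client_id))
                raise PermissionDenied(f"{req.user_id} may not read segregated data")
            self.audit.append(("sensitive-read", req.user_id, client_id))
            entries.extend(rec.segregated)
        return entries

    def export_for_hie(self, client_id: str, destination_state: Optional[str]) -> list:
        """HIE payload: segregated entries are included only with client consent
        and only for a California destination (statutory exceptions not modelled)."""
        rec = self.records[client_id]
        payload = list(rec.general)
        if rec.hie_consent and destination_state == "CA":
            payload.extend(rec.segregated)
        self.audit.append(("export", client_id, destination_state, len(payload)))
        return payload


def build_sample_service() -> RecordService:
    """Constructed sample data: one general and one sensitive-service entry."""
    svc = RecordService()
    rec = ClientRecord("client-001")
    rec.add(Entry("e1", "Annual physical, no findings", Sensitivity.GENERAL))
    rec.add(Entry("e2", "Contraception counselling", Sensitivity.SENSITIVE_SERVICE))
    svc.records[rec.client_id] = rec
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    clinician = Requester("clin-ca", frozenset({"sensitive-services"}), "CA")
    print([e.entry_id for e in svc.read("client-001", clinician, include_sensitive=True)])
    print([e.entry_id for e in svc.export_for_hie("client-001", "CA")])
```

Two design choices matter more than the rest. Everything fails closed: a requester whose location is unknown is treated as out of state, and an export to an unknown destination never includes segregated entries. And the kill switch only touches the segregated store, so flipping it does not interrupt routine access to the general record, which is what makes it usable in an emergency rather than a last resort.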
Conclusion & Next Steps
It can be overwhelming to keep pace with changing legislation like AB 352 — especially when it requires sweeping changes across your agency’s systems, policies, and procedures.
At Exym, we're committed to supporting agencies through these challenges. Our comprehensive EHR software solution includes tools such as Sensitive Document Tagging and Automatic Data Sharing with Health Information Exchanges (HIEs) that align with AB 352. Documents tagged as sensitive are withheld from exports and from HIE sharing, and clients can complete a consent form at any time to change their information-sharing settings.
Don’t let compliance slow you down. Learn more about how Exym can protect your clients' sensitive health information, simplify your workflows, and ensure your agency stays ahead of regulatory changes—all while allowing you to focus on what matters most: delivering quality care to those you serve. Schedule a consultation with us here.
December 3, 2024