Assembly Bill No. 352 (AB 352) in California changed a lot about how private health information is handled and shared on January 1. It mostly affected information about reproductive health services. Under California’s current Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA), people have a basic right to privacy when making reproductive choices, and medical information should not be shared without permission.
AB 352 will have an effect on both standard and nontraditional health care organizations. However, because AB 352 changes several California laws and makes a new one, the changes are not all the same. It depends on which law it applies to. It is important to find out which California rules apply to your business: all of them, some of them, or none of them.
Security Measures for Certain Businesses
Businesses that store or maintain medical information electronically about gender-affirming services, abortion and services related to abortion, and birth control must (1) limit user access; (2) stop sharing medical information with people and organizations outside of California; (3) separate medical information from the rest of the patient’s record if the rest of the record needs to be shared because of a valid request; and (4) make sure that all of these things happen by July 1.[1] It’s not clear if this law applies to businesses outside of California that help people in California.
Prohibition on Cooperation With Out-of-State Inquiries
Health care providers, service plans, contractors, and employers are not allowed to help with any inquiries or investigations by another state or a federal law enforcement agency, or to give medical information to them in a way that would identify a person seeking or getting an abortion or services related to abortion that are legal in California, unless the request for medical information is allowed by law.
Prohibition on Disclosure of Medical Information
People who work for health care providers, service plans, pharmaceutical companies, contractors, and employers are not allowed to intentionally share or give access to medical information in an electronic health records system or through a health information exchange that could be used to identify a person and is related to someone who wants to have an abortion that is legal under C
Exclusion From Automatic Data Sharing
The bill says that health information about abortion and services related to abortion will not be immediately shared on the California Health and Human Services Data Exchange Framework, which is what the law requires.