Introduction
Following the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and the constitutional right to abortion, many states moved to ban or severely restrict access to abortion services, often with criminal penalties. Due to these growing restrictions, more individuals are now traveling to states where reproductive health care remains legal, including the state of California.
Abortion services are protected in California, but the flow of health information across state lines poses legal risks when a patient’s abortion history is made available in states with restrictions through electronic health record (EHR) systems or health information exchange (HIE). Federal privacy standards are established through the Health Insurance Portability and Accountability Act (HIPAA), but limitations remain that can permit abortion-related protected health information (PHI) to be disclosed in some instances. The Biden administration issued a final rule in April 2024 to help address some of these gaps,[1] and states have additionally taken action with their own privacy laws.
To mitigate risks for patients and providers in California, Governor Gavin Newsom signed Assembly Bill 352 (AB 352) into law in late 2023, prohibiting patient abortion information from being shared out-of-state without authorization and safeguarding how reproductive health care data[2] is electronically stored and shared.
Quickly approaching is the July 2024 deadline for California entities to comply with AB 352’s technical capabilities requirements. With limited state guidance on compliance expectations and enforcement, challenges and questions remain for health care providers, health plans, EHR vendors, HIEs, and individuals accessing reproductive health care in California. To address these issues, Connecting for Better Health hosted an AB 352 workshop with coalition partners in April 2024 to identify challenges and key considerations to advance implementation.
The Current State of Implementation
Patient charts are complex and contain information throughout, including lab results and unstructured notes, that can indicate pregnancy and pregnancy loss, which may result in the disclosure of abortion-related information to entities outside California. The April 2024 workshop highlighted efforts underway to move towards implementation amid compliance challenges. To lead the workshop discussion, Connecting for Better Health was joined by the following experts:
- Lisa Matsubara, JD of Planned Parenthood Affiliates of California (PPAC) opened the workshop explaining the rationale behind AB 352. The state privacy law was pursued to establish abortion-related data in California as an information blocking privacy exception under the 21st Century Cures Act. She also shared that similar legislation is being considered in other states, prompting EHR vendors to examine technical advancements.
- Andrea Frey, JD of Hooper Lundy & Bookman discussed the legal implications of AB 352 and the HIPAA final rule. These mandates emerged at a time when organizations must balance the push for interoperability and access to information with patient privacy considerations, which remain critical to ensure that patients are not discouraged from seeking care. Regulated entities will need to carefully evaluate the information they collect and maintain to determine whether it relates to reproductive health care and is therefore subject to the new requirements. Operationally, such organizations may need to develop clear policies specifying when reproductive health care information can and cannot be disclosed, in addition to mechanisms to safeguard this information.
- Dr. Steven Lane of Health Gorilla and Dr. Raymonde Uy of the National Association of Community Health Clinics presented their value set initiative to identify clinical codes to support implementation of AB 352 and the HIPAA final rule. Now available in the National Library of Medicine Value Set Authority Center, the value set can be a tool to begin identifying reproductive health care data in an organization’s EHR system.
AB 352 Implementation Considerations
Additional State Action is Needed
While the state has released high-level guidance on AB 352, including APL 23-025 and AFL 24-03, to notify impacted stakeholders of the requirements, it is not clear which state agency will be responsible for holding organizations accountable. As implementation continues, the state should release guidance to clarify expectations and consider the following:
- Establish a CalHHS Reproductive Health Care Privacy State Task Force
- Develop a process to review and address complaints for accountability
- Clarify state oversight and compliance expectations
Considerations To Enable EHR Capabilities
Evidence indicates that reproductive health care information is often documented in different ways across providers, organizations, communities, and even states. Organizations will need to assess how this information is captured in their EHR systems to inform tailored strategies for safeguarding this sensitive information.
- Segmentation of discrete data can begin by identifying structured codes and elements potentially related to reproductive health care, analyzing the presence of this information, tagging it, and then enforcing privacy restrictions.
- Unstructured elements will require different considerations to locate and protect potentially sensitive information, which may involve more manual reviews. To limit access and disclosures, generating discrete data linked to unstructured elements can be beneficial to support segmentation strategies.
- Consent management and standardized data elements, such as updated versions of the United States Core Data for Interoperability (USCDI), should also be explored to support implementation efforts.
Emerging Practices To Act In Good Faith
During the workshop, coalition partners shared the following AB 352 implementation strategies to help prevent the disclosure of abortion-related information outside of California:
- Flag disclosure requests from all out-of-state entities and for data from certain providers likely to document this information.
- Immediately protect unstructured data elements with clear privacy policies.
- Consider incorporating manual reviews for unstructured data elements.
- Assess systems for how reproductive health care data is documented to inform and tailor privacy strategies.
- Explore other solutions like sensitive encounter tools and artificial intelligence to identify, tag, and secure information related to reproductive health care.
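The segmentation steps described earlier (identify, tag, enforce), together with the workshop practices of flagging out-of-state requests and protecting unstructured notes by default, as an added Python example that is not part of the original brief or any vendor's product. The codes, the `Entry` record shape and all function names are assumptions constructed for illustration; real codes would come from the value set an organization adopts.

```python
from dataclasses import dataclass

# Constructed placeholder codes, not real clinical codes; a deployment would
# load the codes from the value set its organization has adopted.
SENSITIVE_CODES = {"EXAMPLE-ABORTION-001", "EXAMPLE-CONTRACEPTION-002"}

@dataclass
class Entry:
    entry_id: str
    kind: str                  # "coded" (discrete) or "note" (unstructured)
    code: str = ""             # set for discrete entries
    linked_codes: tuple = ()   # discrete codes attached to a note, if any

def is_segregated(entry):
    """Tag step: True when the entry belongs in the segregated partition."""
    if entry.kind == "coded":
        return entry.code in SENSITIVE_CODES
    if not entry.linked_codes:
        return True            # note with no discrete data: protect by default
    return any(c in SENSITIVE_CODES for c in entry.linked_codes)

def needs_manual_review(entries):
    """Notes protected only by the default, so a reviewer should classify them."""
    return [e.entry_id for e in entries if e.kind == "note" and not e.linked_codes]

def disclose(entries, requester_state, patient_authorized, access_disabled=False):
    """Enforce step. Returns (released_ids, withheld_ids).
    Statutory exceptions and per-user access limits are not modeled here."""
    out_of_state = requester_state.strip().upper() != "CA"
    released, withheld = [], []
    for e in entries:
        blocked = is_segregated(e) and (
            access_disabled or (out_of_state and not patient_authorized))
        (withheld if blocked else released).append(e.entry_id)
    return released, withheld

# Constructed sample chart.
SAMPLE = [
    Entry("e1", "coded", code="EXAMPLE-ABORTION-001"),
    Entry("e2", "coded", code="EXAMPLE-LIPID-PANEL"),
    Entry("e3", "note"),
    Entry("e4", "note", linked_codes=("EXAMPLE-LIPID-PANEL",)),
    Entry("e5", "note", linked_codes=("EXAMPLE-CONTRACEPTION-002",)),
]

if __name__ == "__main__":
    print(disclose(SAMPLE, "TX", patient_authorized=False))
    print(needs_manual_review(SAMPLE))
```

Linking discrete codes to a note, as `e4` shows, is what lets a non-sensitive note leave the default-protected set without a manual review.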
Connecting for Better Health is committed to gathering and reporting feedback on AB 352’s implementation requirements to provide state agencies with the necessary information to develop appropriate guidance. For any questions, concerns, or feedback regarding AB 352, please contact us at info@connectingforbetterhealth.com.
Overview of Reproductive Health Care Privacy Policy Actions
Policy | Compliance Date | Regulated Entity | Affected Data Types | Policy Impact |
AB 352 | July 1, 2024 | Businesses that Store or Maintain Electronic Medical Information on Behalf of California Health Care Providers, Health Plans, Pharmaceutical Companies, Certain Contractors, and Employers | Gender-Affirming Care, Abortion, Abortion-Related Services, and Contraception | Must develop the following capabilities to protect this sensitive information: ● Ability to limit user access ● Prevent disclosures to out-of-state persons and entities ● Segregate this data from the rest of the patient’s electronic record ● Ability to automatically disable access to segregated information |
AB 352 | January 1, 2024 | DxF Participants | Abortion and Abortion-Related Services | California’s Data Exchange Framework (DxF) cannot require participants to exchange this information under the DxF |
AB 352 | January 1, 2024; Safe Harbor for Health Care Providers until January 1, 2026 | California Health Care Providers, Health Plans, Pharmaceutical Companies, Certain Contractors, and Employers | Abortion and Abortion-Related Services | May not knowingly share this information with out-of-state entities in an EHR system or through an HIE without patient authorization, except where an exception applies. Establishes safe harbor for health care providers acting in good faith from liability or enforcement until 2026 |
HIPAA Privacy Final Rule | December 23, 2024[3] | HIPAA Covered Entities & Business Associates | All PHI | Establishes a new category of purpose-based prohibited PHI uses and disclosures. Prohibits PHI use or disclosure for the purpose of conducting investigations or imposing liability on a person for merely seeking, obtaining, providing, or facilitating reproductive health care that is lawfully provided, either under state or federal law, with presumption[4] |
HIPAA Privacy Final Rule | December 23, 2024[3] | HIPAA Covered Entities & Business Associates | PHI related to Reproductive Health Care[5] | To use or disclose PHI potentially related to reproductive health care, a valid attestation from the requester is required to affirm that the information is not for a prohibited purpose |
[1] The final rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy, prohibits the disclosure of PHI for purposes of conducting criminal or civil investigations or imposing liability in relation to reproductive health care that is lawfully provided. It additionally requires attestations that PHI requests related to reproductive health care are not for a prohibited purpose. The final rule’s compliance date is December 23, 2024.
[2] AB 352’s technical requirements for businesses to limit access to reproductive health care information include abortion and abortion-related services, gender-affirming care, and contraception information.
[3] The final rule’s compliance date for provisions affecting Notice of Privacy Practices is February 16, 2026.
[4] Reproductive health care provided is presumed lawful unless the HIPAA covered entity or business associate has actual knowledge that services were not provided under lawful circumstances, or the requester of the PHI supplies factual information that demonstrates a substantial basis for determining services were not provided under lawful circumstances.
[5] While OCR intends for the final rule to be interpreted broadly and inclusive of the full range of services related to an individual’s reproductive health, gender-affirming care is not specifically protected under the new HIPAA Privacy Rule amendments.