AB-352 Compliance: Tailoring Data Classification for Enhanced PHI Protection

In this second installment of our blog series, we dive into the critical process of customizing data classification technologies to accurately identify and manage PHI data related to abortion, gender-affirming care, and contraception, as mandated by AB-352. With the July 1, 2024 deadline approaching, it's essential for organizations to effectively discover and map where this PHI data resides within their systems.

Discovering and Mapping PHI Data

The first step in ensuring compliance with AB-352 involves a thorough discovery and mapping of PHI data across an organization. This includes considering both unstructured data sources such as file shares, and cloud-based file collaboration solutions like OneDrive, SharePoint Online, and Teams, as well as semi-structured datasets like emails within Exchange Online, and structured datasets in Microsoft Databases.

Structuring Classification Policies

To effectively identify relevant PHI data, classification policies must be structured to recognize both contextual and unique identifiers:

1. Contextual Information: This involves identifying data that pertains to PHI, particularly concerning AB-352. Critical elements include ICD-10 codes (International Classification of Diseases), CPT codes (Current Procedural Terminology), and HCPCS codes (Healthcare Common Procedure Coding System), along with terminology and keywords related to abortion, family planning, and gender-affirming care. To enhance accuracy, these keywords should be found in proximity to the mentioned codes.

2. Unique Identifiers: These are crucial for associating contextual information with an individual. This includes Full Name, Social Security Number, Email Address, Medical Record Numbers (MRN), Medicare Beneficiary Identifiers (MBI), Health Plan Beneficiary Numbers (HPBN), etc.

Data Correlation and Technology Support

Leveraging your existing classification tool, ensure it can identify both contextual and unique identifiers in close proximity to establish a correlation. Additionally, it should support scanning various document types, including OCR images and PDF files, across multiple platforms such as file shares, cloud-based platforms (OneDrive, SharePoint Online, Teams), structured datasets (MS SQL, Oracle, etc.), and email platforms like Exchange Online.

Introducing Part 3: Securing PHI Related to AB-352

Having established the framework for identifying sensitive PHI data, the next step is securing it. Our upcoming third blog will guide you through the crucial steps of securing this data. We'll explore:

• Classify, Categorize, Own: Understanding the nature of your data is vital. We'll discuss the importance of data classification and ownership to ensure appropriate handling and protection.

• Monitoring Data Usage: It's imperative to monitor how data is used, whether at rest or in transit. We'll focus on tools and techniques for effective data monitoring.

• Proactive Risk Remediation: Finally, we will delve into taking control of your data's security, establishing comprehensive data access controls, and other critical proactive measures.

Stay tuned for our final blog in this series, where we consolidate our understanding and move towards ensuring the utmost security of PHI data in compliance with AB-352.