On January 1, 2009, California hospitals, clinics, home health agencies, and hospices (collectively “health facilities”) must comply with new privacy requirements requiring reporting of breaches and prohibiting certain activities (S.B. 541 and A.B. 211).
Reporting Breaches
Under S.B. 541, health facilities must report any unlawful or unauthorized access, use, or disclosure of patient medical information to both the California Department of Public Health (DPH) and the affected patient. The notification must be made no later than five days after the health facility detects the breach. This is a change from existing law, which requires only that notification be made without unreasonable delay and does not require reporting to DPH. In addition to the new notification requirements, these laws cover medical information in any medium or form, including hard copy. This is an expansion from existing law, which limits coverage to electronic personal information.
Prohibiting Unauthorized Access
Existing state law, the Confidentiality of Medical Information Act, already prohibits unlawful use or disclosure of patient medical information. The new laws additionally prohibit any unauthorized access, use, or disclosure of medical information. While “unauthorized” is not defined comprehensively in the statute, it includes inappropriate access, review, or viewing of a patient’s medical information without a direct need for medical diagnosis, treatment, or other lawful use. In other words, the new laws cover “snooping” even when patient information is not used or disclosed.
New Enforcement
S.B. 541 and A.B. 211 establish a new state enforcement agency, the Office of Health Information Integrity (OHII), mandate new security safeguards, and greatly increase penalties for violations. OHII will have authority to make regulations and the power to assess and impose penalties for patient privacy violations. Existing law allows only the Attorney General or a district, county, or city attorney to bring an action for a breach of medical information confidentiality. Health facilities’ privacy protocols may come under heightened scrutiny and the likelihood of enforcement against violators may increase. Since the new state reporting requirements and prohibitions are more stringent than standards under the Health Insurance Portability and Accountability Act, they will not be preempted by federal law.
Action Steps
In response, health facilities in California should review their reporting procedures to ensure that they can provide notification to DPH and the patient within the five-day window. Health facilities should also confirm that their written policies adequately restrict access as well as use and disclosure of patient medical information. In addition, administrative, technical, and physical safeguards to protect the privacy of medical information may need to be established, confirmed, or enhanced.
If you have questions or would like further information, please contact any of the attorneys listed on this page.