California Imposes Additional Privacy Protection Obligations on Hospitals, Clinics, Home Health Agencies, and Hospices

January 9, 2009 | Authors: John O. Chesley; Mitchell J. Olejko
Law Firm: Ropes & Gray LLP - San Francisco Office

On January 1, 2009, California hospitals, clinics, home health agencies, and hospices (collectively “health facilities”) must comply with new privacy requirements that mandate breach reporting and prohibit certain activities (S.B. 541 and A.B. 211).

Reporting Breaches

Under S.B. 541, health facilities must report any unlawful or unauthorized access, use, or disclosure of patient medical information to both the California Department of Public Health (DPH) and the affected patient. The notification must be made no later than five days after the health facility detects the breach. This is a change from existing law, which requires only that notification be made without unreasonable delay and does not require reporting to DPH. In addition to the new notification requirements, these laws cover medical information in any medium or form, including hard copy. This is an expansion from existing law, which limits coverage to electronic personal information.

Prohibiting Unauthorized Access

Existing state law, the Confidentiality of Medical Information Act, already prohibits unlawful use or disclosure of patient medical information. The new laws additionally prohibit any unauthorized access, use, or disclosure of medical information. While “unauthorized” is not defined comprehensively in the statute, it includes inappropriate access, review, or viewing of a patient’s medical information without a direct need for medical diagnosis, treatment, or other lawful use. In other words, the new laws cover “snooping” even when patient information is not used or disclosed.

New Enforcement

S.B. 541 and A.B. 211 establish a new state enforcement agency, the Office of Health Information Integrity (OHII), mandate new security safeguards, and greatly increase penalties for violations. OHII will have authority to make regulations and the power to assess and impose penalties for patient privacy violations. Existing law allows only the Attorney General or a district, county, or city attorney to bring an action for a breach of medical information confidentiality. Health facilities’ privacy protocols may come under heightened scrutiny, and the likelihood of enforcement against violators may increase. Since the new state reporting requirements and prohibitions are more stringent than standards under the Health Insurance Portability and Accountability Act, they will not be preempted by federal law.

Action Steps

In response, health facilities in California should review their reporting procedures to ensure that they can provide notification to DPH and the patient within the five-day window. Health facilities should also confirm that their written policies adequately restrict access as well as use and disclosure of patient medical information. In addition, administrative, technical, and physical safeguards to protect the privacy of medical information may need to be established, confirmed, or enhanced.