As a result of recent breaches, including breaches of health information and of information held by health insurers, a great deal of attention has recently been focused on state data breach notification requirements. Most States have general data breach notification requirements that apply to all data breaches, including those involving health information. A few States have specific data breach laws applicable to health information or to certain types of entities in the health care/health insurance industry. California is one such State, and it has made several significant revisions to its statute, California Health and Safety Code § 1280.15, effective January 1, 2015 (A.B. 1755).
Section 1280.15 is applicable to clinics, health care facilities, home health agencies, and hospices, and requires such entities to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information (as that term is defined in California Civil Code § 56.05). It also requires such entities to report “any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information” to the California Department of Public Health, as well as to the affected patient (or the patient’s representative). Prior to January 1, 2015, such reports/notices had to be made within five business days after the unlawful or unauthorized access, use, or disclosure had been detected by the entity. Now, with the amendments made by A.B. 1755, the entity has 15 business days to provide such notice to the Department of Public Health and to such patients. (It also has 15 business days after the date designated as the end of any law enforcement delay to make the required report/notification.)
A.B. 1755 also amended the patient notice provision (section 1280.15(b)(2)) to require the clinic, health care facility, home health agency or hospice to provide the report to the patient or the patient’s representative by an alternative means or at an alternative location – if the patient has made a written request for confidential communications, and the entity has reasonably accommodated the request, under the federal HIPAA Privacy Rule (45 CFR § 164.522(b)). In addition, under the amendment, notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email.
In addition to these amendments, A.B. 1755 amended section 1280.15(a) to make it clear that the Department of Public Health has full discretion to consider all factors not only in determining the amount of a penalty to impose for a violation, but also in determining whether to investigate an entity under section 1280.15(a) and whether to impose any penalty or no penalty.