California’s Medical Privacy Laws
Act A.B. 211 and Act S.B. 541
Effective January 1, 2009, two bills out of Sacramento, A.B. 211 and S.B. 541, became law, adding to the HIPAA and HITECH Act compliance requirements. These California Medical Privacy Laws (often called "California HIPAA") put far more stringent regulations in place for entities handling ePHI (Electronic Protected Health Information), creating additional requirements for health care providers and facilities operating in California to specifically protect against unlawful or unauthorized access to patient medical information. The HIPAA Security and Privacy Rules, a comprehensive risk assessment, and a BCDR plan all still apply; keep in mind, though, that the focus of HIPAA and the Privacy Rule is unauthorized use or disclosure, whereas the California laws also reach unauthorized access (viewing) itself.
California Medical Privacy Laws
Beyond this focus on unlawful and unauthorized access, the California Medical Privacy Laws do two additional things. First, A.B. 211 created an agency to enforce it: the California Office of Health Information Integrity (OHII). The OHII not only enforces A.B. 211 but also levies fines for violations, from $1,000 up to a maximum of $250,000 per violation, against any provider of health care that fails to "establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information" and to "reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure." Providers of health care must also prevent "unauthorized access," defined as "the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use" as permitted under California law.

Second, S.B. 541 is enforced by the California Department of Public Health (CDPH). Fines for violating S.B. 541 start at $25,000 and again go up to a maximum of $250,000, and that is per incident. The legislature gave the agency teeth and reduced the grace period for reporting a violation to five days. The violations outlined in S.B. 541 are similar to those in A.B. 211; the law applies to any clinic, home health agency, hospice, or health facility and requires those facilities to "prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information." Failure to report a disclosure within five days is itself a violation, per record or incident. Non-compliance can get very expensive very quickly, and this is on top of the fines imposed for violations of HIPAA under the HITECH Act.