HIPAA Compliance Strategies
Featured Health Business Daily Story, February 25, 2008

California Expands Its Data Breach Notification Law to Include Medical Information and Insurance Data; Other States Likely to Follow

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

California's innovative data security breach notification law now also applies to medical information and health insurance data, thanks to a bill that expanded the regulation, which was signed by Gov. Arnold Schwarzenegger (R) in October and took effect Jan. 1. One expert says other states likely will consider this kind of expansion for their own laws.

"Because California has been a bellwether state for privacy and security regulation and S.B. 1386 was a landmark piece of legislation, I would expect other states to take note," says San Francisco attorney Reece Hirsch, referring to the state's original law, passed in 2002. It was the first data security breach law to be approved by a state legislature and was enacted after the state's payroll database was hacked into and victims weren't notified for nearly six weeks.

The law requires any agency, business or person doing business in the state that owns or licenses computerized data containing personal information to disclose any breach of security of the system. "The disclosure shall be in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," the law states.

Because there is no federal regulation covering breach notification, the country experienced a wave of state laws passed after California's S.B. 1386. Twenty-two states approved similar provisions in 2005 alone. Hirsch says there are bills "languishing in committee" at the federal level, but passage in 2008 is not likely because it is an election year, and disagreements remain regarding certain key elements of the legislation. So state laws will have to fill the gap in the meantime, and California is the first state, to his knowledge, to expand its statute to specifically apply to medical information.

The new law expansion, A.B. 1298, has three main parts, says Hirsch.

First, security breach notification rules now apply to two new categories: medical information and health insurance information. Providers' previous breaches may not have triggered an obligation to disclose, even if data included medical information. "Prior to Jan. 1, the definition of 'personal information' was quite specific and somewhat narrow. Generally, if the breach didn't involve a Social Security number or an account number, there was no legal obligation to notify," explains Hirsch, who is a partner with Sonnenschein Nath & Rosenthal LLP.

"Medical information" is defined in the legislation as any information on a person's medical history, mental or physical condition or medical treatment, or diagnosis by a health care professional. "Health insurance data" is defined as a policy number, subscriber identification number, any unique identifier used by an insurer or any information in a person's application and claims history.

"This amendment to the breach law really highlights the new focus on medical identity theft, which is a significant form of fraud that has been under the radar a little, but is quickly coming into focus," Hirsch says.

A second aspect of A.B. 1298 expands the state's medical privacy law to apply to a broader range of technology companies that now are beginning to offer personal health records (PHRs), Hirsch says. "Previously, [the state Confidentiality of Medical Information Act] covered any business that maintained medical information for the primary purpose of making it available for treatment. But as big companies such as Microsoft and Google started to express interest in PHR products, [legislators] realized that those companies are not primarily about PHRs and didn't want them to escape regulation. It's a fairly small change, but [one that's] needed to close a loophole. It also reflects the recent movement toward imposing privacy regulation on other types of health care technology ventures, such as regional health information organizations," Hirsch says. There have been proposals at the federal level that HIPAA be expanded to apply to a variety of technology companies, but that is still an idea just being kicked around, he adds.

The third major aspect of the expansion deals with California's security freeze law, which a state court recently ruled was unconstitutional to the extent that it allowed consumers to block the dissemination of public records in credit-report files, Hirsch says. The change allows public records to be disclosed, even when a consumer has requested a security freeze. The change was needed to avoid further challenges that might lead to the law getting struck down in its entirety, Hirsch explains.