
In the aftermath of a series of serious data breaches affecting many Californians in the last few years, Governor Arnold Schwarzenegger has signed legislation to strengthen patient privacy law and address leaks of confidential health information. The new laws are Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211), which give the state the ability to assess and enforce fines for unauthorized disclosure of patient information. The new legislation augments the federal Health Insurance Portability and Accountability Act (HIPAA) standards already in place, and sharply increases the fines state agencies can impose on rule breakers. The laws were approved by the Governor on September 30, 2008, and take effect January 1, 2009.
In addition, AB 211 creates a new State Office of Health Information Integrity (OHII) to oversee health data privacy and enforce the statutes governing confidentiality of health care data. The OHII will have the task of levying administrative fines on non-compliant entities. The bills state the purpose of the new office as being "to ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information." The new statutes amend and augment sections of the California Health and Safety Code.
The fines that can be imposed range from $25,000 to $250,000 against health facilities and individuals for each instance in which they inappropriately obtain, use or disclose medical information. Under the old law, there were no set penalties or administrative actions available to the state against organizations that failed to prevent such unauthorized access, use and disclosure of private patient information.
SB 541 sets the new fine scale for health care organizations whose data privacy and security violations potentially put patients at immediate risk of injury or death. Under the law, fines go up to $50,000 for the first administrative penalty, up to $75,000 for the second, and up to $100,000 for the third and every subsequent violation.
An important change in the law is that it makes actionable not only data taken illegally by outsiders, called "unlawful" access, but also the misuse of patient data by insiders who have legitimate access to the information through their jobs but no permission to use it for a given purpose. This is termed "unauthorized access" to patient health data. Health care organizations must therefore implement controls not only to protect information from malicious outsiders, but also to guard against data misuse by their own employees.
These employee-oriented data privacy rules came into being, in part, after some notorious incidents involving celebrities who were treated in California health care facilities and who had their personal health data exploited by unscrupulous workers. For example, a UCLA Medical Center employee was charged with accessing without authorization the confidential medical records of almost 1,000 individuals, including Maria Shriver, Governor Schwarzenegger's wife. Thirty other celebrities also had their privacy violated. And this was just one of 127 UCLA employees found to have at least viewed patient data without permission.
The law requires health facilities and agencies to report any unlawful or unauthorized access to, use of, or disclosure of patient medical information. The OHII can fine an organization that fails to report such a breach up to $100 for each day of unlawful or unauthorized access, use or disclosure, up to a maximum of $250,000.
California privacy laws heighten need for HIPAA compliance