On September 30, 2008, California Governor Arnold Schwarzenegger signed into law two bills that provide new oversight, stricter requirements, and increased penalties for breaches of medical data confidentiality. Sponsored by the California Department of Public Health (CDPH), AB 211 and SB 541 were prompted in part by disclosures that employees at the University of California, Los Angeles Medical Center had been “snooping” into celebrity medical data and by concerns about the unauthorized use of patient data for fundraising and marketing. The laws become effective on January 1, 2009.
These new laws break new ground by making providers, health plans, and individuals accountable for unauthorized access to medical information, not just for unlawful use or disclosure. AB 211 requires providers, health care service plans, and contractors to safeguard confidential medical information reasonably and prevent unauthorized access. It also creates a new state office to oversee the enforcement of state laws on medical information privacy. The companion bill, SB 541, increases fines for immediate jeopardy from the current maximum of $25,000 (in the absence of departmental regulations) to $100,000, and makes such fines applicable to clinics, health facilities, home health agencies, and hospices. It also sets forth specific administrative penalties for privacy breaches.
Both laws define unauthorized access as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (CMIA) (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information.”
AB 211
AB 211 adds Sections 130200 – 130205 to the California Health and Safety Code, which require every provider of health care to implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information and safeguard it from unauthorized access or unlawful access, use, or disclosure.
The law establishes the California Office of Health Information Integrity (CalOHII) within the California Health & Human Services Agency to enforce state law that mandates the confidentiality of medical information and to impose administrative fines for the unauthorized access, disclosure, or use of medical information. AB 211 authorizes CalOHII to levy administrative fines against any person and certain providers of health care (whether licensed or unlicensed), issue regulations, and refer violators to the appropriate licensing board for oversight. However, CalOHII may not assess administrative penalties against clinics, health facilities, home health agencies, or hospices licensed under the California Health and Safety Code that are governed by the provisions enacted in the companion bill, SB 541.
CalOHII is authorized to assess administrative penalties in the amounts specified in CMIA, which range from $25,000 to $250,000 for violations. In assessing fines, CalOHII is directed to consider factors such as the defendant's efforts to comply with the law; the nature and seriousness of the conduct; the harm to the patient, enrollee, or subscriber; the number of violations; the willfulness of the misconduct; the persistence of the misconduct; the length of time over which the misconduct occurred; and the defendant's assets, liabilities, and net worth.
SB 541
SB 541 amends Sections 1280.1 and 1280.3 and adds Section 1280.15 to the California Health and Safety Code. The law extends the administrative penalty provisions for immediate jeopardy — that currently apply solely to hospitals — to clinics, health facilities, home health agencies, and hospices. It also increases the amount of the administrative penalties for immediate jeopardy (in the absence of regulations) from $25,000 for an immediate jeopardy deficiency to a graduated scale of a maximum of $50,000 for the first administrative penalty, $75,000 for the second subsequent administrative penalty, and $100,000 for the third and every subsequent violation. The CDPH can assess higher penalties if it issues regulations to implement these provisions. SB 541 defines the term “immediate jeopardy” as a situation in which the licensee's noncompliance with one or more requirements of licensure has caused, or is likely to cause, serious injury or death to the patient.
Under this law, clinics, health facilities, home health agencies, and hospices also must safeguard confidential information in accordance with California Health and Safety Code Section 130203. SB 541 gives the CDPH the authority to assess administrative penalties for privacy breaches. CDPH may assess fines of up to $25,000 per patient whose medical information was accessed, used, or disclosed without authorization, and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient's medical information.
SB 541 also requires the specified health care providers to report all incidents of unlawful or unauthorized access to, use, or disclosure of a patient's medical information. The reports must be made to CDPH and to the affected patient (or the patient's representative) within five days after detection of the breach. The clinic, health facility, agency, or hospice may be fined $100 per day for failure to report. The total combined penalty assessed under these provisions may not exceed $250,000 per reported event.
Both of these laws make it considerably more important for a much wider range of health care providers, not only hospitals, to examine privacy, security, and quality of care issues. Many providers probably already have policies in place that address these issues. Even so, providers will find it far more critical to focus their compliance programs on these issues, including the following:
AB 211
- Ensure that policies prohibit unauthorized access, rather than merely “unlawful” access to medical information
- Assess security measures, including administrative, technical, and physical safeguards for medical information
- Educate employees on privacy laws and the provider's policies on privacy of medical information
- Implement robust security audits of access to medical information that identify unauthorized access
- Take appropriate, documented action should unauthorized access to medical information occur
- Include access to medical information within the provider's compliance program and encourage reporting by employees of suspected unauthorized access
SB 541
- Understand state reporting laws
- Report when legally required to do so
- Assess all events that involve noncompliance with licensure that causes, or is likely to cause, serious injury or death to the patient
- Look for opportunities for improvement and take appropriate action if reportable events occur
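The two compliance items that most directly call for tooling are the access audit (identifying unauthorized access, i.e. viewing without a care relationship or other lawful use) and the five-day notification to CDPH and the patient after a breach is detected. The following is an added example, not code from the article or from CDPH, that reviews a small constructed EHR audit log, flags accesses that have neither a documented treatment relationship nor a lawful reason code, groups the findings per patient (the unit on which SB 541 fines are assessed), and computes the notification deadline from the detection date. The log format, the field names, the `CARE_TEAM` table, and the set of reason codes treated as lawful are all assumptions for the example; a real deployment would source them from the provider's EHR and its own CMIA policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: users with a documented treatment relationship per patient.
# In practice this comes from the EHR's encounter or care-team data.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.patel"},
    "P1002": {"dr.chen"},
}

# Reason codes the example treats as lawful use (assumption; map these to the
# provider's own policy under CMIA in a real deployment).
LAWFUL_REASONS = {"TREATMENT", "PAYMENT", "OPERATIONS"}

# Constructed sample audit log: timestamp|user|patient_id|action|reason_code
AUDIT_LOG = """\
2009-01-05T09:12:00|dr.lee|P1001|VIEW|TREATMENT
2009-01-05T09:40:00|rn.patel|P1001|VIEW|TREATMENT
2009-01-05T13:02:00|clerk.jones|P1002|VIEW|NONE
2009-01-05T13:05:00|dr.chen|P1002|VIEW|TREATMENT
2009-01-06T08:00:00|billing.ortiz|P1001|VIEW|PAYMENT
2009-01-06T22:17:00|clerk.jones|P1001|VIEW|NONE
"""


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    action: str
    reason: str


def parse_log(text: str) -> list[Access]:
    """Parse pipe-delimited audit lines; malformed lines are rejected loudly
    rather than silently dropped, since a gap in the audit trail is itself a finding."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        records.append(Access(*fields))
    return records


def is_authorized(a: Access) -> bool:
    """Authorized if the user is on the patient's care team (direct need for
    treatment) or the access carries a lawful reason code."""
    on_team = a.user in CARE_TEAM.get(a.patient, set())
    return on_team or a.reason in LAWFUL_REASONS


def find_unauthorized(text: str) -> list[Access]:
    """The audit step: every access that the policy cannot justify."""
    return [a for a in parse_log(text) if not is_authorized(a)]


def notification_deadline(detected_iso: str, days: int = 5) -> str:
    """SB 541: report to CDPH and the patient within five days after detection.
    The example counts calendar days (assumption); adjust if the provider's
    counsel reads the requirement differently."""
    return (date.fromisoformat(detected_iso) + timedelta(days=days)).isoformat()


def breach_report(text: str, detected_iso: str) -> dict:
    """Group unauthorized accesses by patient and attach the notification deadline,
    which is the shape of record a compliance officer needs to act on."""
    per_patient: dict[str, list[tuple[str, str]]] = {}
    for a in find_unauthorized(text):
        per_patient.setdefault(a.patient, []).append((a.ts, a.user))
    return {
        "detected": detected_iso,
        "notify_by": notification_deadline(detected_iso),
        "patients": per_patient,
    }


if __name__ == "__main__":
    rep = breach_report(AUDIT_LOG, "2009-01-07")
    print(f"detected {rep['detected']}; notify CDPH and patients by {rep['notify_by']}")
    for patient, hits in rep["patients"].items():
        for ts, user in hits:
            print(f"  {patient}: {user} at {ts} had no care relationship or lawful reason")
```

On the sample log the two views by `clerk.jones` are flagged because the user is on neither patient's care team and the access carries no lawful reason, while the billing view with a `PAYMENT` code is not. The per-patient grouping matters because SB 541 fines are assessed per patient and per subsequent occurrence, and the deadline is computed from detection, not from the date of the access itself.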