California Proposes New Privacy Breach Protections: Will Other States Follow The Trend?

Wednesday 10 September 2008
Last month the LA Times reported on new legislation (AB 211 and SB 541) moving through the California Legislature that would increase protections around confidential medical and health information and create a new state Office of Health Information Integrity to oversee compliance, investigate breaches and assess fines.

The article cites the high-profile celebrity snooping cases involving the medical records of Britney Spears, Farrah Fawcett and California First Lady Maria Shriver as recent examples highlighting the need for more protection. Governor Schwarzenegger has a personal interest in signing this bill if it gets through the Legislature. The Health Law Prof Blog provides additional insight and information on the bills.

As is often the case, California is a leader in new legislative initiatives, and I suspect we will see other states follow its lead this coming legislative session by implementing or revising their breach notification and health information privacy laws.

For more information on the bills, see the following.

AB 211 (August 22, 2008 amendment) currently appears to be in the final stages of passage by the California State Assembly. The bill creates a new Office of Health Information Integrity and gives the office powers to levy administrative fines and penalties. The bill also authorizes the office to forward a potential violation to the appropriate licensing body.

Following is the Legislative Counsel's Digest summary version of AB 211 (amended August 22, 2008):
AB 211, as amended, Jones. Public health.

Existing law permits the establishment of the position of county health officer for the performance of various duties and powers relating to public health.

This bill would authorize the local health officer to provide assistance to cities and counties with regard to public health issues as they relate to local land use planning and transportation planning processes.

Existing law prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient of the provider or an enrollee or subscriber of the health care service plan without authorization, except as specified. Existing law makes it a misdemeanor to violate these provisions resulting in economic loss or personal injury to a patient, as specified. In addition, existing law authorizes administrative fines and civil penalties against any person or entity that negligently discloses, or knowingly and willfully obtains, discloses, or uses medical information in violation of these provisions, as specified. Existing law specifies the entities that may bring a civil action to recover civil penalties.

This bill would require every provider of health care, as defined, to implement appropriate specified safeguards to protect the privacy of a patient's medical information. The bill would require every provider of health care to monitor employees who have access to patient medical information, as specified, to ensure compliance. The bill would also require a provider to reasonably safeguard confidential medical information from unauthorized or unlawful access, use, or disclosure. The bill would establish within the California Health and Human Services Agency the Office of Health Information Integrity to assess and impose administrative fines for a violation of these provisions, as provided. The director would be appointed by the Secretary of California Health and Human Services. The bill would establish the Internal Health Information Integrity Quality Improvement Account for the deposit of funds derived from these penalties. Upon appropriation by the Legislature, the bill would authorize money in the account to be used to support quality improvement activities. The bill would also authorize the director to send a recommendation for further investigation of, or discipline for, a potential violation to the licensee's relevant licensing authority.

This bill would provide that any costs created pursuant to this act associated with the implementation and operation of the Office of Health Information Integrity shall be funded through non-General Fund sources.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.


SB 541 passed the Senate on August 29, 2008 and is now in enrolled status. The bill creates specific penalties for unlawful or unauthorized access to patient medical information and sets the fines at $25,000 per patient with a $250,000 cap per reported event. It also sets a per-day fine for failing to notify patients impacted by a breach after 5 days.

Following is the Legislative Counsel's Digest summary version of SB 541:
SB 541, Alquist. Clinics, health facilities, home health agencies, and hospices: administrative penalties and patient information.

Existing law provides for the licensure and regulation of clinics, health facilities, home health agencies, and hospices by the State Department of Public Health. A violation of these provisions is a misdemeanor.

Existing law authorizes the department to assess a licensee of a general acute care hospital, an acute psychiatric hospital, or a special hospital an administrative penalty not to exceed $25,000 if the licensee receives a notice of deficiency constituting an immediate jeopardy to the health or safety of a patient and is required to submit a plan of correction. Existing law makes these provisions applicable to incidents occurring on or after January 1, 2007.

This bill would increase this administrative penalty to be up to $100,000 for incidents occurring on and after January 1, 2009. This bill would set the administrative penalties, for incidents on and after January 1, 2009, at up to $50,000 for the first administrative penalty, up to $75,000 for the 2nd subsequent administrative penalty, and up to $100,000 for the 3rd and every subsequent violation.

Existing law also provides that, upon the adoption of specified regulations, the administrative penalty for an immediate jeopardy violation may be up to $50,000. If the violation does not constitute an immediate jeopardy violation, the penalty may be up to $17,500, except that no penalty shall be assessed for a minor violation.

Under existing law, moneys collected by the department as a result of the imposition of the above penalties are required to be deposited into the Licensing and Certification Program Fund, to be expended, upon appropriation by the Legislature, to support internal departmental quality improvement activities.

This bill would increase the administrative penalties for an immediate jeopardy deficiency from $50,000 to a graduated scale of a maximum of $75,000 for a first penalty, a maximum of $100,000 for the 2nd penalty, and a maximum of $125,000 for the 3rd and subsequent penalties, and would increase the penalty for deficiencies not causing immediate jeopardy from $17,500 to $25,000. The bill would apply the penalty provisions only to incidents occurring on or after January 1, 2009.

The bill would specify that, for any of the above administrative penalties, a penalty issued after 3 years from the date of the last issued immediate jeopardy violation be considered a first administrative penalty so long as the facility has not received additional immediate jeopardy violations and is found by the department to be in substantial compliance with all state and federal licensing laws and regulations. The bill would give the department full discretion to consider all factors when determining the amount of an administrative penalty.

This bill would require health facilities, clinics, hospices, and home health agencies to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined. The bill would authorize the department to assess an administrative penalty of up to $25,000 per patient for a violation of these provisions, and up to $17,500 for each subsequent accessing, use, or disclosure of that information.

The bill would require all of the administrative penalties to be deposited into the Internal Departmental Quality Improvement Account, which would be created within the existing Special Deposit Fund, and would delete the requirement that certain of the penalties be deposited into the Licensing and Certification Program Fund. The bill would require moneys in the account to be used for internal quality improvement activities in the Licensing and Certification Program.

This bill would impose specified reporting requirements on a health facility or agency with respect to unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, and would authorize the department to assess a penalty for the failure to report, in the amount of $100 for each day that the unlawful or unauthorized access, use, or disclosure is not reported, up to a maximum of $250,000. The bill would authorize a licensee to dispute a determination of the department regarding a failure to make a report required by the bill, as provided.

By expanding the definition of an existing crime, this bill would impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to these statutory provisions.