State privacy and confidentiality laws (such as California’s) can add to the HIPAA compliance burden when handling protected health information (PHI). Data breaches are becoming increasingly common. Recently, our HIPAA attorneys handled two data breaches, one electronic and the other involving a mix-up of the paper medical records of several patients.
In general, HIPAA preempts state law, unless a specific exception applies. These exceptions include if the State law:
- Relates to the privacy of individually identifiable health information and provides “more stringent” privacy protections or privacy rights with respect to such information.
- Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
- Requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
HIPAA may not apply to an all-cash medical practice, because such a practice submits no claims electronically to insurance companies, and it is the electronic transmission of covered transactions that makes a health care provider a HIPAA covered entity. Even then, state law obligations may still be triggered.
HIPAA also applies to business associates and their subcontractors, such as lawyers, medical billers, accountants, IT consultants, and others who handle PHI on a covered entity’s behalf.
Whenever dealing with sensitive business information, and especially, PHI, consult a HIPAA attorney who can provide legal counsel on privacy and security compliance.
Below is a list of some of the relevant California laws. The bottom line: California requires compliance with privacy and security standards, and HIPAA is the gold standard, so even though California law says little about what such compliance means (except in the case of breach notification, where the rules are extensive), HIPAA compliance is often advisable.
Note: the information below includes summaries of law and excerpts taken on a snapshot date. Do not rely on this information but rather engage legal counsel to review your situation at any given time.
Health & Safety Code 130203: “(a) Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure. (b) In exercising its duties pursuant to this division, the office shall consider the provider’s capability, complexity, size, and history of compliance with this section and other related state and federal statutes and regulations, the extent to which the provider detected violations and took steps to immediately correct and prevent past violations from reoccurring, and factors beyond the provider’s immediate control that restricted the facility’s ability to comply with this section.”
Health & Safety Code 123100-123149.5: This governs access to healthcare records. With minor limitations, this law gives patients the right to see and copy information maintained by health care providers relating to the patients’ health conditions. The law also gives patients the right to submit amendments to their records, if the patients believe that the records are inaccurate or incomplete. Additional rules regulate when patients can be charged, and how much, for their records.
Civil Code 1798.80-1798.84: Section 1798.80 defines “personal information” as: “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. ‘Personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
Requirements include the following:
- Section 1798.81 (disposal of records): A business must take reasonable steps to dispose, or arrange for the disposal, of customer records containing “personal information,” by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information to make it unreadable or undecipherable.
- Section 1798.81.5 (security practices): A business that “owns or licenses” personal information about a California resident (which includes patients) must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” to protect the information from unauthorized access, destruction, use, modification, or disclosure.[i]
A business that discloses personal information pursuant to a contract with a third party must require by contract that the third party implement and maintain reasonable security procedures and practices.
“Owns or licenses” includes retaining the information as part of the business’s internal customer account.
For purposes of this section, “personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (A) Social security number; (B) Driver’s license number or California identification card number; (C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (D) medical information (which means “any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional”).
There are various exceptions in 1798.81.5(e), including: (1) a provider of health care regulated by the Confidentiality of Medical Information Act; (2) a covered entity under HIPAA; (3) a business regulated by stricter state or federal law in these matters.
- Section 1798.82 (breach notification rules):
Definitions (1798.82(g)-(i)): For Section 1798.82, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. “Medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. “Health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’
1798.82(a): Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, must disclose any “breach of the security of the system,” following discovery, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
“The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
1798.82(b): Any person or business that maintains computerized data that includes personal information that the person or business does not own must disclose any breach of the security of the system, immediately following discovery, to the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
1798.82(c): The notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
1798.82(d): The breach notification must meet all of the following requirements:
(1) The security breach notification shall be written in plain language.
(2) The security breach notification shall include, at a minimum, the following information: (A) The name and contact information of the reporting person or business subject to this section. (B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. (C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice. (D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided. (E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided. (F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the person or business, the security breach notification may also include any of the following: (A) Information about what the person or business has done to protect individuals whose information has been breached. (B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
1798.82(e): A covered entity that complies with the HIPAA/HITECH breach notification requirements is deemed to have complied with section 1798.82(d). However, HITECH Act compliance does not exempt a covered entity from any other provision of Section 1798.82. Note: even if breach notification is not required under the HITECH Act, breach notification may still be required under Section 1798.82. As well, because Section 1798.82(e) covers only “covered entities,” HIPAA “business associates” get no such safe harbor and must comply with Section 1798.82 in full, in addition to their obligations under HIPAA and the HITECH Act.
1798.82(f): A person or business required to notify more than 500 California residents as a result of a single breach must also electronically submit a sample copy of the notification to the Attorney General.
1798.82(j): “Notice” may be provided by one of the following methods: (1) Written notice. (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code. (3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (A) E-mail notice when the person or business has an e-mail address for the subject persons. (B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one. (C) Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.
1798.82(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Section 1798.83: There are additional requirements if disclosure was made to third parties that use the personal information for marketing purposes.
Section 1798.84 sets forth penalties.
1798.84(b): A customer injured by a violation of this title may institute a civil action to recover damages.
1798.84(c): In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.
1798.84(d): Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
1798.84(e): Any business that violates, proposes to violate, or has violated this title may be enjoined.
1798.84(f): (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. (2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).
1798.84(g): A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney’s fees and costs.
1798.84(h): The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
Health & Safety Code Section 1280.15(a) (the codification of SB 541) requires certain licensed health care facilities (a clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745) to prevent unlawful or unauthorized access to, or use or disclosure of, patients’ medical information (as defined in subdivision (g) of Section 56.05 of the Civil Code and consistent with Section 130203). The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. The statute provides factors to be considered in setting the penalty.
Section 1280.15(b)(1) provides that a clinic, health facility, home health agency, or hospice to which (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department (the California Department of Public Health, CDPH) no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.
Section 1280.15(b)(2) provides that, subject to Section 1280.15(c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.
Section 1280.15(c)(1) provides that a clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period. Subsection (c)(2) provides what the institution must do if the statement of the law enforcement agency or official is made orally. Subsection (c)(3) provides that a clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay. 
Subsection (d) describes penalties for a violation of subsection (b); subsection (e) describes considerations to be taken into account in assessing penalties; subsection (f) describes deposits of penalties; subsection (g) describes the licensee’s ability to request a hearing; and subsection (h) describes the licensee’s option to transmit 75% of the total administrative penalty in lieu of disputing the determination. Subsection (i) provides that the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303; subsection (j) contains definitions of “reported event” and “unauthorized.”
[i] Id., s. 1798.81.5(b). “Owns or licenses” includes retaining the information as part of the business’s internal customer account.