California has numerous laws that regulate the practice of medicine. Experienced California healthcare attorneys can explain the legal requirements that apply to a specific case and then advise a practice or business on the steps that can help reduce its legal risk. Our goal is to help you reduce the risks of litigation, develop strong working relationships, and understand the dangers that may lurk ahead.
Healthcare advice varies depending on whether the business involves the practice of medicine or the development and sale of healthcare products. The types of services and the kinds of products also govern which regulations and laws may apply. Some of the laws that health providers and medical companies need to follow are discussed below.
The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), which also applies to non-medical businesses, takes effect on January 1, 2020. Physicians and other health providers need to understand how the new law affects their medical practice or medical business. The aim of the law is to give patients and consumers more control over their personal information.
The CCPA has three threshold requirements, any one of which brings a business within the law. One of them is fairly broad and could apply to many healthcare practices.
The California Consumer Privacy Act affects hospitals, medical practices, and medical companies that buy or receive large blocks of data. California compliance lawyers help businesses comply.
That requirement provides that a company is subject to the CCPA if the company
“Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
In today's healthcare market, many practices rely directly or indirectly on consumer, household, patient, and marketing data. Medical devices often track thousands of patients and consumers.
The CCPA is considered to be one of the broadest privacy laws in the country. It does not apply only to businesses located in California; it applies to businesses that do business in California and handle the personal information of California residents, including potential customers. The other two thresholds apply to businesses with annual gross revenue of more than $25 million and to businesses that derive half or more of their annual revenue from selling personal information.
Many medical practices, hospitals, and health businesses receive personal information on more than 50,000 people through their own practice or through the purchase of customer information lists. Companies that use social media can approach the 50,000 threshold quite easily.
The Core Consumer Rights of the CCPA
The key rights of patients and consumers under the CCPA are:
- Companies must inform their patients and consumers that the companies intend to collect their personal information.
- Patients and consumers have the right to know what personal information has been collected, the source of the information, who the information was shared with, and how the business intends to use it.
- Patients and consumers can forbid practices and businesses from selling their personal information (the right to opt out).
- Patients and consumers can request that the personal information the company has on file be deleted.
- Health practices and companies cannot charge consumers more, provide a lower level of service, or refuse to treat consumers because they exercise their CCPA rights.
CCPA Compliance Issues
Some of the compliance issues regarding CCPA compliance that we review include:
- Identifying and classifying the personal information you keep, where it is stored, and who has access to it.
- Reviewing what privacy controls exist and what additional controls need to be added. We help you work with your IT team and your security team to implement these controls.
- Understanding your obligations under the CCPA and how to implement them.
- Creating processes and procedures to receive, verify, and respond to consumer requests and to monitor complaints and issues raised about existing personal information and newly collected information.
Any extra measures you take in this regard can raise your stock in the eyes of patients and customers, who prefer companies that are proactively working to protect their information.
The Confidentiality of Medical Information Act (CMIA)
California privacy standards, set forth in the CMIA (Civil Code Section 56 et seq.), are similar to those under the federal HIPAA law. The CMIA limits the use of patient information and provides disclosure requirements for personal health information.
“CMIA prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified.”
“CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.”
Medical information means individually identifiable information, in electronic or physical form, about a patient's medical history, mental or physical condition, or treatment. To be covered, the information must contain an element that allows the patient to be identified, such as the patient's name, address, electronic mail address, telephone number, or social security number.
Under Civil Code Section 56.36, a health provider, service plan, pharmaceutical company, or contractor that violates the CMIA can be assessed "either or both nominal damages of $1,000 and the amount of actual damages" in a civil action, without the patient having to prove actual damages. Administrative fines and civil penalties also apply: a negligent disclosure can be penalized up to $2,500 per violation, and a knowing and willful violation carries substantially higher penalties. Because penalties are assessed per violation, a breach involving 50,000 or more records can produce very substantial liability.
State Office of Health Information Integrity (CalOHII)
California law also establishes a State Office of Health Information Integrity (CalOHII), which is dedicated to providing information about rights and responsibilities relevant to health information, as well as the role of health information exchanges (HIEs) in transmitting patients' health information.
CalOHII performs the following functions, which skilled healthcare lawyers help health companies understand and prepare for:
- Evaluates, monitors, and reports on state department compliance.
- Monitors, creates, and revises HIPAA compliance policies through the Statewide Health Information Policy Manual (SHIPM).
- Conducts periodic assessments to determine which state entities need to comply with HIPAA.
- Provides overall leadership and guidance to state departments on HIPAA and other related state and federal laws.
California’s Department of Health Care Services
California has its own Privacy Office. This office is part of the Department of Health Care Services Office of HIPAA Compliance. The duties of the office include protecting Protected Health Information (PHI) and investigating privacy breaches and complaints involving unauthorized access to or disclosure of PHI.
The California Department of Managed Health Care (DMHC)
This agency protects consumers' health care rights. The DMHC adopted a new regulation, effective July 1, 2019, that expands the types of healthcare companies that must be licensed, so more healthcare companies must obtain licenses than before the regulation.
“The regulation is a response to failures (such as insolvencies) of companies that contract with Knox-Keene licensees who provide health care services through subscription plans. The licensees, typically HMOs, provide service to subscribers through:
- Agreements with doctors, hospitals, and other health providers to accept a regular fee (often a monthly fee) to provide medical services to patients
- Agreements with subscribers to pay a monthly subscription/fee.”
The new regulation requires that the following entities acquire a Knox-Keene license.
- Risk Bearing Organizations (RBOs)
- Independent physician associations (IPAs)
- Restricted plans
The regulation means that the DMHC will be able to monitor the financial stability of these healthcare companies (often called restricted licensees or risk bearing organizations).
“The new regulation should help concierge medical practices decide which restricted plans the practices should work with – because the practices will be able to learn from the DMHC if the plan is on solid financial footing.”
California Office of Privacy Protection
This agency provides information on privacy topics for individuals and consumers. The office maintains a webpage listing privacy laws, including health information privacy.
Health providers have more than a duty not to disclose the personal information of their patients. Health providers need to take affirmative steps to secure the patient's information.
California Health and Safety Code Section 130203 requires that:
All health care providers establish and implement "appropriate administrative, technical, and physical safeguards" to protect the privacy of patient medical information. Providers must reasonably safeguard patient medical information from any unauthorized access or unlawful access, use, or disclosure.
In carrying out its duties under this section, the State Office of Health Information Integrity considers the provider's capability, complexity, size, and history of compliance with this section and with other related state and federal statutes and regulations, which is why a documented compliance plan is important. The office also considers the extent to which the provider detected violations and took steps to immediately correct them and prevent them from recurring, as well as factors beyond the provider's control that restricted its ability to comply.
The California Civil Code specifically requires that:
1798.81: A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make the information unreadable or undecipherable through any means.
1798.81.5(b): A business that "owns, licenses, or maintains" personal information about a California resident must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information," to protect the information from unauthorized access, destruction, use, modification, or disclosure.
1798.81.5(c): A business that discloses personal information to a nonaffiliated third party under a contract must require by contract that the third party implement and maintain reasonable security procedures and practices to protect the information.
California places an extremely high priority on protecting the privacy of patient medical information. Several agencies have the authority to monitor the handling of patient medical data and the response to breaches. California also has several laws, such as the CCPA and the CMIA, that are designed to keep patient information private and secure.
Contact Cohen Healthcare Law Group, PC for legal counsel on healthcare transactions, regulatory compliance, and FDA and FTC law. Our experienced healthcare & FDA attorneys advise healthcare companies and healthcare providers ranging from medical centers, to integrative and functional medicine practices, cosmetics and supplement companies, and medical device manufacturers.