Federal and California Laws that Protect Patient and Consumer Information

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. The aim of the law is to give California consumers more control over their personal data.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in response to the growing use of electronic records to hold and transmit private health records.

The Confidentiality of Medical Information Act (CMIA) is a California law that protects patient medical information provided by physicians.

The Health Information Technology for Economic and Clinical Health Act (HITECH) creates incentives for the use of electronic health record (EHR) systems and expands the regulations that govern electronic protected health information (ePHI).

Some of the definitions, such as protected medical information (for example, electronic information vs. information in any form), vary from law to law. The covered entities also vary from law to law. An experienced healthcare lawyer can explain the medical compliance issues for each law and help your medical practice or medical business implement plans to show your company is working to comply with these laws.

Key HIPAA rules and provisions

HIPAA, according to the Department of Health and Human Services, has several rules that help patients trust that their private health information (PHI) is being protected. These rules include the following:

  • Privacy Rule. This rule sets national standards for protecting individually identifiable health information (IIHI) for the following entities that conduct electronic health care transactions:
    • Healthcare providers. This generally includes all medical physician practices, since nearly every doctor must keep PHI. Most physicians transmit PHI to insurance carriers, to federal agencies such as Medicare, and to other physicians they work with. PHI records of health care providers include claims, inquiries about a patient's benefit eligibility, referrals, and other transactions.
    • Health plans. This category applies to entities such as insurers, HMOs, Medicare, Medicaid, supplemental insurers, and long-term care insurers. The category also includes employer-sponsored health plans, government plans, and church-sponsored health plans. Some exceptions based on the number of participants apply.
    • Healthcare clearinghouses. Generally, these entities process information they receive from healthcare providers, health plans, and business associates.
    • Business associates. This category covers people or organizations (other than those who are part of another covered entity) that use or disclose PHI.
  • Security Rule. This compliance rule is designed to protect the “confidentiality, integrity, and availability of electronic protected health information.” The HIPAA Privacy Rule protects the broad category of protected health information. The Security Rule protects a subset of PHI: the protected health information that is created, stored, or transmitted electronically (e-PHI). The HIPAA Security Rule does not apply to oral and written transmission of PHI. This rule requires that covered entities:
    • Ensure that e-PHI is confidential, has integrity, and is available
    • Anticipate threats against the security of the e-PHI
    • Protect against unauthorized uses or disclosure of e-PHI
    • Certify workforce compliance
  • Enforcement Rule. This rule sets standards for enforcing the HHS HIPAA rules.
  • Breach Notification Rule. This rule requires that covered entities under HIPAA (and business associates of the covered entities) notify patients after there has been a breach of unsecured protected health information. There are related FTC breach notification rules as well, which apply to vendors of personal health records.

Skilled healthcare lawyers help physicians and other covered entities understand the security compliance requirements and work to help the covered entities come into compliance.

Frequently Asked Questions about Telehealth and HIPAA during the COVID-19 emergency

The Department of Health and Human Services has created a list of frequently asked questions and answers about using telehealth during the COVID-19 emergency.

Uses of protected health information that are permitted

According to the CDC, covered entities can use and disclose PHI without the consent of the patient in the following circumstances:

  • If required by law
  • If required for public health
  • For treatment, payment, and healthcare operations
  • For the benefit of victims of domestic violence or neglect
  • For law enforcement
  • For judicial and administrative proceedings
  • For other authorized purposes which an experienced healthcare compliance lawyer can explain

The California Consumer Privacy Act (CCPA)

The CCPA is a state consumer protection law designed to protect the personal data of California residents. The law was passed in 2018 and became effective on January 1, 2020. The law gives California residents:

  • The right to know what personal data about the resident is being collected
  • The right to know whether their personal data has been sold or disclosed
  • The right to say no to the sale of their personal data
  • The right to access their personal data, including the sources of the information, the purpose for collecting the information, and the categories of businesses that the organization holding the data shares it with
  • The right to request that a business delete any personal data collected from consumers. The businesses that have the data must inform the consumer of this right.
  • The right to be free from discrimination for exercising their rights to data privacy
  • Numerous other statutory rights

The CCPA applies to for-profit and non-profit businesses that collect the personal data of consumers – provided the business operates in California and meets one of the following criteria:

  • Has a gross annual income of more than $25 million
  • Receives, buys, or sells the personal data of 50,000 or more people
  • Derives half or more of its yearly revenue from selling consumers’ personal data

According to the CCPA, these businesses must, in a form that is reasonably accessible to consumers, “make available to consumers two or more designated methods for submitting requests for information required to be disclosed – such as a telephone number and/or an email address.”

Businesses, such as covered medical practices and health care businesses, that fail to comply with the CCPA can be subject to civil and class action lawsuits seeking statutory damages or actual damages. Statutory damages can range from $100 to $750 for each California resident whose rights are affected. Fines can range from $2,500 for an unintentional violation of the Act to $7,500 if the violation was intentional.

Personal data includes a resident’s name, post office address, Internet address, social security number, driver’s identification number, professional or employment-related information, bank account numbers, and many other types of information including medical information and health insurance information.

The obligation to disclose and protect protected data generally applies to information acquired by the business within the prior 12 months.

CCPA exclusions

The CCPA does not apply to:

  • “Medical information governed by the Confidentiality of Medical Information Act…or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services…established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).”
  • Health care providers governed by the Confidentiality of Medical Information Act and by HIPAA, “to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in the above paragraph.”
  • Information collected for certain types of clinical trials.

The Confidentiality of Medical Information Act

The Confidentiality of Medical Information Act (CMIA) is a California law that provides additional patient protection in addition to HIPAA. CMIA protects the confidentiality of personally identifiable medical information that a health care provider obtains. Some of the key provisions of this law are:

  • The law forbids a health care provider, service plan, or contractor from disclosing patient medical information, or the medical information of an enrollee or subscriber, without first getting that person’s authorization (unless an exception applies).
  • The law requires that the following entities that create, store, keep, destroy, or dispose of medical records do so in a form that protects the confidentiality of the information contained in those medical records:
    • Health care provider
    • Health care service plan
    • Pharmaceutical company
    • Contractor
  • Medical information under the CMIA means information (whether in electronic or physical form) that is in the possession of (or derived from) one of the covered entities regarding a patient’s:
    • Medical history
    • Mental or physical condition
    • Treatment
  • “Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that reveals the individual’s identity.”

If confidential information is negligently released, the patient may file a claim for actual damages, nominal damages of $1,000, or both. To recover the nominal damages, the plaintiff will need to prove that he or she suffered or “was threatened” with actual damages.

“Any person or entity who knowingly and willfully obtains, discloses, or uses medical information in violation of CMIA shall be liable for an administrative fine not to exceed $2,500 per violation.”

The Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH creates incentives for the use of electronic health record (EHR) systems and expands the regulations that govern electronic protected health information (ePHI). The law also expands the scope of the HIPAA privacy and security rules by increasing liability and enforcement actions for non-compliance. Experienced healthcare lawyers understand the compliance requirements and advise medical practices and businesses on how to implement them.

HIPAA and HITECH Medical Privacy and Security Plans Necessary for Small to Medium Clinical Offices

Whether you are a physician, psychologist, or other clinical healthcare provider, it is a good idea to have a HIPAA- and HITECH-compliant privacy and security plan for your office or practice.

Some of the key provisions of HITECH are:

  • Enforcement. Prior to the passage of HITECH, HIPAA was not strongly enforced. HITECH strengthened the ability to enforce HIPAA, and the civil penalties for “willful neglect” were increased. While individuals cannot file lawsuits against health providers for HITECH violations, the state attorney general can file a lawsuit against the provider.
  • Breach notification. HITECH creates breach notification rules for unauthorized uses and disclosures of PHI that are not secured or not encrypted.
  • Electronic Health Record Access. If a provider has implemented an EHR system, the individual (patient) has the right to obtain his or her PHI in an electronic format for the cost of the labor involved in fulfilling the electronic request.
  • Business Associates and Business Associate Agreements (BAA). HITECH added business associates to the entities that must comply with the HIPAA Security Rule. Most software vendors that provide EHR systems are business associates. Business associates must report security breaches to the HIPAA covered entities they work with.
  • “The Department of Health and Human Services (HHS) is required to conduct periodic audits of covered entities and business associates.”

There are other HITECH requirements that complement HIPAA requirements that an experienced healthcare lawyer can explain.

Federal and state laws are designed to protect the personal information of patients. The laws seek to balance the interests of the patients with the needs of physicians to make competent diagnoses and to provide effective treatments. Skilled healthcare lawyers help practices understand the newer privacy laws and comply with their strict requirements.

Contact Cohen Healthcare Law Group, PC for legal counsel on the current federal and state patient privacy laws. Our experienced healthcare attorneys help medical practices understand compliance rules and help verify they are in compliance.
