Under California Health & Safety Code (HSC) sections 1280.15(a) and (b), California licensed clinics, hospitals, home health agencies and hospices are required to prevent “unlawful or unauthorized access to, and use or disclosure of, patients’ medical information” (collectively, a breach) and to report any breach to the California Department of Public Health (CDPH) and the “affected patient” no later than five business days after the breach was “detected.” Since these requirements became effective on January 1, 2009, CDPH has assessed millions of dollars in administrative penalties for such breaches and for entities’ failures to report breaches as required. Also as of that date, the Office of Health Information Integrity (CalOHII) was established to “ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines” for the violation thereof on individuals and health care providers who are not otherwise under the jurisdiction of CDPH. Assembly Bill 211 (2008); HSC § 130200. This regulatory scheme recently has undergone multiple changes.

First, as of January 1, 2015, licensed facilities have a few more days in which to notify CDPH and the affected patients of a breach, as well as additional flexibility in the manner in which patients are notified. Second, the authority to assess administrative fines for medical information breaches against non-institutional health care providers has been moved from CalOHII to CDPH. Despite these changes, questions remain regarding the regulation of the privacy and security of medical information in California.

Increased Flexibility, but No Added Clarity

Under Assembly Bill 1755, effective January 1, 2015, licensed facilities now have 15 business days — rather than five — from the detection of a breach, or, if applicable, from the conclusion of law enforcement activity, to notify CDPH and any affected patients. HSC §§ 1280.15(b) & (c). Further, facilities now may provide the patient with notice via a previously agreed-upon alternate means or location, including by email. HSC § 1280.15(b)(2). Finally, the bill clarifies that CDPH has the discretion to consider whether to investigate breach reports. HSC § 1280.15(a). These changes, while helpful, do not resolve the multiple problems with California’s breach reporting scheme.

From the beginning, the breach reporting mandate has been difficult for California facilities to implement. First, there is no clear definition of what constitutes an “unlawful or unauthorized access, use, or disclosure.” CDPH has generally taken the position that every potential breach must be reported, whether or not any data actually has been accessed, used or disclosed inappropriately. Second, there is no definition or guidance as to when a breach “has been detected.” Arguably, some confirmation or investigation is in order so that a reporting entity can determine whether a breach truly has occurred. However, CDPH typically takes a narrower view, expecting a timely report, whether or not the potential breach has been verified. Third, it is often impossible for an entity to determine which patients were affected by a data loss within five business days, much less to identify and notify such patients. Finally, California’s breach reporting requirements are significantly more restrictive than the federal breach reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA), which allow as much as 60 days before reporting a breach. 45 C.F.R. pts. 160, 162, 164. Thus, facilities must run the breach reporting analysis twice to ensure they comply with both the California and federal legal schemes.

The extra 10 business days now allowed for reporting in California will give facilities some breathing room to determine whether a breach actually occurred and/or to identify the affected patients. However, there still will be instances in which the required notification simply cannot be made within the allotted time. In addition, although many physicians have begun utilizing “secure email” communications with their patients, the same cannot be said for licensed facilities. Unless and until these facilities have established arrangements for providing notice via secure email, the “alternate” notice options are unlikely to provide much flexibility.

Facilities that are faced with a possible medical information breach must quickly mobilize resources to identify whether a breach actually has occurred, whether a report to CDPH is required and whether patient notification is necessary. The same analysis must be conducted under HIPAA and certain other California consumer protection laws. Pepper attorneys can assist with this analysis and provide guidance on if, and how, such notices should be made.

Increased Authority for CDPH

CalOHII initially had authority to assess administrative fines of $2,500 to $250,000 against individuals and licensed health care professionals for failing to “establish and implement appropriate administrative technical and physical safeguards to protect the privacy of a patient’s medical information” or to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use or disclosure.” Civil Code (CC) § 56.36; prior HSC § 130203(a) (now HSC § 1280.18(a)). The amount of the fine depended on the nature of the breach, the identity of the person being fined and the willfulness of the actor causing the breach. Id. All such fines were to be deposited in the Internal Health Information Integrity Quality Improvement Account. CC § 56.36; prior HSC § 130204 (now HSC § 1280.19).

Senate Bill 587, effective June 20, 2014, has transferred the authority to assess administrative fines to CDPH.¹ According to the CDPH website, 66 penalties have been issued against facilities since 2009. In 2010, the sole year for which penalty amounts are listed, 16 fines were issued, totaling approximately $1.5 million. Given CDPH’s history of vigorous enforcement in this area, we expect the number and range of such penalties against individuals to increase in the coming months. Pepper attorneys have experience assisting health care facilities that wish to appeal such administrative penalties, and we stand ready to assist individuals who now will be subject to similar penalties.

Endnotes

1 SB 587 was an Omnibus Health Trailer Bill, which made technical changes to a significant number of laws in order to implement the 2014–2015 state budget. SB 587 authorized CDPH to “conduct joint investigations of individuals and health facilities for violations of [HSC sections 1280.18 and 1280.15], respectively.” HSC § 1280.18(c).