California is among the jurisdictions that have moved fastest to keep its legal framework in step with changing technology, not only within the United States but among the major economies of the world. It is one of the few jurisdictions to have taken significant steps in advancing healthcare privacy and in updating its regulations to match recent developments.
The California Department of Public Health (“CDPH”) is the regulatory authority that oversees licensed health care facilities in the state. It has issued new regulations specifying the breach reporting requirements that health care facilities must follow. These regulations implement California Health and Safety Code Section 1280.15, which requires a clinic, health facility, home health agency, or hospice licensed by the Department to prevent any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information, and to report any such breach to the Department as well as to the affected patient(s). This article critically examines the regulations implementing Section 1280.15, in particular the new exceptions they create to the requirement to report breaches of patients’ confidential information.
Overview of the new regulations to the Health and Safety Code
The California Department of Public Health (“CDPH”) recently issued new regulations, effective 1 July 2021, that complement Section 1280.15 of the Health and Safety Code. That statute, which governs health and safety in the state of California, requires licensed facilities to prevent any unauthorised access to, or use or disclosure of, a patient’s medical information and to report any such unauthorised access, use or disclosure to the Department no later than fifteen (15) business days after the breach is detected. The regulations took effect immediately on 1 July 2021 and, as discussed below, narrow the circumstances in which an instance of unauthorised access to medical information must be reported to CDPH.
Every licensed health care facility in California must therefore report breaches of medical information to CDPH within fifteen (15) business days of detecting the breach.
For comparison, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to notify the HHS Office for Civil Rights of breaches as well: without unreasonable delay and no later than 60 calendar days after discovery for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches. The report to CDPH must be in writing, signed by a representative of the health care facility, and must contain all the information required to explain the breach. The required elements are as follows:
- Name/address of health care facility where such breach has taken place.
- Date/time of the breach.
- Date/time of discovery of such breach.
- Name of patient(s) affected.
- Description of medical information breached.
- Nature and extent of the medical information involved (including types of individually identifiable information/likelihood of reidentification).
- Description of events surrounding the breach.
- Date of notification of affected patients, or the expected date if notifications have not yet been sent.
- Name(s)/contact information of the individual(s) who performed the breach (if known), witness(es) (if any), and the details of any unauthorized person(s) to whom the disclosure was made.
- Contact information of the health care facility’s representative.
- Description of corrective actions taken.
- Details of any previously reported events that include the affected patient’s medical information during the past 6 years.
- A copy of the notification letter sent to the affected patient(s).
- Audit reports, witness statements, and other documents that the health care facility relied upon in determining a breach occurred.
Failure to report a breach on time, or to provide the required information about it, exposes the facility to administrative penalties from the California Department of Public Health. These penalties, discussed in detail later in this article, start from a base amount of $15,000 per violation and, for late reports, accrue daily up to a maximum of $250,000 per event, depending on several factors. The Department may, however, reduce penalties for small and rural hospitals, primary care clinics and skilled nursing facilities, but only upon a request submitted to the Department.
Reasons for implementing such regulations
Section 1280.15 of the Health & Safety Code, which has been in effect for many years, requires a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health to prevent any unlawful or unauthorised access to, or use or disclosure of, a patient’s medical information, and to report any such unauthorised access, use or disclosure no later than 15 business days after the licensee detects it. What the statute lacked was detail on how such breaches were to be reported, and a mechanism for assessing administrative penalties in an equitable and consistent manner. The regulations go further than filling that gap: by spelling out the reporting requirement they are intended to increase vigilance by health care facilities in protecting patient information, and thereby to improve patient privacy for the people of California. They also align the breach reporting obligations under Section 1280.15 more closely with the federal reporting requirements under HIPAA.
New exceptions to the notice requirements
The statute already provides that internal paper records, electronic mail, or faxes inadvertently misdirected within the same facility or health care system in the course of coordinating care or delivering services do not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. It contains no exception, however, for communications misdirected outside the health care system, for example a health claim sent to the wrong person or a fax sent to the wrong physician, even where the error poses no risk to the patient.
The new regulations retain the statutory exception for inadvertent disclosures within the same facility or health care system and add several further exceptions, namely:
- Inadvertently misdirected communications sent to a HIPAA-covered entity in the course of coordinating care or delivering services.
- Disclosure of medical information in which a healthcare facility or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the medical information.
- Any access to, use, or disclosure of medical information permitted or required by state or federal law.
- Encrypted electronic data containing a patient’s medical information, provided the encrypted data has not been unlawfully accessed, used or disclosed.
- A disclosure for which a healthcare facility or business associate, as applicable, determines that there is a low probability that medical information has been compromised, based on a risk assessment of at least the following factors:
  - The nature and extent of the medical information involved, including the types of identifiers and the likelihood of re-identification;
  - The unauthorized person who used the medical information or to whom the disclosure was made;
  - Whether the medical information was actually acquired or viewed; and
  - The extent to which the risk of access to the medical information has been mitigated.
Notably, these exceptions closely parallel the HIPAA breach notification rule, and in one respect are broader than it: HIPAA contains no express exception for misdirected communications sent to another HIPAA covered entity.
Although the stated aim of the regulations is to harmonise facilities’ notification obligations with HIPAA, the reporting requirements are one area where the two diverge.
The definition of “detect” in Section 79901(f) of the new regulations extends to the facility’s business associates: a breach counts as detected once the facility or its business associate becomes aware of it, so the facility must report within 15 business days regardless of whether it has itself learned of the breach in a timely manner. This makes the new rules inconsistent with the HIPAA breach notification regulations, which do not impute a business associate’s awareness of a breach to the covered entity. A requirement to report a breach of which the facility may not yet be aware is likely to prove problematic in practice.
HIPAA allows a health facility to discharge its patient notification obligations by having its business associate provide the notices to patients, and Section 79902(b) incorporates the same approach. The report to the Department, however, must be made by the facility itself and not by its business associate.
Under Section 79902(b) of the regulations, the notification to the patient must contain the following:
- A brief description of what happened, including the facility’s name, the date of the breach and the date of discovery, if known;
- A description of the types of the medical information involved;
- Steps patients should take to protect themselves;
- A brief description of the facility’s mitigation efforts;
- Contact procedures for questions and additional information.
As with other regulatory regimes, failure to meet these obligations attracts penalties. The regulations accordingly set out the administrative penalties imposed for a breach of a patient’s medical information in violation of Health & Safety Code Section 1280.15.
Where a patient’s medical information has been unlawfully accessed, used, or disclosed, the Department may impose a penalty of up to $17,500 even if the breach is reported on time. In addition, the Department imposes a penalty of $100 for each day the facility is late in reporting the breach, up to a maximum of $250,000.
The Regulations also establish a base penalty of $15,000 for an initial violation, on the basis of which the Department may assess an amount equal to 70% of the initial violation. Under Section 7990(a) of the regulations, the base penalty may be increased or decreased taking into account the following considerations:
- The compliance of the health care facility with the Health & Safety Code Section 1280.15 and other related state and federal law for the past three calendar years;
- The extent of the violation and the preventive actions taken by the health care facility to stop it from recurring;
- Factors outside the control of the health care facility; in particular, no penalty is imposed if the facility had developed and maintained disaster and emergency policies and procedures that were immediately implemented during a disaster or emergency that was the sole cause of the breach;
- Any other applicable factors identified by the Department in the specific circumstances.
The Health & Safety Code does not require health facilities to prevent every unlawful or unauthorized access to patients’ medical records; it requires them to implement safeguards designed to prevent such access. The regulations are therefore aimed at penalising negligence in safeguarding patient information rather than imposing liability for every breach regardless of fault.
Small and rural hospitals: Under Section 79905, a small or rural hospital may be granted a penalty reduction on request to the Department, on the grounds of financial hardship or potential adverse effects on access to care, provided the request is made within 10 business days after the administrative penalty is issued.
Primary care clinics: The regulations allow the Department to reduce penalties for primary care clinics in order to protect access to quality care at those facilities.
Skilled nursing facilities: The Department may impose whichever is higher of the penalty under the medical information breach law (Section 1280.15) and the penalty available under the other applicable provisions of the Health & Safety Code.
The many new exceptions created by the updated regulations will undoubtedly reduce the number of reports made to CDPH, while the expanded content requirements mean that each reported breach will call for the production of more documents for investigation. The new regulations also give health care facilities an occasion to reassess their privacy policies, strengthen the protection of patient information, and thereby minimise regulatory scrutiny in the event of a breach. Although the Regulations and HIPAA’s breach notification requirements are not identical, they are now closely aligned, bringing greater uniformity between state and federal law.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.