New health-care privacy laws heighten need for HIPAA compliance in California
Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline
October 7, 2008 (Computerworld) Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.
Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.
In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.
The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. “The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue,” MacKoul said.
And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.
“The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago,” MacKoul said. As state statutes, SB 541 and AB 211 don’t directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.
The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent “corrective action plan” in response to what HHS described as potential HIPAA violations.
The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement stemmed from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.
In California, SB 541 (download PDF) was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly’s Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.
The new law amends and adds to sections of the California Health and Safety Code. One of the most significant changes is the addition of a requirement that covered entities take steps to prevent unauthorized access to patient health data — not just “unlawful” access, as was the case previously.
The change in terminology means that health care organizations will need to implement controls not just to protect information from malicious outsiders, but also to guard against misuse of data by employees who have access to systems as part of their job responsibilities, MacKoul said.
For instance, the consultants who wrote the analysis of SB 541 for the Committee on Health pointed to an incident at the University of California, Los Angeles, earlier this year in which a former UCLA Medical Center employee was charged with illegally accessing the confidential medical records of 939 individuals — including Maria Shriver, Schwarzenegger’s wife, and about 30 other celebrities. And that employee was just one of 127 workers at UCLA who allegedly snooped into data files without authorization.
SB 541 specifically requires covered businesses — such as licensed clinics, health facilities, home health agencies and hospices — to implement physical, technical, administrative and procedural safeguards for preventing unauthorized and unlawful access to patient data and for monitoring employee access to the data. The new law gives the CDPH authority to impose fines of up to $25,000 for each patient whose medical information may have been accessed, used or disclosed in an unauthorized manner.
Health care organizations also face administrative penalties of up to $100,000 — or four times the previous maximum of $25,000 — for data privacy and security violations that potentially put patients at immediate risk of injury or death. And SB 541 includes a new disclosure rule, under which any breaches must be disclosed both to the affected patients and the CDPH within five days of being discovered. Organizations that fail to do so can be fined $100 per violation for each day they are late, up to a maximum of $250,000.
Importantly, SB 541 also allows the CDPH to refer entities that aren’t compliant with HIPAA to the new Office of Health Information Integrity for enforcement under the provisions of AB 211. That bill, which is an amended version of an earlier measure (download PDF), also requires health care organizations to “reasonably safeguard” patient data from unauthorized access.
Like SB 541, AB 211 was sponsored by the CDPH and provides for a range of fines to be assessed against violators, starting from $2,500 to $25,000 per violation for organizations that negligently disclose patient records. People or companies that illegally use medical information for financial gain face fines of up to $250,000 per violation.
In addition, AB 211 allows individuals to take legal action against covered entities and licensed health professionals for failing to adequately protect their medical data. Patients can claim up to $1,000 in damages under the law, even if a data exposure caused no harm them.