Health Care Legal Update January 2009
Privacy, Security and HIPAA Update: New Requirements for Healthcare Providers and Facilities
New California Medical Privacy Requirements
AB 211 adds Section 130203 to the Health and Safety Code, which requires health care providers to (1) "establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information" and (2) "reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure." The law is applicable to all health care providers, as defined in the statute. "Unauthorized access" is defined as the inappropriate review or viewing of patient medical information without a direct need for diagnosis or treatment or other lawful use. Another important aspect of the new law is that it provides an individual right for a patient to sue if his/her privacy rights have been breached, which is an enforcement mechanism that the federal HIPAA law does not include.
SB 541 applies the AB 211 standards to licensed health facilities. The bill adds Section 1280.15 to the Health and Safety Code, which directs that "[a licensed] clinic, health facility, home health agency, or hospice...shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information...consistent with Section 130203." Section 130203, as described above, requires covered persons or entities to establish appropriate safeguards to protect medical information and sets forth a reasonableness standard for safeguarding such information from unlawful or unauthorized access.
The new laws will be enforced by the new Office of Health Information Integrity ("OHII"), a division within the California Health and Human Services Agency that has the authority to investigate potential violations of the AB 211 privacy standards by health care providers. Upon concluding that a health care provider failed to establish appropriate safeguards or to reasonably safeguard medical information against unlawful or unauthorized access, OHII may assess penalties ranging from $1,000 to $250,000. OHII may also refer the provider to the state's licensing agency for further disciplinary action. SB 541 gives the California Department of Public Health the authority to investigate potential violations by health facilities and, when an actual violation of the applicable privacy standard is found, authorizes an administrative penalty of up to $25,000 for each patient whose medical information was accessed unlawfully or without authorization, and up to $17,500 for each subsequent occurrence of unlawful or unauthorized access to that patient's medical information, subject to a total cap of $250,000.
New California Requirement to Report Patient Privacy Violations
SB 541, effective January 1, 2009, also requires health facilities, clinics, hospices and home health agencies to report unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, to the California Department of Public Health and to the affected patient or patient's representative no later than five days after detecting the incident, subject to the fines noted above. The failure to report such a violation subjects a facility to a fine of $100 per day for each day that the disclosure is delinquent.
HIPAA Security Rule Guidance
The National Institute of Standards and Technology has published a set of detailed guidance materials to serve as a framework for complying with the HIPAA security rules. The guidance includes checklists for compliance requirements, a glossary, cross references to standards and definitions, and a table of prior NIST published standards on security in various types of situations.
HIPAA Transaction and Code Sets Standards
On January 16, 2009, HHS published two final rules to adopt updated HIPAA standards. In one rule, HHS is adopting X12 Version 5010 and NCPDP Version D.0 for HIPAA transactions. In this rule, HHS also adopts a new standard for Medicaid subrogation for pharmacy claims, known as NCPDP Version 3.0. For Version 5010 and Version D.0, the compliance date for all covered entities is January 1, 2012. This gives the industry enough time to test the standards internally, to ensure that systems have been appropriately updated, and then to test between trading partners before the compliance date. The compliance date for the Medicaid subrogation standard is also January 1, 2012, except for small health plans, which will have until January 1, 2013 to come into compliance.
In a separate final rule, HHS modifies the standard medical data code sets for coding diagnoses and inpatient hospital procedures by concurrently adopting the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding and the International Classification of Diseases, 10th Revision, Procedural Coding System (ICD-10-PCS) for inpatient hospital procedure coding. These new codes replace the current International Classification, 9th Revision, Clinical Modification, Volumes 1 and 2 and the International Classification, 9th Revision, Clinical Modification, Volume 3 for diagnosis and procedure codes respectively. The implementation date for ICD-10-CM and ICD-10-PCS is October 1, 2013 for all covered entities.
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
The Office of the National Coordinator for Health Information Technology (ONCHIT) recently issued the Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information. The framework creates a set of consistent principles to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization.
Along with the Nationwide Privacy and Security Framework, the Department of Health and Human Services (HHS) has issued the Health IT Privacy and Security Toolkit. The Toolkit includes new HIPAA Privacy Rule guidance documents developed by the Office for Civil Rights (OCR) to help facilitate the electronic exchange of health information. The Toolkit also provides guiding principles for the following areas:
- Information Access – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
- Correction – Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
- Openness and Transparency – There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
- Individual Choice – Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
- Collection, Use and Disclosure – Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
- Data Quality and Integrity – Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
- Safeguards – Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
- Accountability – These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.
Conclusion
Health care facilities and providers must review current policies and procedures regarding access to and maintenance of patient medical information to ensure that adequate safeguards are in place to prevent the unauthorized access or use of patient medical information. Health care facilities and providers should also conduct regular audits and evaluations to ensure that only appropriate parties are reviewing patient medical information, and be prepared to take prompt action when violations of patient privacy are identified. The new California laws significantly increase the financial penalties for the unauthorized access of patient medical information. In addition, health care providers and facilities face additional legal duties, including prompt breach notification requirements, as well as the risk of being sued by patients for privacy violations. Health care organizations should immediately reevaluate and revise their safeguards for patient medical information, compliance programs, privacy and security policies and procedures, and the ability of their information security systems to monitor access to patient information, and should educate staff regarding the new requirements.
Theodora Oringher Miller & Richman has substantial experience in assisting health care organizations with California and HIPAA Privacy and Security compliance strategies. If you have any questions or desire additional information please contact Michael Dowell at mdowell@tocounsel.com or the lawyer in the firm who generally handles your health care legal matters.
