Here's a summary of the two companion legislative bills; they are all but
signed, and will take effect January 1, 2009. The scuttlebutt in Sacramento is
that the bills are directly driven by Governor Schwarzenegger's personal
interest in their passage, following unauthorized access by UCLA Medical Center
employees to his wife's medical information.
1. SB 541 creates a specific administrative penalty for hospitals,
home health agencies, hospices and licensed clinics that fail to "prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information." The penalty for violation is $25,000 per patient, with a cap of $250,000 "per reported event." The fine is to be levied by the state Department of Health Services (DHS), which must consider a number of factors, including the provider's history of compliance, the extent to which the provider detected violations and took steps to
immediately correct and prevent past violations from reoccurring, and factors beyond the provider's immediate control that restricted the facility's ability to comply with the law. In addition, once the provider determines that a violation has occurred, the provider must notify both DHS and the patient(s) whose medical information was unlawfully accessed, used or disclosed within 5 days following the provider's discovery of the access, use or disclosure.
Finally, if a provider fails to notify the affected patient(s) within 5 days, penalties of $100 per day can be assessed for each day until the patient(s) is/are notified, subject to the $250,000 cap above.
2. AB 211 creates a new office (Office of Health Information Integrity) and empowers it to levy administrative penalties against individual providers and those healthcare
provider entities not regulated by the companion bill for violations of a new Health & Safety Code section 130203 which states in part: "Every provider of health care shall implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care must reasonably safeguard confidential medical information from any authorized access or unlawful access, use or disclosure." If violations of the law occur, the office may assess the penalties provided in California's existing Confidentiality of Medical Information Act (Civil Code section 56 et seq.), ranging from $1,000 to $250,000.
In addition, when the new office deals with a violation by a health care provider, it is permitted to send a recommendation to the licensing agency for the health care provider for "further investigation or discipline" of the licensed provider. The Office's
recommendation and accompanying evidence are to be deemed "investigative
communications,"protected under Government Code section 6254.Hat tip: Jana Aagaard of Catholic Healthcare West.