Contributed by Marcia Augsburger, Lara Compton, and Carissa Bouwer as part of the ongoing Privacy Matters series

In 2008 California enacted breach reporting laws applicable to certain licensed health care providers (“Healthcare Entities,” defined below) that are more stringent than HIPAA.  They are so stringent that Healthcare Entities have been required to report a suspected violation of the Confidentiality of Medical Information Act (CMIA) before completing a meaningful investigation into whether an incident actually constituted or led to unlawful or unauthorized access to, and use or disclosure of, an individual’s medical information.  Under California’s health care licensing laws, clinics, health facilities, home health agencies, and hospice services required to be licensed under Health & Safety Code Sections 1204, 1250, 1725, or 1745 (collectively, “Healthcare Entities”) were, and remain until January 1, 2015, required to report such a violation to the California Department of Public Health (CDPH) and to the affected individual within five business days of discovering the unlawful or unauthorized access.  Fortunately, under AB 1755, effective January 1, 2015, Healthcare Entities will have fifteen business days to investigate and report.

Specifically, under the law that remains in effect through December 31, 2014, Healthcare Entities are required to report any unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information to CDPH and to the affected patient within five business days of discovering the unlawful or unauthorized access.  Five business days does not provide sufficient time for a facility to fully investigate potential unlawful or unauthorized access, to perform a meaningful risk assessment, or to implement processes to mitigate potential damages.  To ensure compliance over the last six years, most Healthcare Entities confronted with a potential violation chose to report on time rather than to fully investigate and address the concern first.  As a result, they reported many incidents that either were not violations of the CMIA or did not result in such violations.  This created undue burdens on CDPH and Healthcare Entities and caused unnecessary alarm to patients.  In the legislative analysis, the author of AB 1755, Assembly Member Jimmy Gomez, aptly stated that the five business day timeline for notification was “excessive” and “nearly unworkable.”

Once a suspected incident was reported, Healthcare Entities were forced to dedicate significant administrative resources to addressing CDPH’s and patients’ concerns rather than to fully investigating and analyzing the incident, correcting any problems, and implementing processes to mitigate any damages.  Many were confronted with legal action threatened or taken by potentially affected individuals.  By the time reported incidents were determined to be “benign,” Healthcare Entities had incurred significant legal and other expenses that might have been avoided had they been given time to determine that reporting was not required.  Thus, the January 1, 2015 extension of the reporting deadline from five business days to fifteen gives Healthcare Entities and CDPH special cause to celebrate the new year!

Healthcare Entities should remember, however, that the new reporting period is still much shorter than the time to report under HIPAA, which requires notification without unreasonable delay and in no case later than sixty calendar days after discovery of a breach.  Efforts to extend the California reporting period to sixty days to align with the HIPAA regulations were thwarted by consumer advocacy groups.  Failure to report unlawful or unauthorized access within the fifteen business day period can result in a penalty of $100 for each day the unlawful or unauthorized access, use, or disclosure is not reported to CDPH or the affected patient, up to $250,000 per reported event.