On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often found it difficult to investigate reasonably and respond to a potential breach within the five-day period. This law takes effect on Jan. 1, 2015.

Changes to California Health and Safety Code Section 1280.15 California’s clinics, health facilities, home health agencies, and hospices are required to prevent breaches of medical information, defined as any unlawful or unauthorized access to, use of, or disclosure of, patients’ medical information. Previously, under California Health and Safety Code Section 1280.15 (“Section 1280.15”), these entities were required to notify affected individuals and the California Department of Public Health within five business days. Pursuant to Assembly Bill 1755, which amends Section 1280.15, these healthcare providers are afforded significantly more time:

Click here to view table.

“Medical Information”  Notably, the breach notification requirements of Section 1280.15 apply only to “medical information as defined in Civil Code Section 56.05(j).” The changes to Health and Safety Code Section 1280.15 do not affect any requirements with respect to breaches related to “personal information” under California’s Security Breach Notification Laws at Civil Code Sections 1798.29 (applying to California agencies) and 1798.82 (persons or businesses that conduct business in California).

A recent California Court of Appeal case, Eisenhower Medical Center v. Superior Court of Riverside County, clarified that the Civil Code Section 56.05(j) statutory phrase “medical information” does not refer to mere demographic information that is maintained by a healthcare entity, but rather must be “substantive information regarding a patient’s medical condition or history that is combined with individually identifiable information.” (Emphasis added.)   

Next steps for providers that are subject to Section 1280.15 (i.e., clinics, health facilities, home health agencies, and hospices):

  • You should amend applicable policies, procedures, and breach response plans by Jan. 1, 2015 to reflect these changes to the law.
  • You should also train staff on the changes prior to Jan. 1, 2015.