Effective January 1, 2015, AB 1755 gives clinics, health facilities, home health agencies and hospice services required to be licensed under Health & Safety Code Sections 1204, 1250, 1725 or 1745 (collectively “Healthcare Entities”) fifteen business days to investigate and report violations of the California Medical Information Act (CMIA). This is a big relief to California Healthcare Entities who scrambled to report suspected violations of the CMIA within five days.
Under former law in effect since 2008, Healthcare Entities were required to report any unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information to the California Department of Public Health (CDPH) and to the affected patient within five business days of discovering the unlawful or unauthorized access. Five days did not provide sufficient time for Healthcare Entities to fully investigate incidents, to perform meaningful risk assessments, or to implement processes to mitigate potential damages. As a result, to ensure compliance, entities were reporting suspected CMIA violations even when the incidents did not constitute or lead to an unlawful or unauthorized access to, and use or disclosure of, an individual’s medical information.
Once a suspected incident was reported, Healthcare Entities were forced to dedicate significant administrative resources to addressing CDPH’s and patients’ concerns instead of to fully investigating and analyzing the incident, correcting any problems and implementing processes to mitigate any damages. Many were confronted with legal action threatened or taken by potentially affected individuals. By the time reported incidents were determined to be “benign,” Healthcare Entities had incurred significant legal and other expenses – which might have been avoided if the entities had been given time to learn that reporting was not required.
In sum, the five business day timeline created unnecessary alarm for patients, significant problems for Healthcare Entities and undue burdens for CDPH. Indeed, in legislative analysis, the author of AB 1755, Assembly Member Jimmy Gomez, aptly stated that the five business day timeline for notification was “excessive” and “nearly unworkable.”
The January 1, 2015 extension of the reporting deadline from five days to fifteen gives Healthcare Entities and CDPH a special cause to celebrate the new year. Healthcare Entities at least have a fair chance of performing a meaningful investigation before they report suspected violations.
Healthcare Entities should remember, however, that this new reporting period is still much shorter than the time to report a breach under HIPAA – efforts to extend the reporting period to sixty days to align with HIPAA regulations were thwarted by consumer advocacy groups. Failure to report unlawful or unauthorized access within the fifteen-day period can result in a penalty of $100 for each day the unlawful or unauthorized access, use or disclosure is not reported to the CDPH or the affected patient, up to $250,000 per reported event.