On September 18, 2014, California Governor Jerry Brown signed Assembly Bill 1755 (“AB1755”) into law, amending the breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals and clinics, are required to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or their representative at their last known address, and to the CDPH, no later than five (5) business days after the unlawful or unauthorized access, use, or disclosure has been detected. The CDPH then has full discretion to consider all factors “when determining the amount of an administrative penalty” under the statute, including a penalty of $100 per day beyond the reporting deadline up to a maximum of $250,000 per reported event.
AB1755 extends the reporting deadline from five (5) business days to fifteen (15) business days after the unlawful or unauthorized access, use, or disclosure has been detected. AB1755 also allows entities to report the breach to affected patients or their representatives using alternative means, including email (pursuant to the patient’s written consent), or via confidential communication methods requested by patients under Section 164.522(b) of the HIPAA Privacy Rule. Finally, AB1755 adds language clarifying that the CDPH has full discretion to consider all factors “when determining whether to investigate [a reported incident] and the amount of an administrative penalty, if any,” under the statute. These revisions are effective January 1, 2015. A redline demonstrating the revisions is available here.
The five (5) business day reporting deadline has been the subject of controversy since its enactment in 2008. For example, in April 2010, the CDPH issued a notice assessing the maximum $250,000 penalty against a hospital for failure to timely report a breach incident involving the theft of a laptop on January 11, 2010. The hospital had reported the incident to the CDPH on February 19, 2010, and notified affected patients on February 26, 2010. According to the CDPH, the hospital had “confirmed” the breach on February 1, 2010, when it completed its forensic analysis of the information on the laptop, and was therefore required to report the incident to affected patients and the CDPH no later than February 8, 2010—five (5) business days after “detecting” the breach. Thus, by reporting the incident on February 19, 2010, the hospital had missed the five (5) business day deadline by eleven (11) days. However, the hospital disputed the $250,000 penalty and later executed a settlement agreement with the CDPH under which it agreed to pay a total of $1,100 for failure to timely report the incident to the CDPH and affected patients. Although neither the CDPH nor the hospital commented on the settlement agreement, the CDPH reportedly acknowledged that the original $250,000 penalty was an error discovered during the appeal process, and that the correct calculation of the penalty amount should have been $100 per day multiplied by the number of days the hospital failed to report the incident to the CDPH, for a total of $1,100.
Although some uncertainty remains, particularly regarding “detection” of a breach incident, AB1755 has received support from licensed entities and health care organizations in California, including the California Hospital Association. Interestingly, a previous version of AB1755 would have extended the reporting deadline to sixty (60) calendar days, but this extension was shortened in the final version of the bill signed into law.