California recently expanded its data breach notification law to include medical and health insurance information. In addition, the new law (CA AB 1298) will expand the state medical privacy law to cover businesses offering consumers “personal health records.” The law will take effect January 1, 2008.

California law already requires notification to affected individuals of security breaches involving unencrypted “personal information,” which is currently defined as an individual's name in addition to one or more of the following data elements:

  • Social Security number;
  • Driver's license number or California identification card number; or
  • An account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

AB 1298 adds two new data elements to this list:

  • “Medical information,” which is any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
  • “Health insurance information,” which is an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

In addition, AB 1298 will expand the reach of the state medical privacy law, known as the Confidentiality of Medical Information Act (CMIA), to “[a]ny business organized for the purpose of maintaining medical information … for the purposes of allowing the individual to manage his or her information or for the treatment or diagnosis of the individual.” This broad definition potentially encompasses, among other entities, some pharmaceutical companies, personal health record vendors, employers who maintain certain medical information about their employees, and any other business that maintains medical information for use by individuals or health care providers in managing that information or for receiving or providing medical diagnoses or treatment. Such businesses will now be considered “providers of health care” for purposes of the CMIA. The new law will subject companies providing such services to civil and criminal penalties for unlawful uses and disclosures of medical information.

These new legal provisions will affect HIPAA covered entities in California, pharmaceutical and medical device companies and others who maintain records about California consumers, employers who maintain medical or health insurance records about California employees, and businesses involved in personal and electronic health records.