California Breach Regulations Applicable to Health Care Facilities Align “Breach” Definition with HIPAA, Expand Reporting Obligations, and Clarify Penalty Structure
California clinics, health facilities, home health agencies, and licensed hospices required to report breaches to the California Department of Public Health (CDPH) under California’s Health and Safety Code Section 1280.15 (Section 1280.15) are now subject to a new set of regulations. Section 1280.15, which has been in effect for a number of years, requires certain licensed California health care facilities to “prevent unlawful or unauthorized access to, and use or disclosure” of medical information and report any unlawful or unauthorized access, use, or disclosure of a patient’s medical information to the CDPH and the patient no later than 15 business days after discovery. The new regulations implementing Section 1280.15 expand the exceptions to the breach notification reporting requirement, impose requirements for the type of information that must be submitted to the CDPH in the event of a breach, and clarify the penalties available in the event of a violation of the regulations. This alert outlines the major takeaways from these new regulations and how they may affect California health care facilities moving forward.
1. Expands Exceptions to Definition of “Breach” to Closely Align with HIPAA
Section 1280.15 contains only one exception to the reporting requirement, for internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services. The new regulations expand the exceptions so that certain types of access, use, and disclosure are not considered “breaches,” aligning the definition of “breach” closely to HIPAA’s definition. The following are excluded from the definition of “breach” under the California regulations:
Any paper record, electronic mail, or facsimile transmission inadvertently (i) accessed, used, or disclosed within the same health care facility or health care system, where the information is not further accessed, used, or disclosed unless permitted or required by law; or (ii) sent outside the same health care facility or health care system to a HIPAA-covered entity, where the transmission was inadvertently misdirected within the course of coordinating care or delivering services.
A disclosure in which a health care facility has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such medical information.
Access, use, or disclosure of patients’ medical information permitted or required by state or federal law.
Lost or stolen encrypted electronic data where the encrypted electronic data has not been accessed, used, or disclosed in an unlawful or unauthorized manner.
A disclosure where the health care facility determines there is only a low probability of compromise in accordance with HIPAA’s four-factor analysis, reviewing at least the following facts: (i) the nature and extent of the medical information involved; (ii) the unauthorized user or recipient of the medical information; (iii) whether the medical information was actually acquired or viewed; and (iv) the extent to which the risk of access to the medical information has been mitigated.
2. Establishes Expanded Reporting Requirements for the Information that Must Be Reported to the CDPH
The timeframe for reporting breaches to the CDPH and patients continues to be 15 business days. Under the regulations, the notice to the CDPH must include detailed information about the applicable facility, the patients affected, the medical information involved, the breach occurrence itself, other related breaches, and investigation efforts, and further requires that health care facilities continue to submit any supplemental information to the CDPH as it becomes available. Notably, the notice must include any “audit reports, witness statements, or other documents that the health care facility relied upon in determining that a breach occurred.”
The breach is not deemed reported to the CDPH unless the health care facility has made a good faith effort to report all required information. This means that a health care facility that fails to report all information required by the regulations in its notice to the CDPH could be deemed to have not “reported” the breach to the CDPH.
3. Clarifies Penalty Structure
Under Section 1280.15, the CDPH may assess an administrative penalty of up to $25,000 per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. In addition, the CDPH may assess $100 for each day a health care facility fails to report a breach to the CDPH or the patient. The total penalty for a health care facility per reported event cannot exceed $250,000.
The regulations further clarify the administrative penalties that the CDPH may assess against health care facilities experiencing a breach, and the further penalties for those that fail to comply with the regulation’s reporting requirements. The base penalty for breaches is $15,000 per violation; however, penalties may be increased or decreased by a maximum of $10,000 by the CDPH in accordance with several adjustment factors, not to exceed $25,000 per patient whose medical information was breached. These adjustment factors include: (i) the applicable facility’s compliance history; (ii) the extent to which the health care facility detected violations and took preventative action to immediately correct and prevent past violations from recurring; (iii) any applicable factors outside of the facility’s control, including fires, explosions, natural disasters, severe weather events, war, invasion, civil unrest, acts or threats of terrorism, and utility or infrastructure failure; and (iv) any other factors identified by the CDPH as applicable to the specific circumstances surrounding the breach.
In addition to this initial penalty, the CDPH may assess additional penalties for subsequent breach occurrences of a patient’s medical information relating to a reported event, in an amount equal to 70% of the initial penalty, not to exceed $17,500 per subsequent occurrence. A health care facility continues to be subject to the $100 per day penalty under Section 1280.15 for failure to timely report the breach.
Health care facilities subject to Section 1280.15 will need to carefully consult the new regulations when reporting breaches to the CDPH and the patient, but will likely find some relief in the newly revised definition of “breach” that more closely aligns with HIPAA.