Moses & Singer, LLP - Partner Announcement

On January 1, 2008 a new California law took effect that expands the scope of the California security breach notification statute and subjects a wider range of health care-related companies to regulation under California’s medical privacy laws.

California enacted the first state security breach notification law in 2003. This law generally requires that any person or entity conducting business in California that owns or licenses computerized data that includes personal information must disclose any breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. “Personal information” has been defined as an individual’s first name or first initial, in combination with specified data elements, including a Social Security Number, driver’s license number or account number, credit card or debit card number combined with any required security code or password.

The new law, A.B. 1298, expands the above definition of “personal information.” It now includes “medical information” and “health insurance information.” “Medical information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” “Health insurance information” is defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claim history, including any appeals records.”

A.B. 1298 was passed with the intent of combating medical identity theft. Under the prior version of the California Security Breach Notification Law, a leak of sensitive health-related information did not trigger an obligation by health care entities to notify individuals because the identifiers were not a Social Security number, driver’s license or financial information. Since January 1, however, health care entities conducting business in California are obligated to notify individuals in the event of a breach involving medical information or health insurance information, so long as the entity reasonably believes the information has been subject to unauthorized access.

A.B. 1298 also expands the reach of California’s medical privacy law, the Confidentiality of Medical Information Act (“CMIA”), to a wider range of health care-related entities, particularly entities that offer web-based personal health record services to individuals. Under this law, covered entities are generally prohibited from disclosing medical information about a patient without the patient’s prior authorization, subject to certain exceptions. While the CMIA previously defined covered entities to include any business that maintains medical information for the “primary purpose” of making the information available for diagnosis or treatment, A.B. 1298 deletes the “primary purpose” standard, thereby expanding the CMIA to regulate “any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for the purposes of allowing the individual to manage his or her own information, or for the diagnosis or treatment of the individual.”

The impact of A.B. 1298 will be substantial, particularly with respect to the expansion of the terms of the Security Breach Notification Law. Entities that possess medical information or health insurance information and do business with California residents must be particularly vigilant about safeguarding this information to avoid triggering notification requirements, which, in turn, could lead to potentially devastating reputational effects. While the revisions made by A.B. 1298 that broaden the reach of the CMIA are targeted to entities that create web-based personal health records, any entity that chooses to submit health information on behalf of an individual to a personal health record company should be aware of its own obligations under the CMIA. To respond to these new developments in California law, an entity should review its privacy and security policies now and incorporate any necessary changes to them before an incident occurs that could harm the entity and the individuals it serves.

We will continue to keep you informed as to any changes and/or updates to the law.

If you have any questions regarding this Healthcare Practice Bulletin please contact:

Linda A. Malek
(212) 554-7814
lmalek@mosessinger.com

Jill E. Anderson
(212) 554-7836
janderson@mosessinger.com

Jay D. Meisel
(212) 554-7823
jmeisel@mosessinger.com

Samuel J. Servello
(212) 554-7872
sservello@mosessinger.com


The Chrysler Building
405 Lexington Avenue
New York, NY 10174-1299
Tel: 212.554.7800 Fax: 212.554.7700

2200 Fletcher Avenue
Fort Lee, NJ 07024
Tel: 201.363.1210 Fax: 201.363.9210
Abraham Y. Skoff, Esq., Managing Attorney for New Jersey


Disclaimer

Viewing this email or contacting Moses & Singer LLP by e-mail does not create an attorney-client relationship.

ATTORNEY ADVERTISING

It is possible that under the laws, rules or regulations of certain jurisdictions, this email may be construed as an advertisement or solicitation.
