Health Law Advisories
You Snoop, You Pay; The California Legislature Enacts Expanded Privacy Protections and Increases Penalties For Violations
October 23, 2008
Dear Friends and Clients:
On September 30, 2008, Governor Arnold Schwarzenegger signed into law two new health information privacy bills -- AB 211 and SB 541 -- that impose new obligations on health facilities and permit the Department of Public Health (DPH) to levy substantially increased administrative penalties. Health & Safety Code §§ 1280.1, 1280.3, 1280.15 and 130200 – 130205. These become effective on January 1, 2009.
These companion bills are, in part, a legislative response to recent high profile medical information privacy breaches by an employee of a prominent teaching hospital. A hospital employee was charged with illegally accessing confidential medical records 939 times, and snooping into the medical information of more than 6,000 individuals. The California Legislature has expanded the reach of privacy protections beyond improper “use” or “disclosure” to the prevention of “access” to medical information.
Among other things, these laws require hospitals, clinics, skilled nursing facilities, hospices and health plans to establish and implement administrative, technical and physical safeguards to protect the privacy of patients’ medical information. AB 211 establishes the California Office of Health Information Integrity (the OHII) within the California Health & Human Services Agency to “ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information.”
The companion bill, SB 541, also impacts your facility in a number of important ways.
Immediate Jeopardy
The new law substantially increases the administrative penalties for a deficiency constituting an “immediate jeopardy” violation by a general acute care hospital, a psychiatric hospital or a specialty hospital. An immediate jeopardy violation means a situation in which a licensee’s noncompliance with the licensing regulations is likely to cause serious injury or death to a patient. Prior to the enactment of SB 541, hospitals could face administrative penalties that did not exceed $25,000 per violation. Effective January 1, 2009, this amount increases to $100,000 per violation, based on the following graduated scale:
- for the first violation, up to $50,000;
- for the second violation occurring within three years, up to $75,000; and
- for the third and subsequent violations occurring within three years, up to $100,000.
In addition, once regulations are adopted by the DPH, the maximum penalties at each level will increase by an additional $25,000 per violation. For deficiencies that do not rise to the level of “immediate jeopardy,” SB 541 increases the penalty from $17,500 to up to $25,000 per deficiency.
Violations of Patients’ Medical Information
Under SB 541, the DPH will now have authority to fine health facilities not only for unlawful use or disclosure of patient medical information, but for the failure to prevent “unauthorized access” to such information. The new provisions apply to all health facilities including hospitals, nursing facilities, chemical dependency and psychiatric health facilities, clinics, home health agencies and hospices.
Effective January 1, 2009, the DPH may assess, after investigation, an initial administrative penalty of up to $25,000 per patient whose medical information is unlawfully or without authorization accessed, used or disclosed. For each subsequent violation, the maximum sanction is $17,500.
Reporting Obligations and Penalties
A health care facility is now required to report any unlawful or unauthorized access, use or disclosure of a patient’s medical information to the DPH and the patient no later than 5 days after it has been detected. The failure to report such a violation subjects a facility to a penalty of $100 per day. The combined total of the SB 541 medical information penalties cannot exceed $250,000 for each reportable event.
AB 211 and SB 541 significantly expand patient privacy protections and create new financial, operational and administrative burdens on health care facilities. Providers must make some effort to reengineer compliance programs, assess and update medical information security systems, revise privacy and security policies and educate employees on the new laws.
If you have any questions about AB 211 or SB 541, please contact John Hellow in our Los Angeles office at (310) 551-8111; Mark Reagan, Steve Phillips or Michael Dubin in our San Francisco office at (415) 875-8500; or Cary Miller in our San Diego office at (619) 744-7300.
Very truly yours,
Hooper, Lundy & Bookman, Inc.
