April 2009

These two laws have prompted health care providers to put more emphasis on data security and privacy controls. The reason is because they significantly increase penalties and fines on facilities failing to prevent unauthorized access, they impose fines if mandatory reporting requirements are not followed, and they allow individuals to sue.

The bills were prompted into law when reports of UCLA Medical Center employees were discovered prying into the medical records of celebrities, one being Maria Shriver, Schwarzenegger’s wife. We all know that when identity theft or exposed personal information hit the political sector, new laws start mounting. So in addition to “unlawful” access previously regulated, the new law takes steps to prevent “unauthorized” access to patient health data as well.

Just this week, California’s “Octomom” who gave birth to octuplets, had her medical records breached by employees at Kaiser Permanente Medical Center who had no medical reason to view them. Fifteen employees have been fired so far and others were given disciplinary action.

California Senate Bill 541 alters the Health and Safety Code creating a stricter standard than any currently in effect under state law or HIPAA because facilities are required to “prevent” unauthorized access. This means that medical facilities have an increased obligation under this law to know what information employees are accessing, which goes beyond merely taking basic precautions to try and stop inappropriate access.

This law requires health facilities, clinics, hospices, and home health agencies to prevent unlawful or unauthorized access to, use or disclosure of, or disclosure of, a patient’s medical information. Administrative penalties for privacy breaches can

Assembly Bill 211 provides a state Office of Health Information Integrity (OHII) that is responsible for enforcing the new statutes and imposing administrative fines on entities that fail to implement
specified safeguards to protect the privacy of a patient’s medical information. This applies to any person or provider involved in the violation, whether or not they are licensed. The OHII may also refer licensed individuals to their appropriate licensing boards for sanctions and penalties.

Although HIPAA security standards address use and disclosure, they do not address access to information. AB 211 adds to the Health and Safety Code requiring every provider of health care to establish and implement appropriate administrative, technical and physical safeguards to protect the privacy of a patients’ medical information. These providers, defined in California’s Confidentiality of Medical Information Act (the “CMIA”), include health care professionals licensed in California and businesses organized for the purposes of making patients’ medical information available to patients or providers, such as health care service plans. It also allows individuals to take legal action against covered entities and licensed health professionals for failing to adequately protect their medical data. Patients can claim up to $1,000 in damages, even if a data exposure caused no harm to them.

Many health care businesses in California are scrambling to ensure they meet the stringent new guidelines. NCX Group can help you achieve compliancy that may be lacking. We can conduct security audits that identify potential unauthorized access, assess your facility’s current policies and procedures, and help you prepare to take prompt action when violations of patient privacy are identified.

For more information about our services or for a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.