888-448-5451 [email protected]

NCX Newsletter Banner

If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.
When California Gov. Arnold Schwarzenegger signed AB 211 and SB 541 into law last year, it required all health care providers to establish and implement administrative, technical and physical safeguards to protect patient data as of January 1, 2009.

These two laws have prompted health care providers to put more emphasis on data security and privacy controls. The reason is because they significantly increase penalties and fines on facilities failing to prevent unauthorized access, they impose fines if mandatory reporting requirements are not followed, and they allow individuals to sue.

The bills were prompted into law when reports of UCLA Medical Center employees were discovered prying into the medical records of celebrities, one being Maria Shriver, Schwarzenegger’s wife. We all know that when identity theft or exposed personal information hit the political sector, new laws start mounting. So in addition to “unlawful” access previously regulated, the new law takes steps to prevent “unauthorized” access to patient health data as well.

Just this week, California’s “Octomom” who gave birth to octuplets, had her medical records breached by employees at Kaiser Permanente Medical Center who had no medical reason to view them. Fifteen employees have been fired so far and others were given disciplinary action.

California Senate Bill 541 alters the Health and Safety Code creating a stricter standard than any currently in effect under state law or HIPAA because facilities are required to “prevent” unauthorized access. This means that medical facilities have an increased obligation under this law to know what information employees are accessing, which goes beyond merely taking basic precautions to try and stop inappropriate access.

This law requires health facilities, clinics, hospices, and home health agencies to prevent unlawful or unauthorized access to, use or disclosure of, or disclosure of, a patient’s medical information. Administrative penalties for privacy breaches can

ISSUE: April 2009

Subscribe to
Security Update
Envelope Graphic
2009 Reported Data Breaches
Keep yourself updated on the latest security breach disclosures
Network Attack Map
NCX VisionSee What You’ve Been Missing
Learn more here >>
Picture of SOC
Looking forManaged Security Services?Call us at 888-448-5451 or contact us below

Follow NCX on Twitter at

To have an NCX Group Representative Contact You
Email us here

reach up to $25,000 per patient per privacy breach violation, and up to $17,500 for each subsequent accessing, use or disclosure of that information. The facility or agency is also bound to report a violation within five days of being discovered. Failure to do so can amount to a penalty of $100 per violation for each day late in reporting, up to a maximum of $250,000.

Assembly Bill 211 provides a state Office of Health Information Integrity (OHII) that is responsible for enforcing the new statutes and imposing administrative fines on entities that fail to implement
specified safeguards to protect the privacy of a patient’s medical information. This applies to any person or provider involved in the violation, whether or not they are licensed. The OHII may also refer licensed individuals to their appropriate licensing boards for sanctions and penalties.

Although HIPAA security standards address use and disclosure, they do not address access to information. AB 211 adds to the Health and Safety Code requiring every provider of health care to establish and implement appropriate administrative, technical and physical safeguards to protect the privacy of a patients’ medical information. These providers, defined in California’s Confidentiality of Medical Information Act (the “CMIA”), include health care professionals licensed in California and businesses organized for the purposes of making patients’ medical information available to patients or providers, such as health care service plans. It also allows individuals to take legal action against covered entities and licensed health professionals for failing to adequately protect their medical data. Patients can claim up to $1,000 in damages, even if a data exposure caused no harm to them.

Many health care businesses in California are scrambling to ensure they meet the stringent new guidelines. NCX Group can help you achieve compliancy that may be lacking. We can conduct security audits that identify potential unauthorized access, assess your facility’s current policies and procedures, and help you prepare to take prompt action when violations of patient privacy are identified.

For more information about our services or for a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
Copyright ©2009 NCX Group, Inc. All rights reserved.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
If you do not wish to receive future NCX Group Security Updates, please email us here