To provide greater protection for the privacy of medical patients' health information, California has passed two new companion bills, Senate Bill 541 and Assembly Bill 211. Both new pieces of legislation, signed by Governor Schwarzenegger, will take effect January 1, 2009.

These bills are, in part, a reaction to several recent high profile medical data breaches. Most notable, and even mentioned in the legislative history of these bills, are the recent celebrity data breaches from the UCLA Medical Center. In fact, the assembly committee summary for Senate Bill 541 specifically mentions that “celebrities treated at UCLA Medical Center, including Britney Spears, Farrah Fawcett, and Maria Shriver had their medical records viewed or disclosed by numerous unauthorized employees.” Over 120 employees have been implicated in these and other breaches.

Senate Bill 541 creates new specific penalties for hospitals and other health care providers that fail to prevent unauthorized access, use and/or disclosure of private health information. The state Department of Health Services (DHS) may, after investigation of breaches, penalize health care providers $25,000 per patient, with a cap of $25,000 per reported incident. Further, an additional $17,500 fine may be assessed for subsequent occurrences of unauthorized access of a patient’s private health information.

In assessing fines, DHS is to take into consideration the facility's history of compliance and the extent to which the facility detected the privacy violations and took preventative action to immediately correct past violations and prevent them from recurring. The DHS's authority here is quite broad, and based on the statutory language, DHS will have significant discretion in assessing any fines. This situation suggests that Risk Managers should add additional protocols and/or root cause analysis for any health breach violations.

If any breach of information occurs, this legislation requires that the health care provider report the breach to DHS within five days of the breach being detected. If the provider fails to do so, DHS may assess penalties of up to $100 per day until the incident is reported.

Assembly Bill 211 likewise provides some additional privacy safeguards for patient health information. This bill creates a new state office, the Office of Health Information Integrity. The purpose of this office is to ensure the enforcement of state confidentiality laws. It is further empowered to impose administrative penalties ranging from $1,000 to $250,000 against health providers.

The funds collected from both bills are slated to be used to support various quality improvement activities. This will be accomplished in part through some of the funds being diverted to the Licensing and Certification Program which is a part of DHS.

These two new pieces of legislation will greatly expand California's efforts to protect private health information. While the goal of this legislation is to protect health information, it will add pressure on health care providers who are still working to ensure they are fully compliant with the federal privacy laws laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These two new pieces of California legislation will mandate that health providers in California maintain even stricter privacy guidelines above and beyond HIPAA. This new legislation will likely cause initial headaches for providers, but at the end of the day, the goal of the legislation is not to punish health care providers, but instead, to better protect patient privacy.

This article appeared in the November 2008 edition of The San Diego Business Journal.

Stephen T. Sigler is a shareholder and trial lawyer at Neil Dymott Hudson. He specializes in civil litigation with emphasis in general and professional liability. Mr. Sigler may be reached at (619)238-1712.