Billing Beat

California Issues New Health Facility Breach Reporting Requirements

September 14, 2021

On July 1, 2021, the California Department of Public Health (“CDPH”) issued new regulations[1] (the “Regulations”) effective immediately that more narrowly limit the circumstances under which instances of unauthorized access to medical information have to be reported to CDPH. The new regulations also give CDPH more discretion to adjust penalties for violations. The Regulations complement Section 1280.15 of the Health and Safety Code (“Section 1280.15”) requiring state-licensed clinics, health facilities, home health agencies, and hospices to prevent any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information, and to report any unauthorized access, use or disclosure to the Department no later than fifteen (15) business days after the breach was detected.

In large part, the Regulations synchronize state requirements with those provided by the Health Insurance Portability and Accountability Act of 1996 and its related regulations[2] (collectively, “HIPAA”). However, the Regulations transcend HIPAA requirements in several ways, most notably by granting CDPH significant access to organizational records, documentation, and internal assessments in the event of a breach.

Source: https://www.jdsupra.com/legalnews/california-issues-new-health-facility-1987034/

Sign up for Billing Beat