A Senate bill gives the state more flexibility in penalizing privacy violations by a clinic, home health agency, hospice or other health facility, allowing it to authorize an initial penalty of up to $25,000 for a first violation, instead of a flat $25,000 in existing law, and up to $17,500 for subsequent violations, instead of a flat $17,500.
It also requires that the department consider a provider's size, history of compliance and other mitigating circumstances, including the extent to which it detected the violation and took action to correct past actions and to prevent violations from reoccurring.
A companion bill in the California State Assembly created within the state health department the Office of Health Information Integrity, or CalOHII, to ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information.
The law authorizes the new office to write rules and regulations pursuant to the new law and gives it flexibility in enforcement authority over new and existing medical privacy laws. It includes the right by the office to levy penalties in its own name against violators as well as recommend to city, county and district attorneys and the state attorney general that they bring civil action to enforce the law. The office also has the authority to refer cases involving alleged privacy violations by licensed healthcare providers to their appropriate state licensing agencies for additional enforcement action.
David Nelson, privacy officer for San Diego County, says state officials have just begun gathering information from affected entities in advance of their rule-making on the new laws, which he says he does not expect to be completed by Jan. 1. The county operates the San Diego County Psychiatric Hospital, San Diego, and San Diego County Edgemoor Hospital, a geriatric hospital in Santee. On balance, Nelson says, the new laws are good. They give CalOHII the authority to pursue privacy enforcement itself through administrative action. Previously, its predecessor, the California Office of HIPAA Implementation, had to rely on either the state attorney general or a district attorney to file suit against a privacy offender, which, Nelson says, may never have happened.
"I've been at this 13 years now and I've never heard anyone file suit," Nelson says. "There was no enforcement. It's never egregious enough. Why would the attorney general come in and file suit against anybody for a lousy $25,000? So the law, before this, really didn't have any teeth. Now, they've got some. Now, CalOHII doesn't have to file suit; they can come out and do it administratively."
Under current state law, individuals have had a private right of action against companies that violate their healthcare privacy rights, Nelson says, but a new provision allows nominal damages of $1,000 to be sought against any person or entity who has negligently released confidential information or records concerning him or her. Under this provision, the plaintiff does not have to show that he or she suffered or was threatened with actual damages, only that negligence occurred. Nelson does say he worries whether providers will be besieged by small lawsuits under this provision.
"This part is not clear, and I think we'll have a lot of attorneys out there trying to make a fast $300 or $400 for filing actions with this," Nelson says. "Still, to recover even nominal damages, they have to prove we're negligent. That's the hard part."
The law also provides that CalOHII can make referrals to licensing boards for privacy violations it investigates.
"It's already current law now, if a healthcare provider uses medical information in an unauthorized way, they could be disciplined by their licensing board," says Teresa Kline, a lobbyist for the California Medical Association. "This just made the connection more clear."