Part one of a two-part series (Access part two):
Come next year, two new California healthcare privacy laws will take effect, establishing an office of privacy enforcement traffic controller in the state health department, while closing a loophole in existing law that allowed snooping into celebrities medical records without state penalty.
Both bills passed the state Legislature in late August by substantial margins and were signed into law by Gov. Arnold Schwarzenegger on Sept. 30. Both have a Jan. 1, 2009 effective date. Both were drafted in reaction to revelations earlier this year that the medical records of celebrities Farrah Fawcett, Britney Spears and Maria Shriver, the governors wife, had been improperly perused by employees at 595-bed Ronald Reagan UCLA Medical Center.
More flexibility, enforcement
A Senate bill gives the state more flexibility in penalizing privacy violations by a clinic, home health agency, hospice or other health facility, allowing it to authorize an initial penalty of up to $25,000 for a first violation, instead of a flat $25,000 in existing law, and up to $17,500 for subsequent violations, instead of a flat $17,500.
It also requires that the department consider a providers size, history of compliance and other mitigating circumstances, including the extent to which it detected the violation and took action to correct past actions and to prevent violations from reoccurring.
A companion bill in the California State Assembly created within the state health department the Office of Health Information Integrity, or CalOHII, to ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information.
The law authorizes the new office to write rules and regulations pursuant to the new law and gives it flexibility in enforcement authority over new and existing medical privacy laws. It includes the right by the office to levy penalties in its own name against violators as well as recommend to city, county and district attorneys and the state attorney general that they bring civil action to enforce the law. The office also has the authority to refer cases involving alleged privacy violations by licensed healthcare providers to their appropriate state licensing agencies for additional enforcement action.
David Nelson, privacy officer for San Diego County, says state officials have just begun gathering information from affected entities in advance of their rulemaking on the new laws, which he says he does not expect to be completed by Jan. 1. The county operates the San Diego County Psychiatric Hospital and San Diego County Edgemoor Hospital, a geriatric hospital in Santee. On balance, Nelson says, the new laws are good. They give CalOHII the authority to pursue privacy enforcement itself through administrative action. Previously, its predecessor, the California Office of HIPAA Implementation, had to rely on either the state attorney general or a district attorney to file suit against a privacy offender, which, Nelson says, may never have happened.
Ive been at this 13 years now, and Ive never heard anyone file suit, Nelson says. There was no enforcement. Its never egregious enough. Why would the attorney general come in and file suit against anybody for a lousy $25,000? So the law, before this, really didnt have any teeth. Now, theyve got some. Now, CalOHII doesnt have to file suit; they can come out and do it administratively.
Under current state law, individuals have had a private right of action against companies that violate their healthcare privacy rights, Nelson says, but a new provision allows nominal damages of $1,000 to be sought against any person or entity who has negligently released confidential information or records concerning him or her. Under this provision, the plaintiff does not have to show that he or she suffered or was threatened with actual damages, only that negligence occurred. Nelson does say he worries whether providers will be besieged by small lawsuits under this provision.
This part is not clear, and I think well have a lot of attorneys out there trying to make a fast $300 or $400 for filing actions with this, Nelson says. Still, to recover even nominal damages, they have to prove were negligent. Thats the hard part.
The law also provides that CalOHII can make referrals to licensing boards for privacy violations it investigates.
Its already current law now, if a healthcare provider uses medical information in an unauthorized way, they could be disciplined by their licensing board, says Teresa Kline, a lobbyist for the California Medical Association. This just made the connection more clear.
Defining unauthorized access
The Assembly bill also defines unauthorized access as the inappropriate review or viewing of patient medical information without a direct need for medical diagnosis, treatment or other lawful use. That provision aims to close a loophole in the state privacy law that became glaringly apparent when the celebrity breach cases came to light earlier this year, according to Kline.
What was happening was that people were going in and snooping and just looking, Kline says. Since most werent using the information, that technically wasnt against the law, so they changed it to include unauthorized access.
Kline says the California Medical Association didnt take a stand on the Senate bill because it dealt with facilities, but it did have initial concerns about the Assembly legislation. After negotiations with the governor and legislative sponsors, the California physicians group ended up supporting it.
We do believe that the (Assembly) bill was an appropriate step to prevent unauthorized access and to continue to protect the confidentiality and privacy of medical information, Kline says. What we asked for was some reasonableness and flexibility. The new laws allow the enforcement agency to look at the size and capabilities of a providers office, Kline says, allowing the state to take into consideration that a small provider in Northern California might have fewer resources than a 100-physician practice in Los Angeles. Those were some things we were looking for.
This story initially appeared in this week's edition of Modern Healthcare magazine.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.