Part two of a two-part series (Access part one here):
California's two new healthcare privacy laws are a mixed bag to Jan Emerson, vice president of external affairs for the California Hospital Association.
The association favored the privacy bill passed earlier this year by the California State Assembly, but was neutral on the accompanying Senate version, both of which go into effect Jan. 1, 2009. The Assembly version "gives the state the ability to actually go after individual employees who violate patient privacy," Emerson said, but the Senate bill also contained a provision, off-putting to the CHA, that substantially upped the penalties for other so-called immediate jeopardy deficiencies, from $25,000 per violation under current law to $50,000 for a first offense, $75,000 for a second and $100,000 for a third.
"A hospital can do everything it can do," Emerson said, "but if one rogue employee decides they want to go after information and sell it to the National Enquirer, an entire hospital should not be liable."
The 595-bed Ronald Reagan UCLA Medical Center, where a number of celebrity privacy breaches occurred that sparked the legislative responses, is one hospital that has this problem, Emerson said. "Our laws have been stricter than the federal laws for many years. We fully support that. What happened at UCLA was wrong, but those are the actions of individuals."
The new laws don't change several current elements of California patient privacy statutes, which are more stringent than those in the key federal healthcare privacy law, the Health Insurance Portability and Accountability Act of 1996. One of those differences is that in California, individuals may sue a provider or other healthcare organization that violates their privacy rights. HIPAA prohibits such private-rights action.
David Nelson, privacy officer for San Diego County, said he also recently saw a legal presentation that leads him to believe personal health-record service vendors are affected by the new laws. "So, welcome to the block, kids," Nelson said. But that interpretation, which also is broader than the scope of HIPAA, which is limited to so-called covered entities (providers, payers and claims clearinghouses), is beneficial, he said.
"It is inclusive," Nelson said. "It's better than this mishmash with some in and some out. It's pretty clear, if you read it straight out. They didn't talk about being a covered entity. They said if you store or if you transmit healthcare information, you're covered."