Good News: California Extends Its Medical Data Breach Notification Requirement From 5 to 15 Days
On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often found it difficult to investigate reasonably and respond to a potential breach within the five-day period. This law takes effect on Jan. 1, 2015.
Changes to California Health and Safety Code Section 1280.15
California’s clinics, health facilities, home health agencies, and hospices are required to prevent breaches of medical information, defined as any unlawful or unauthorized access to, use of, or disclosure of, patients’ medical information. Previously, under California Health and Safety Code Section 1280.15 (“Section 1280.15”), these entities were required to notify affected individuals and the California Department of Public Health within five business days. Pursuant to Assembly Bill 1755, which amends Section 1280.15, these healthcare providers are afforded significantly more time:
| Previous Requirements | Amended Requirements |
| --- | --- |
| Reporting entities had five business days to report a breach to the California Department of Public Health, the affected patient, and/or the patient’s representative. | Reporting entities have 15 business days to report a breach to the California Department of Public Health, the affected patient, and/or the patient’s representative. |
| A report to a patient or the patient’s representative had to be made by U.S. mail to that person’s last known address. | A report to a patient or the patient’s representative may be completed by alternative means, such as email, where this form of communication has been agreed to in writing. A report to a patient or the patient’s representative may also be sent to an alternative location that the patient or representative specified in writing. |
| If reporting was delayed due to law enforcement, the report was still required to be submitted within five business days at the end of the delay period. | If reporting is delayed due to law enforcement, the report is now required to be submitted within 15 days at the end of the delay period. |
“Medical Information”
Notably, the breach notification requirements of Section 1280.15 apply only to “medical information as defined in Civil Code Section 56.05(j).” The changes to Health and Safety Code Section 1280.15 do not affect any requirements with respect to breaches related to “personal information” under California’s Security Breach Notification Laws at Civil Code Sections 1798.29 (applying to California agencies) and 1798.82 (persons or businesses that conduct business in California).
A recent California Court of Appeal case, Eisenhower Medical Center v. Superior Court of Riverside County, clarified that the Civil Code Section 56.05(j) statutory phrase “medical information” does not refer to mere demographic information that is maintained by a healthcare entity, but rather must be “substantive information regarding a patient’s medical condition or history that is combined with individually identifiable information.” (Emphasis added.)
Next steps for providers that are subject to Section 1280.15 (i.e., clinics, health facilities, home health agencies, and hospices):
- You should amend applicable policies, procedures, and breach response plans by Jan. 1, 2015 to reflect these changes to the law.
- You should also train staff on the changes prior to Jan. 1, 2015.