Privacy Issues in the Community College Workplace

12. CALIFORNIA PATIENT PRIVACY PROTECTIONS

Due to an increase in employee snooping into celebrity medical files at UCLA, California laws are consistently evolving in an attempt to protect patient privacy. New laws require health care providers to safeguard patient data and to report unauthorized access within five days to the state and the individual. The state can levy penalties up to $25,000 per patient for privacy breaches.

In 2008, the California Legislature passed Assembly Bill 211 (“AB 211”) by Assemblyman Dave Jones, D-Sacramento, and Senate Bill 541 (“SB 541”) by Sen. Elaine Alquist, D-Santa Clara. AB 211 added Section 130203 [renumbered in 2014 to Section 1280.18 per SB 857] to the Health and Safety Code and establishes the California Office of Health Information Integrity (CalOHII) to: (1) ensure the enforcement of state law mandating the confidentiality of medical information; and (2) impose administrative fines for the unauthorized access, use or disclosure of medical information.

Every provider of health care must establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care must also reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure. “Unauthorized access” is defined as the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the CMIA or by other statutes or regulations governing the lawful access, use, or disclosure of medical information. CalOHII shall also adopt, amend, or repeal such rules and regulations as may be reasonable and proper to carry out the purposes and intent of this division, and to enable the authority to exercise the powers and perform the duties conferred upon it by this division not inconsistent with any other provision of law.

SB 541, a companion bill, applies the AB 211 standards to licensed health facilities. The bill adds Section 1280.15 to the Health and Safety Code, which directs that "[a licensed] clinic, health facility, home health agency, or hospice...shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information...consistent with Section 130203."

Also, on August 19, 2009, pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, the U.S. Department of Health and Human Services (DHHS) issued “breach” notification regulations.[129] The regulations require health care providers and other covered entities under the Health Insurance Portability and Accountability Act (HIPAA) (see Section 3.J.3., infra) to notify affected individuals following a breach of unsecured protected health information. If a breach occurs, covered entities must promptly notify affected individuals, the Secretary of DHHS, and in some cases, the media, of the breach. Minor breaches may be reported to the Secretary annually. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

Privacy Issues in the Community College Workplace ©2019 Liebert Cassidy Whitmore
