The California Department of Public Health (CDPH) recently issued new regulations that more narrowly limit the situations in which cases of unlawful or unsanctioned access to medical data must be reported, according to Health IT Security. The new rules give CDPH more power to modify penalties for violations, while health facilities still have 15 days to report breaches of medical information. The rules resemble the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but go beyond it in a couple of ways.
The new regulations require facilities to include a brief description of the breach, a description of the types of items involved in the breach and the steps affected individuals should take to safeguard themselves from potential harm. Previously, health systems did not have to provide specific information regarding breaches.
The regulations also require organizations to report to CDPH all information contained in the patient notices, along with the names of all affected patients, the names and contact information of those who carried out the breach, and any audit reports, written statements, or other documents the facility relied upon in determining that a breach occurred, among other items.
Penalties for violations include up to $25,000 per patient whose medical information was unlawfully accessed, used, or disclosed, as well as up to $17,500 per subsequent occurrence, according to the National Law Review. CDPH may also impose a penalty of $100 for each day that a facility fails to report the breach to either CDPH or a patient. The rules also set out a more precise method for calculating administrative penalties: a base penalty amount of $15,000 for initial violations, plus an amount equal to 70 percent of the initial violation for subsequent breaches.
The new rules were created in part to reduce the number of reports submitted to CDPH, but they are more stringent about the amount of specific information a healthcare facility must send when a breach occurs. CDPH will likely use the decrease in report volume to examine organizations more thoroughly after a reported breach. Health systems in California and around the country should be aware of these changes in order to minimize potential penalties, which could cost a facility tens of thousands of dollars. The new rules apply only to California systems, but awareness of changing regulations anywhere in the country benefits health care facilities.