California Updates Rules on Health Facility Data Breaches

New regulations require facilities to report more information following a breach

By Chris Miller, Assistant Editor, Facility Market


The California Department of Public Health (CDPH) recently issued new regulations that more narrowly limit the situations in which cases of unlawful or unsanctioned access to medical data must be reported, according to Health IT Security. The new rules give the CDPH more power to modify penalties for violations, while health facilities have 15 days to report breaches of medical information. The rules are similar to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but go beyond it in a couple of ways.

The new regulations require facilities to include a brief description of the breach, a description of the types of items involved in the breach and the steps affected individuals should take to safeguard themselves from potential harm. Previously, health systems did not have to provide specific information regarding breaches. 

The regulations also require organizations to report to CDPH all information contained in the patient notices, as well as the names of all affected patients, the names and contact information of those who carried out the breach, and any audit reports, written statements, or other documents that the facility relied upon in determining that a breach occurred, among other items.

Penalties for violations include up to $25,000 per patient whose medical information was unlawfully accessed, used, or disclosed, as well as up to $17,500 per subsequent occurrence, according to the National Law Review. The CDPH also has the power to impose a penalty of $100 for each day that the facility fails to report the breach to either CDPH or a patient. The rules set out a more precise method for calculating administrative penalties: a base penalty amount of $15,000 for initial violations, along with an amount equal to 70 percent of the initial violation for subsequent breaches.

The new rules were created in part to limit the number of reports to CDPH, but the requirements are more stringent on the amount of specific information a healthcare facility must send when a breach occurs. The CDPH will likely capitalize on the decrease in reports to examine organizations more thoroughly after a reported breach. Health systems in California and around the country should be aware of these changes to minimize potential penalties that could cost a facility tens of thousands of dollars. These new rules only apply to California systems, but awareness of changing regulations anywhere in the country benefits health care facilities.



August 6, 2021


Topic Area: Industry News

