California Breach Regulations Applicable to Health Care Facilities Align “Breach” Definition with HIPAA, Expand Reporting Obligations, and Clarify Penalty Structure

Jennifer Hennessy, Chloe Talbert, and Jennifer Urban of Foley Lardner write: California clinics, health facilities, home health agencies, and licensed hospices required to report breaches to the California Department of Public Health (CDPH) under California’s Health and Safety Code Section 1280.15 (Section 1280.15) are now subject to a new set of regulations. Section 1280.15, which has been in effect for a number of years, requires certain licensed California health care facilities to “prevent unlawful or unauthorized access to, and use or disclosure” of medical information and report any unlawful or unauthorized access, use, or disclosure of a patient’s medical information to the CDPH and the patient no later than 15 business days after discovery. The new regulations implementing Section 1280.15 expand the exceptions to the breach notification reporting requirement, impose requirements for the type of information that must be submitted to the CDPH in the event of a breach, and clarify the penalties available in the event of a violation of the regulations. This alert outlines the major takeaways from these new regulations and how they may affect California health care facilities moving forward.

Read more on JDSupra.