AIS's Health Business Daily
Featured Story
October 16, 2008

HIPAA Covered Entities in Calif. Could See Stiff Penalties for Privacy Breaches Under Two New State Laws, Which Could Be National Models

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

By Neal Learner, Managing Editor (nlearner@aispub.com)

Hospitals and other covered entities in California may have to beef up their privacy and security compliance programs in light of recently enacted state legislation that slaps stiffer penalties on entities and employees who violate patient privacy.

The legislation, approved in mid-September and signed by Gov. Arnold Schwarzenegger (R) on Sept. 29, follows privacy breaches of several high-profile celebrities, including singer Britney Spears and California First Lady Maria Shriver.

Two laws, AB211 and SB541, include provisions that assess civil penalties of up to $250,000 on individuals or entities that improperly disclose private medical information. Among other things, AB211 requires every health care provider in the state to "establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information." It establishes the Office of Health Information Integrity to enforce the law and impose fines. Provisions in SB541 include a penalty of $100 per day up to a maximum of $250,000 on a health care facility that fails to report an unlawful or unauthorized breach of a patient's medical information.

Some patient privacy attorneys assert that the California legislation addresses issues already covered under federal law. "There is an argument to be made that a law like this isn't absolutely necessary, because certainly HIPAA required reasonable safeguards of patient information or protected health information," says Reece Hirsch, a partner in Sonnenschein Nath & Rosenthal's San Francisco office.

Still, the California legislation is significant in some respects, he tells RPP. It takes data-security concepts found in federal law and applies them at the state-law level, he says. "Perhaps most significantly, it also attaches a whole new regime of fines and penalties related to violations of those standards," Hirsch adds. "Some people might say the HIPAA privacy and security rule has not been very vigorously enforced thus far by HHS. This sort of provides a basis for state authorities to impose some fairly significant penalties when there is a perceived privacy or security breach."

The legislation also grants the Office of Health Information Integrity jurisdiction to act as a privacy and security watchdog, he adds. "If this law is vigorously enforced, and we start seeing some of these fines imposed, I think it will bring some added rigor to the privacy and security compliance programs of a lot of health care providers in California," Hirsch says.

But will it deter the kinds of privacy breaches that have recently dogged some California hospitals, including the UCLA health system? State public health authorities in July released findings that more than 60 employees at the UCLA Medical Center improperly accessed patient records, and at least one former employee sold celebrity medical records to news outlets.

Jan Emerson, spokeswoman for the California Hospital Association, says it remains to be seen if the new legislation will prevent this sort of thing from happening. "To some degree, you can put all of the security systems in place, and if an individual chooses to do this because they're getting paid by a tabloid, they're going to make a choice," she tells RPP. "Hopefully the increased penalties, the increased attention on this issue will deter people from doing this. It shouldn't have happened. Nobody is going to justify what happened. But at the end of the day, individuals make choices."

University of California (UC) spokesman Paul Schwartz said the university didn't take a formal position on either of the patient privacy laws. But he adds that UC is "committed to providing leadership in the area of patient privacy."

"The kinds of breaches we have experienced recently are not unique to UC," Schwartz tells RPP. "Hospitals and other types of organizations throughout the country face the same issues and challenges. Still, we deeply regret the recent events at UCLA, and we are absolutely committed to correcting and improving our systems and practices in order to ensure that patient privacy is protected."

The legislation itself doesn't really change the obligations that health care providers, hospitals or medical groups now have under a combination of HIPAA and the existing state medical privacy law, says Hirsch. "But I think it does reflect a degree of concern about laxity in privacy practices of hospitals and other health care providers," he adds. "It should be viewed as sending a message that it's a good time to revisit your internal controls on access to PHI [i.e., protected health information]."

California Setting Another Precedent?

Some also see the possibility that other states will follow California's legislation, particularly in its establishment of the Office of Health Information Integrity.

"Certainly, other states are going to take note of this," says Robert L. Coffield, a health care attorney in the Charleston, W.Va., office of Flaherty, Sensabaugh & Bonasso, PLLC. "They actually have a new state entity created to oversee this; it's not just going to be a law on the books," he adds. Coffield says he is not aware of any other state with a similar oversight body.

But Hirsch says he doesn't think the new legislation will gain the same kind of traction as California's earlier security breach notification law, which was subsequently enacted in states across the country. "This seems to be responsive to a particular incident and not a real deficiency in existing laws," he says, while acknowledging that employees snooping on patient information is not something that is unique to California. "But I do think existing law is probably sufficient in most cases to address these sorts of concerns."