Wednesday, February 27, 2008

California Expands Its Data Breach Notification Law to Include Medical Information and Insurance Data

AB 1298, a bill that the Consumer Federation of California actively supported and that was signed into law last year, is now in the process of being implemented. It appears that, as is often the case with California, other states have taken notice of the law and are going to follow suit.

AIS details what exactly will change in California:

California's innovative data security breach notification law now also applies to medical information and health insurance data, thanks to a bill that expanded the regulation, which was signed by Gov. Arnold Schwarzenegger (R) in October and took effect Jan. 1. One expert says other states likely will consider this kind of expansion for their own laws.


The new law expansion, A.B. 1298, has three main parts, says Hirsch. First, security breach notification rules now apply to two new categories — medical information and health insurance information. Providers' previous breaches may not have triggered an obligation to disclose, even if data included medical information. "Prior to Jan. 1, the definition of 'personal information' was quite specific and somewhat narrow. Generally, if the breach didn't involve a Social Security number or an account number, there was no legal obligation to notify," explains Hirsch, who is a partner with Sonnenschein Nath & Rosenthal LLP.


A second aspect of A.B. 1298 expands the state's medical privacy law to apply to a broader range of technology companies that now are beginning to offer personal health records (PHRs), Hirsch says.

"Previously, [the state Confidentiality of Medical Information Act] covered any business that maintained medical information for the primary purpose of making it available for treatment. But as big companies such as Microsoft and Google started to express interest in PHR products, [legislators] realized that those companies are not primarily about PHRs and didn't want them to escape regulation. It's a fairly small change, but [one that's] needed to close a loophole. It also reflects the recent movement toward imposing privacy regulation on other types of health care technology ventures, such as regional health information organizations," Hirsch says.
