California

Survey Answer:

Cal. Health & Safety Code § 1280.15 is the data breach notification statute unique to clinics and health facilities. The statute provides that any “clinic, facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745” shall prevent the unauthorized access to and disclosure of patients’ “medical information.”
Medical information is defined as: “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” Cal. Civ. Code § 56.05.
• “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity. Cal. Civ. Code § 56.05.
Any clinic or health facility subject to this data breach notification statute shall report any breach of the patients’ medical information to the California Department of Health Services no later than 15 days after the unlawful or unauthorized access, use, or disclosure of the medical information is detected by the clinic or health facility. Cal. Health & Safety Code § 1280.15(b)(1).
Any clinic or health facility subject to this data breach notification statute shall also report the data breach to any “affected patient or the patient’s representative” no later than 15 days after the unlawful or unauthorized access, use, or disclosure of the medical information is detected by the clinic or health facility. Cal. Health & Safety Code § 1280.15(b)(2). Such notification shall be made in writing to the last known address of the patient or the patient’s representative. Notice by email may be made only if the patient has previously agreed in writing to electronic notice by email. Id.
The California Department of Health Services has authority under the statute to assess a penalty for a violation of Cal. Health & Safety Code § 1280.15 of up to $25,000 per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to a $17,500 penalty for each subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. Cal. Health & Safety Code § 1280.15(a).
• In addition, clinics and health facilities that fail to report the data breach to the California Department of Health Services or the affected patients within 15 days of detecting the breach may be assessed an additional penalty of $100 per day. Cal. Health & Safety Code § 1280.15(d).
• The total penalty assessed for violations of subsections (a) and (d), however, may not exceed $250,000.

Provided By:
Fred Bellamy: Ryley Carlock & Applewhite