Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.
Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.
In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.
The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. "The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue," MacKoul said.
And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.
"The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago," MacKoul said. As state statutes, SB 541 and AB 211 don't directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.
The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent "corrective action plan" in response to what HHS described as potential HIPAA violations.
The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement stemmed from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.
In California, SB 541 (download PDF) was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly's Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.