New health-care privacy laws heighten need for HIPAA compliance in California
Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline
Computerworld - Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.
Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.
In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.
The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. "The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue," MacKoul said.
And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.
"The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago," MacKoul said. As state statutes, SB 541 and AB 211 don't directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.
The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S. Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent "corrective action plan" in response to what HHS described as potential HIPAA violations.
The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement arose from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.
In California, SB 541 was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly's Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.