New health-care privacy laws heighten need for HIPAA compliance in California
Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline
Computerworld - Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.
Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.
In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.
The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. "The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue," MacKoul said.
And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.
"The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago," MacKoul said. As state statutes, SB 541 and AB 211 don't directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.
The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S. Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent "corrective action plan" in response to what HHS described as potential HIPAA violations.
The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement resulted from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.
In California, SB 541 was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly's Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.