California Breach Disclosure Law Now Covers Medical Records

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298, took effect January 8, 2008. It adds medical and health-related information to the definition of "personal information" in the existing breach notification law and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.
 

AB 1298 amends several existing privacy laws (Civil Code §§ 56.06, 1785.11.2, 1798.29, and 1798.82): 

  • It applies prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information for treatment or diagnosis. 
  • It permits a consumer reporting agency, regardless of the existence of a security freeze, to disclose public record information lawfully obtained from an open public record to the extent otherwise permitted by law. This provision stems from a recent court decision that, without this change, threatens to eliminate the "freeze access" law in California. These provisions do not prohibit the consumer reporting agency from electing to apply a valid security freeze to the entire contents of a credit report. 
  • It adds “medical information” and “health insurance information” to the definition of “personal information” that, if acquired by an unauthorized person, would require notification of the security breach. 
    • “Medical Information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” 
    • “Health Insurance Information” is defined as “an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.” 
  • AB 1298 adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the California breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered. 
  • It is important to note that these new provisions are not limited to health care providers, but may affect any employer or other entity with computerized employee benefits or other health data.
     
Comments (1)
Sheila - March 11, 2008 6:37 PM

Hi,

Last week my pharmacy mistakenly sold my prescription to another individual. The prescription has some "street value" and so far the individual is not responding to the pharmacy phone calls. I am concerned about the information that that individual now has about me from the prescription bottle. Am I being paranoid or might this information be used to affect me in a negative way? (Identity theft? Insurance fraud? etc.)
I would appreciate any input.
Many thanks.
