On January 1, 2008, a new law that extends California's "data breach" notification requirements to medical and health care insurance information took effect. Intended to protect California residents from medical identity theft and unauthorized release of their medical records, the law also broadens the scope of California's existing medical privacy law to apply to all companies that maintain medical information.
Prior to enactment of the law, the state's landmark data-breach notification statute required persons, businesses, and agencies that do business in California to notify affected persons when a computer security breach may have compromised their personal or financial information. "Personal information" included a first name or first initial and last name, in combination with either an identifier (a Social Security number, driver's license number, or California Identification Card number) or certain financial account numbers if disclosed along with access codes or passwords. For a breach to have comprised personal or financial information, either the person's name or one of the identifiers had to be maintained electronically in unencrypted form.
The new law adds medical and health insurance information to the definition of personal information. Medical information is defined expansively as "any information regarding an individual's medical history, mental or physical condition, or diagnosis by a health care professional." Health insurance information includes an individual's health insurance number, subscriber identification number, or other unique identifier, or any information in an individual's application and claims history. Now, if a computer security breach results in the unauthorized disclosure of medical or health insurance information, the person, business, or agency that maintains the data must notify any affected California resident.
The law also extends the Confidentiality of Medical Information Act (CMIA) requirements to all businesses that maintain medical information. Before this law took effect, the CMIA prohibited corporations that maintained medical information for the primary purpose of making the information available to patients or providers for diagnosis or treatment from sharing, selling, or otherwise using the information for purposes unrelated to health care without the patient's prior authorization.
Now, CMIA applies to any business organized to maintain medical information and make it available to providers or individuals, whether or not that is the "primary purpose" of the organization. Notably, the law applies to companies that maintain such data to allow individuals to manage their own health care information (for example, by logging and tracking their daily blood sugar levels or blood pressure). The law subjects a broader range of businesses to the confidentiality standards required of health care providers as well as the penalties for improper use and disclosure of medical information under the CMIA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
