ARTICLE
20 February 2008

California Law Strengthens Privacy Protections For Health Care Information

FL
Foley & Lardner

Contributor

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
On January 1, 2008, a new law that extends California's "data breach" notification requirements to medical and health care insurance information took effect.
United States Food, Drugs, Healthcare, Life Sciences

On January 1, 2008, a new law that extends California's "data breach" notification requirements to medical and health care insurance information took effect. Intended to protect California residents from medical identity theft and unauthorized release of their medical records, the law also broadens the scope of California's existing medical privacy law to apply to all companies that maintain medical information.

Prior to enactment of the law, the state's landmark data-breach notification statute required persons, businesses, and agencies that do business in California to notify affected persons when a computer security breach may have compromised their personal or financial information. "Personal information" included a first name or first initial and last name, in combination with either an identifier (a Social Security number, driver's license number, or California Identification Card number) or certain financial account numbers if disclosed along with access codes or passwords. For a breach to have comprised personal or financial information, either the person's name or one of the identifiers had to be maintained electronically in unencrypted form.

The new law adds medical and health insurance information to the definition of personal information. Medical information is defined expansively as "any information regarding an individual's medical history, mental or physical condition, or diagnosis by a health care professional." Health insurance information includes an individual's health insurance number, subscriber identification number, or other unique identifier, or any information in an individual's application and claims history. Now, if a computer security breach results in the unauthorized disclosure of medical or health insurance information, the person, business, or agency that maintains the data must notify any affected California resident.

The law also extends the Confidentiality of Medical Information Act (CMIA) requirements to all businesses that maintain medical information. Before this law took effect, the CMIA prohibited corporations that maintained medical information for the primary purpose of making the information available to patients or providers for diagnosis or treatment from sharing, selling, or otherwise using the information for purposes unrelated to health care without the patient's prior authorization.

Now, CMIA applies to any business organized to maintain medical information and make it available to providers or individuals, whether or not that is the "primary purpose" of the organization. Notably, the law applies to companies that maintain such data to allow individuals to manage their own health care information (for example, by logging and tracking their daily blood sugar levels or blood pressure). The law subjects a broader range of businesses to the confidentiality standards required of health care providers as well as the penalties for improper use and disclosure of medical information under the CMIA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Food, Drugs, Healthcare, Life Sciences

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More