California has Updated its Medical Data Breach Notification Regulations and Administrative Penalties

California has updated its data breach reporting requirements for healthcare facilities and has also increased the administrative penalties for breaches of sensitive patient data.

The California Department of Public Health says the updates, which took effect on July 1, 2021, require all healthcare facilities in the state of California to report medical information breaches to the California Department of Public Health within 15 days of the detection of a data breach. HIPAA requires data breaches to be reported to the HHS’ Office for Civil Rights within 30 days of the detection of a breach.

The report must be in writing needs to be signed by a representative of the healthcare facility, and must contain detailed information about the nature of the data breach. Essential elements that must be included are:

  • Name/address of health care facility where the breach occurred;
  • Date/time of breach;
  • Date/time of discovery of the breach;
  • Name of patient(s) affected;
  • Description of medical information breached
  • Nature and extent of the medical information involved (including types of individually identifiable information/likelihood of reidentification);
  • Description of events surrounding the breach;
  • Date of notification of affected patients, or expected data if notifications not yet sent;
  • Name(s)/contact information of the individual(s) who performed the breach (if known), witness(es) (if any), and the details of any unauthorized person(s) to whom the disclosure was made;
  • Contact information of the health care facility’s representative;
  • Description of corrective actions taken;
  • Details of any previous reported events that include the affected patient’s medical information during the past 6 years;
  • A copy of the notification letter sent to the affected patient(s);
  • Audit reports, witness statements, and other documents that the health care facility relied upon in determining a breach occurred.

If there are any delays issuing the notification or the required information to the California Department of Public Health, additional administrative penalties may be imposed.

When a breach has occurred which the California Department of Public Health determines warrants a financial penalty, the base penalty amount is $15,000 per violation up to a maximum total financial penalty of $250,000 per reported event. The amount of the penalty will be determined based on several factors, and may be adjusted for small and rural hospitals, primary care clinics, and skilled nursing facilities under certain circumstances, if a request is submitted to the California Department of Public Health.

“Facilities are responsible for following all applicable laws,” said California Department of Public Health, Acting Deputy Director Cassie Dunham in a letter to all Californian healthcare facilities. “CDPH’s failure to expressly notify facilities of statutory or regulatory requirements does not relieve facilities of their responsibility to follow all laws and regulations. Facilities should refer to the full text of all applicable sections of the HSC and Title 22 CCR.”