Calif. Extends Breach Notice Deadline
Healthcare Breaches Now Must Be Reported Within 15 Days
California Governor Edmund Brown Jr. recently signed into law a new measure that extends healthcare organizations' breach notification deadline to 15 business days.
Previously, medical facilities in the state had to notify breach victims and state officials within five business days of detecting a breach to comply with California Health & Safety Code 1280.15.
California law, even with the revision, is far stricter than federal requirements. Under the HIPAA breach notification rule, breaches affecting 500 or more individuals must be reported to victims as well as federal authorities within 60 days.
Under the state's broader breach notification law - S.B. 1386 - the state requires non-healthcare entities to notify victims and authorities of data breaches "in the most expedient time possible and without unreasonable delay."
Change Called 'Reasonable'
California's move to extend the breach notification deadline for healthcare organizations is reasonable, says Scot Ganow, an attorney at Faruki Ireland and Cox PLL who specializes in privacy and security law. "The reality is that data breaches can be very complicated and involve many layers of information, as well as many different parts of the healthcare organization trying to respond in a compliant manner," he says.
"Five days may seem like a lot of time, but it really isn't if you are trying to both respond in a timely fashion, but also do it responsibly as to not create undue panic, involve more people than necessary, and therefore incur costs that may not be necessary, especially if notice is not required at all," Ganow says.
New Law's Details
AB 1755, introduced by Assembly Member Jimmy Gomez, a Democrat, amends California Health & Safety Code 1280.15 to require any clinic, health facility, home health agency or hospice to report to affected patients and the State Department of Public Health any unlawful or unauthorized access to patients' medical information no later than 15 business days after the unlawful or unauthorized access, use or disclosure has been detected.
"AB 1755 will remove unnecessary costs to the healthcare system and state administration by improving notice requirements when patients have breaches of medical information," a statement on Gomez's website says.
The new law also gives the State Department of Public Health full discretion on whether to investigate a reported breach and assess a penalty. "These changes augment language that already allowed the regulator to take into consideration many factors in assessing liability for the organization, to include its current business practices, policies and procedures, and its history of breach, if any," says Ganow, the attorney.
The move to extend the breach notification deadline for healthcare organizations in California comes as the governor also signed into law AB 1710 on Sept. 30, which amended the state's broader data breach notification law (see: California Bolsters Breach Notification).
Two key provisions in AB 1710 include:
- Breached entities are now required to offer free identity theft prevention services to impacted individuals for one year if Social Security numbers or driver's license numbers were breached;
- Existing personal information data security obligations now apply to businesses that maintain personal information, such as cloud services providers, in addition to those who own or license the information.