This letter is being sent to notify you of legislative changes as a result of the chaptering of Senate Bill (SB) 337 (Alquist, Chapter 180, Statues of 2009), that took effect January 1, 2010, and SB 270 (Alquist, Chapter 501, Statues of 2010) effective immediately, which affects health care facilities and services licensed by the California Department of Public Health (CDPH) Licensing and Certification (L&C) program.
Existing law requires health care providers and facilities to prevent unlawful or unauthorized access to, use, or disclosure of, patients' medical information (breach) and requires health facilities to establish safeguards to protect the privacy of patients' medical information.
As a result of this chaptered legislation, current law now clarifies that specified health care providers must report a breach of medical information to the CDPH and the affected patient within five (5) business days. Failure to notify either the department or the patient of a breach within the required notification period will result in a $100 per day civil penalty.
In addition, current law now allows the patient notification to be delayed beyond five (5) business days at the request of law enforcement when they indicate that the patient notification will likely impede law enforcement investigation. Law enforcement may verbally request a delay of thirty (30) calendar days or up to sixty (60) calendar days when a request is made in writing. Law enforcement shall specify the date upon which the delay shall end not to exceed 30 or 60 days accordingly. The five (5) business day reporting requirement shall begin immediately following the conclusion of the delay
period invoked by law enforcement.
Note: While the reporting period is based on business days, the penalty for failure to report a breach will be assessed for each calendar day following the five (5) business day reporting period.
In addition, current law provides clarification that for enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. Therefore, all facilities must document all patient notifications following a breach and ensure that the documentation is available to surveyors during a breach investigation.
Finally, as amended, the law now stipulates that misdirected internal paper records, email, or fax transmissions to another health care worker within the same facility or health care system for the purpose of coordinating care or delivery of services does not constitute a breach and therefore does not need to be reported to the department.
The information in this All Facilities Letter is a brief summary of a portion of HSC Section 1280.15 and Division 109.5 commencing with Section 130250, 130251, 130316 and 130317. Health care providers are responsible for following all applicable laws and regulations. CDPH’s failure to notify facilities or providers of legislative changes does not relieve their responsibility for following all laws and for being aware of all legislative changes. Facilities should refer to the full text of the HSC Section 1280.15 and Division 109.5 Sections 130250, 130251, 130316 and 130317 to ensure compliance.
If you have any questions, please contact your respective L&C District Office.
Original Signed by Pamela Dickfoss for
Kathleen Billingsley, R.N.