This All Facilities Letter (AFL) provides notice of the passage of AB 1755 (Chapter 412, Statutes of 2014), which amended section 1280.15 of the Health and Safety Code (HSC) and changed reporting and patient notification requirements for unlawful or unauthorized access to, or use or disclosure of, a patient's medical information by specified health care facilities.

Existing law requires health care providers and facilities to prevent unlawful or unauthorized access to, use, or disclosure of, patients' medical information (breach) and requires health facilities to establish safeguards to protect the privacy of patients' medical information.

Effective January 1, 2015, specified health care providers must report a breach of medical information to CDPH and the affected patient within 15 business days rather than 5 business days.

Facilities must provide written notification to affected patients or the affected patient's representative of the breach at the last known address. Pursuant to AB 1755 (Chapter 412, Statutes of 2014), facilities may also provide notification by an alternative means or at an alternative location as specified by the patient or the patient's representative in writing pursuant to the Code of Federal Regulations (CFR) Title 42, Section 164.522. Notification may only be made via email if the patient has previously agreed to electronic notification in writing.

All other medical information breach reporting requirements remain in effect. Facilities are responsible for following all applicable laws. CDPH's failure to expressly notify facilities of legislative changes does not relieve facilities of their responsibility for following all laws and regulations. Facilities should refer to the full text of AB 1755 and all applicable state and federal regulations to ensure compliance.

Sincerely,

Original signed by Jean Iacino

Jean Iacino
Interim Deputy Director