EDMUND G. BROWN JR.
Governor

State of California—Health and Human Services Agency
California Department of Public Health


AFL 14-26
November 12, 2014


TO:
Acute Psychiatric Hospitals
Alternative Birth Centers
Chronic Dialysis Clinics
Congregate Living Health Facilities
Correctional Treatment Centers
General Acute Care Hospitals
Home Health Agencies
Hospices
Intermediate Care Facilities
Intermediate Care Facilities/Developmentally Disabled
Intermediate Care Facilities/Developmentally Disabled – Habilitative
Intermediate Care Facilities/Developmentally Disabled – Nursing
Primary Care Clinics
Rehabilitation Clinics
Skilled Nursing Facilities
Special Hospitals
Surgical Clinics

SUBJECT:
Updates to Reporting Requirements for Unauthorized Access or Disclosure of Patient Medical Information

AUTHORITY:
AB 1755 (Chapter 412, Statutes of 2014); Health and Safety Code (HSC) Section 1280.15


This All Facilities Letter (AFL) provides notice of the passage of AB 1755 (Chapter 412, Statutes of 2014), which amended section 1280.15 of the Health and Safety Code (HSC) and changed reporting and patient notification requirements for unlawful or unauthorized access to, or use or disclosure of, a patient's medical information by specified health care facilities.

Existing law requires health care providers and facilities to prevent unlawful or unauthorized access to, use, or disclosure of, patients' medical information (breach) and requires health facilities to establish safeguards to protect the privacy of patients' medical information.

Effective January 1, 2015, specified health care providers must report a breach of medical information to CDPH and the affected patient within 15 business days rather than 5 business days.

Facilities must provide written notification to affected patients or the affected patient's representative of the breach at the last known address. Pursuant to AB 1755 (Chapter 412, Statutes of 2014), facilities may also provide notification by an alternative means or at an alternative location as specified by the patient or the patient's representative in writing pursuant to the Code of Federal Regulations (CFR) Title 42, Section 164.522. Notification may only be made via email if the patient has previously agreed to electronic notification in writing.

All other medical information breach reporting requirements remain in effect. Facilities are responsible for following all applicable laws. CDPH's failure to expressly notify facilities of legislative changes does not relieve facilities of their responsibility for following all laws and regulations. Facilities should refer to the full text of AB 1755 and all applicable state and federal regulations to ensure compliance.

 

Sincerely,

Original signed by Jean Iacino

Jean Iacino
Interim Deputy Director
