California’s Privacy Pileup
New State Laws Meet Even Newer Federal Regulations

In California, teasing apart state and federal breach notification laws highlights the challenges organizations everywhere face in determining their responsibilities under ARRA’s new privacy regulations.

by Chris Dimick

Within healthcare organizations, the temptation for some staff can be great: what harm can come from a peek at a celebrity’s health information or a next door neighbor’s record? At one time this act might have gone unnoticed, unrecorded, and without penalty. But new privacy protection laws included in the American Recovery and Reinvestment Act (ARRA) have created the first federal punishment for such snooping.

ARRA layers on new privacy protections and prosecution powers to discourage unauthorized access to patient information. Under ARRA, even a brief unauthorized look at a medical record can mean large monetary fines for individuals and facilities. Through a wide range of provisions, Congress used ARRA as an attempt to increase patient trust that the healthcare industry will protect their personal information.

ARRA’s privacy provisions represent a “major change in privacy law,” says Deven McGraw, JD, LLM, MPH, director of the Health Privacy Project at the Center for Democracy and Technology, based in Washington DC. McGraw also serves on the Health IT Policy Committee, which makes recommendations on ARRA to the Office of the National Coordinator for Health Information Technology.

“The biggest [change] since HIPAA was enacted,” she says, “and there hasn’t yet been a lot of guidance coming out of the regulators about how to comply with both [state and federal law] and what the rules really mean. So this creates a lot of uncertainty in the marketplace.”

Across the country, providers reviewing the new ARRA regulations face the task of adapting their privacy policies and procedures to meet both state and federal requirements.
This task is amplified in California, where just months ago healthcare privacy policies were overhauled with strict new state laws. Prominent in California’s laws are tough new requirements on reporting privacy breaches and notifying individuals that their health information may have been compromised. California’s laws had been in effect approximately six weeks when the first-ever federal requirements on data breach notification were announced. California’s HIM professionals have their work cut out to ensure their facilities meet both state and federal laws on notification, an exercise that all states with notification laws face.

State, Federal Laws Collide

The data breach notification regulations are the first of the ARRA privacy provisions to take effect. The Department of Health and Human Services will oversee organizations that qualify as covered entities and business associates under HIPAA. The Federal Trade Commission will oversee everyone else, including vendors of personal health records. The law requires both HHS and the FTC to create and publish interim final regulations by August 16. The provisions become effective 30 days after publication.

Sorting out whether state or federal law is stricter and under what circumstances is the biggest challenge healthcare officials face, according to Cassi Birnbaum, RHIA, CPHQ, director of health information and privacy officer at Rady Children’s Hospital of San Diego. As drafted, ARRA suggests that the federal regulations will not preempt state laws.

“We have to go with the regulation that is the most stringent,” Birnbaum says. “Sometimes that is California’s law, sometimes it is ARRA.

“It is troubling that we have so many different requirements to worry about,” she says. “The standard in most instances is tougher in California, but then it is much more specifically spelled out in ARRA.”

California passed its healthcare data breach laws last year, with the regulations taking effect January 1 of this year.
The state’s breach laws are easily the toughest in the country. Facilities must report any breach of any size to the California Department of Public Health, and individuals who take part in the unauthorized access of patient records can face steep fines (see page 46). The laws were enacted after a series of high-profile privacy breaches led legislators to quickly pass reinforced privacy protections. Only months later, ARRA’s passage sent HIM departments like Birnbaum’s back to the table to evaluate their policies against a new set of regulations.

Preparing Policies That Cover All Laws

With final regulations due this month, no one is sure exactly how ARRA’s breach provisions will affect state law, says Gerry Hinkley, JD, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco, CA. But enough of ARRA’s game-changing provisions are known that Hinkley’s firm has already been talking with clients about how to develop policies that comply with both state and federal law.

“We are approaching it as kind of an algorithm,” he says. “Answer these questions—does that take you down the road to breach notification in California? Answer a different set of questions—does that take you down the road to federal notification?” he says.

“We think you can develop a policy that would allow you to comply with both,” Hinkley says. “And you may not have an obligation under both,” he notes—it will depend on the nature of the particular incident.

State privacy and data breach laws vary greatly across the country, which means healthcare entities in each state must determine how ARRA differs from their individual state laws. They will have to do so quickly, because the federal provisions take effect 30 days after final regulations are published.
Multiple Notifications Possible

Under California law, patients must be notified if their electronic health records are breached by any unauthorized individual. A notice also must be sent if records are lost or stolen and are not encrypted with data protection technology. A healthcare organization has five days from the discovery of the breach to notify affected patients and report the incident to the state, which can assess steep fines against both individuals and organizations up to $250,000.

As drafted, ARRA requires organizations to send breach notification “without reasonable delay” and within 60 days of discovery. While California has the far stricter time requirement, ARRA includes greater requirements on the content of the notification. California law does not specify what information organizations must provide to patients, although state bill SB 20, still moving through the legislature in July, would establish a minimum, including the name of the organization reporting the breach.

ARRA requires that breach notifications contain a description of how the breach happened, the types of breached protected health information, a toll-free hotline number established by the healthcare organization to handle questions, and a description of what the organization is doing to investigate the breach and mitigate losses, among other information.

Between California’s deadline and ARRA’s detail, privacy officers and others already foresee having to send two notifications for incidents that qualify as breaches under both laws.

“You could have a situation where you’ve got five days under state law to let people know that their information was breached, but yet you don’t necessarily have all the information that would allow you to comply with the federal notice obligation,” says McGraw, who studied the impact of ARRA on healthcare privacy and security laws in California for the California HealthCare Foundation.
“It is a lot of detail, all of it arguably quite helpful information for people to have…,” McGraw says. “But getting all that together in five days might be a challenge. You might have to get in touch with people a second time to say, ‘Okay, well, here is more of the detail that we didn’t have within the five-day time limit that we needed to notify you in order to satisfy our state law.’”

Sending out multiple notices could confuse patients, and it would require more work on the part of healthcare organizations, Birnbaum notes.
Sorting through the Triggers

California healthcare entities will report more breaches to the state than to the federal government, because the California requirements are triggered by a greater range of incidents. California requires that breach notifications be sent for any unintentional or inadvertent disclosure, such as a patient record faxed to an incorrect number or discharge instructions handed to the wrong person.

Other state breach laws are more lenient, but few appear to dovetail neatly with ARRA. Many states set notification thresholds based on the number of individuals affected and the cost to notify them. State laws also vary significantly in how organizations must attempt to reach affected individuals and how hard they must try.

National organizations and healthcare systems that operate in multiple jurisdictions will have the difficult task of figuring out which state and federal rules to apply during a breach, Hinkley says. However, it is not impossible to develop policies for multistate situations. “All those questions are answerable, it is just a matter of figuring it out,” he says. He is confident adequate guidance will come in the final regulations.

Organizations can also expect increasing help from technology, as vendors develop software that better tracks inappropriate access to patient records. Technology can also help prevent breaches. McGraw recommends facilities implement encryption and record access tracking technology to protect patient data.

“Technology can help these institutions better police those internal breaches or snooping incidents because of the ease of tracking people when they have to log on with a digital identity,” she says.

While McGraw notes the difficulties that breach notification poses for organizations, she says it is in the best interest of patients to gain as much information as possible about a breach so they can take steps to mitigate harm.
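The access-tracking approach McGraw describes, worked through as an added example (not code from the article or from any vendor it mentions): because each chart view is tied to a login identity, the audit trail can be checked against active treatment relationships, and views with no care-team or administrative basis become the snooping incidents that feed the breach-notification process. The audit records, care-team assignments, flagged record and role list below are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample EHR access-audit records, in the form an audit log bound
# to individual logins would produce: (user, role, patient_id, timestamp).
AUDIT_LOG = [
    ("nurse.kim",   "nurse",        "P001", "2009-07-01T08:02"),
    ("dr.patel",    "physician",    "P002", "2009-07-01T08:10"),
    ("clerk.jones", "registration", "P003", "2009-07-01T08:15"),
    ("nurse.kim",   "nurse",        "P003", "2009-07-01T12:40"),  # not on P003's care team
    ("nurse.kim",   "nurse",        "P004", "2009-07-01T12:41"),  # flagged (high-profile) record
    ("dr.lee",      "physician",    "P003", "2009-07-01T13:00"),
]

# Constructed: active treatment relationships (who is assigned to each patient).
CARE_TEAM = {
    "P001": {"nurse.kim", "dr.patel"},
    "P002": {"dr.patel"},
    "P003": {"dr.lee"},
    "P004": {"dr.patel"},
}
# Constructed: charts that warrant extra scrutiny, e.g. a public figure's record.
FLAGGED_RECORDS = {"P004"}
# Assumption: registration staff legitimately touch any chart's demographics,
# but even they are reviewed when the chart is flagged.
ADMIN_ROLES = {"registration"}


def find_snooping(log, care_team, flagged, admin_roles=ADMIN_ROLES):
    """Return accesses with no treatment or administrative basis, plus any
    access to a flagged record by someone outside that patient's care team."""
    findings = []
    for user, role, patient, ts in log:
        if user in care_team.get(patient, set()):
            continue  # assigned caregiver: expected access
        if role in admin_roles and patient not in flagged:
            continue  # routine administrative access
        reason = "flagged record" if patient in flagged else "no treatment relationship"
        findings.append({"user": user, "patient": patient, "time": ts, "reason": reason})
    return findings


def summarize_by_user(findings):
    """Count findings per login identity; the article notes fines can fall on
    the individual, so the identity is the unit an investigation starts from."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)
```

Each finding is a candidate incident for the privacy officer to confirm, not a conclusion; an unassigned covering nurse would show up here too, so the care-team data must be kept current for the review to be useful.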
Getting Started in Advance

Organizations should do the best they can to interpret ARRA as it stands, accounting for any changes as final regulations are announced. Once final regulations have arrived, Birnbaum recommends HIM departments conduct the same preemption analysis process they followed after HIPAA was enacted. Study ARRA provisions and stack up each law—state and federal—to determine which is the most stringent and must be followed, Birnbaum says.

Individual organizations should work toward common interpretations and implementations when setting their policies, something the industry failed to do when implementing HIPAA, Hinkley says. That led to enormous disparity from one institution to another, and the discrepancy has become a significant barrier to health information exchange.

“Let’s not do that again,” Hinkley says. “Let’s look for some better, broader guidance and try to be as uniform as we can in how this is interpreted.”

Organizations should get started now reconciling the state and federal laws, Birnbaum says. “It is a challenge just figuring out which is the most stringent and which you need to follow,” Birnbaum says, “then retraining staff, rewriting policies, rewriting agreements. So there is certainly a lot of work that needs to be done.”

Getting started early is good for all of ARRA’s privacy provisions. “My advice would be for entities to do the best they can to interpret what the law means and comply, because it is unclear how much additional guidance and interpretation will be available before next February when most of this goes into effect,” McGraw says. “I can understand why people are anxious about it. But I think this can be worked through.”

Chris Dimick (chris.dimick@ahima.org) is staff writer for the Journal of AHIMA.