Good news – The California Department of Public Health (CDPH) has implemented final regulations governing medical information breach reporting. What does this mean in practice? Are there any nuances or new requirements not already addressed by Health and Safety Code 1280.15, COMIA (Civ. Code 56 et seq), or HIPAA?
In my view, the new regulations (at 22 CCR 79900 et seq) represent more of a harmonious merger of HIPAA and Section 1280.15, rather than the forging of a new frontier. They will allow California health care providers to comply with the suite of State and federal requirements more seamlessly than before. For example, performing a risk assessment following a suspected breach is now key for both State and federal reporting determinations.
The highlight of the new regs? An express exception for inadvertently misdirected communications sent to a HIPAA Covered Entity within the course of coordinating care or delivering services, which will not be treated as unauthorized access/use or disclosure. Neither HIPAA nor Section 1280.15 previously included such an exception.
One unfortunate wrinkle in the verbiage of the new regulations, however, concerns the definition of breach detection. As currently written, the new regulations can (confusingly) be read to impute an obligation on the part of a Covered Entity (CE) to have detected a breach on the date that the CE’s Business Associate (BA) knew or should have known of the breach, even if the BA did not notify the Covered Entity. Further clarification is needed from CDPH on this piont. Until this is ironed out, the most conservative approach would be for CEs to amend their Business Associate Agreements (BAAs) to require immediate notice of breach detection and ongoing surveillance by the BA to identify breaches more rapidly. At a minimum, CEs may wish to communicate that, given the uncertainty and potentially increased risk around breach detection and timely reporting due to the new regulations, BAs should continue to vigilantly monitor for breaches and provide prompt notification consistent with existing contractual obligations.