Often new legislative trends in privacy and security law are driven by a single incident that grabs headlines.Â And when a privacy incident directly touches lawmakers personally ... then expect a new privacy law.
For example, California's landmark security breach notification law came about in response to a high-profile breach involving a California state government database.Â Now, as I've discussed previously in this blog, there have been several much-publicized incidents involving hospital employees improperly accessing the medical records of public records and celebrities at Cedars-Sinai Medical Center and UCLA Medical Center.
Two new bills are making their way through the California legislature in response to these recent events, S.B. 541 and A.B. 211.Â The word around the hallways of Sacramento is that Governor Schwarzenegger has a strong personal interest in the passage of these measures because UCLA Medical Center employees improperly accessed his wife's medical records.
S.B. 541 creates a new administrative penalty for hospitals, home health agencies, hospices and licensed clinics that fail to "prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information."Â The penalty is $25,00 per patient, with a cap of $250,000 "per reported event."
Don't HIPAA and state medical privacy laws already prohibit this conduct?Â Yes, but not quite so specifically.Â Â As they say, you don't want to know how sausage and law gets made. Â It's not pretty and it's certainly not consistent, but this is how privacy law gets made in the U.S.