When Anthony Guerra of Healthcare Informatics invited me to conduct this Health Law Privacy Blog, I must admit I had a few reservations. In my experience, there are few things sadder than a poorly maintained blog. Stumbling upon one while browsing the Internet is sort of like encountering someone muttering to himself in an empty room -- depressing. It is my goal to spark some discussion on this blog by keeping it updated with new developments in health care privacy law, along with war stories and practical tips from the front lines of privacy compliance. And with that intro out of the way, onward into the blogosphere ....
California has often been a first mover with respect to many forms of privacy and security legislation, and its privacy laws are often more rigorous than those of other states. For example, California was the first state to pass a security breach notification law (S.B. 1386) that was later emulated by many states. Privacy officers of national companies often spend an inordinate amount of time tailoring their operations to California's highest common denominator for privacy compliance.
Earlier this month, California raised the bar yet again when Governor Schwarzenegger signed A.B. 1298, a new law that expands the definition of "personal information" under California's security breach notification law to include medical and health insurance information. Generally, California's law requires that when personal information is acquired by an unauthorized person, the affected individuals must be notified. A.B. 1298 will take effect on January 1, 2008.
Prior to the enactment of A.B. 1298, a health care provider could experience a security breach, such as a theft of a laptop containing medical information, that would not trigger California's notification requirements because the data did not satisfy the definition of "personal information." "Personal information" previously consisted of name, plus Social Security number, driver's license number or account number with password. Don't be surprised if other states follow California's lead by expanding the definition of "personal information" under their security breach notification laws.
In upcoming posts, I will examine some other significant aspects of A.B. 1298, and report on some of the health care privacy topics that were discussed at last week's International Association of Privacy Professionals ("IAPP") Privacy Academy in my hometown of San Francisco.