Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

A.B. 211 requires any provider of health care to “establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information” and to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.”  “Unauthorized access” is defined as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use” as permitted under California law.  A.B. 211 establishes a new state agency, the Office of Health Information Integrity, to enforce the law and impose fines that can range from $1,000 up to a maximum of $250,000 per violation.

S.B. 541 applies to “any clinic, health facility, home health agency, or hospice” and, much like A.B. 211, requires those facilities to “prevent unlawful or unauthorized access to, and use or disclosure of patient’s medical information.”  S.B. 541 also requires those facilities to report any unlawful or unauthorized access to patient medical information to the California Department of Public Health (“CDPH”) within five days after such unlawful or unauthorized access has been detected and empowers the CDPH to levy fines that range from $25,000 up to a maximum of $250,000 per violation.

Because of the new legal obligations and stiff penalties for noncompliance, health care providers and health facilities in California should carefully review their existing security procedures to (1) ensure that access to patient medical information is strictly controlled, and (2) verify that they are capable of quickly detecting and reporting any security breaches to state officials.