California Breach Disclosure Law Now Covers Medical Records

By Charlene Brownlee California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298 took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information. AB 1298 amends several existing privacy laws (Civil Code §§ 56.06, 1785.11.2, 1798.29, and 1798.82):

• It applies prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information for treatment or diagnosis.
• It permits a consumer reporting agency, regardless of the existence of a security freeze, to disclose public record information lawfully obtained from an open public record to the extent otherwise permitted by law. This provision stems from a recent court decision which threatens to eliminate the "freeze access" law in California without this change. These provisions do not prohibit the consumer reporting agency from electing to apply a valid security freeze to the entire contents of a credit report.
•  It adds “medical information” and “health insurance” information to the definition of “personal information” that, if acquired by an unauthorized person, would require notification of the security breach.
  •  “Medical Information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
  •  “Health Insurance Information” is defined as “an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.”
•  AB 1298 adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the California breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered.
• It is important to note that these new provisions are not limited to health care providers, but may affect any employer or other entity with computerized employee benefits or other health data.