Alert January 10, 2008

California Expands Its Data Breach Notification Law

The new year has once again ushered in significant changes in the regulation of data security in California. With Governor Schwarzenegger’s signing of Assembly Bill 1298 (“AB 1298”), effective January 1, 2008, state law requirements governing the privacy of confidential computerized information maintained by businesses and state agencies have been expanded to include medical and health information.

In light of recent reports about the growing problem of medical identity theft, this bill expands the definition of “personal information” by adding two new breach-triggering data elements, “medical information” and “health insurance information,” to the law. The provisions apply broadly, are not limited to health care providers, and thus may affect any employer or other entity with computerized employee benefits or other health data. Significantly, the removal of social security numbers from computerized files will not insulate entities from notification obligations in the event of a breach.

In addition to the important changes regarding medical information, this bill also makes clarifying changes to California’s “security freeze law.”

Key Provisions of AB 1298

Expansion of the application of the Confidentiality of Medical Information Act (CMIA). The bill expands the application of the CMIA to include any business organized for the purpose of maintaining medical information in order to make the information available to an individual or a provider of health care for purposes of managing health care information or for treatment or diagnosis, even if the business is not organized for the primary purpose of maintaining medical information for treatment or diagnosis.

Expansion of Data Breach Notification Law to Medical and Health Insurance Information. AB 1298 also expands the definition of “personal information,” as that term is used in California’s data breach notification laws, to include medical and health information. This security breach notification requirement applies to all entities, whether or not they are health care providers under the CMIA. The two new data elements are:

  • Medical Information, defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
  • Health Insurance Information, defined as an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

Clarification to the State’s existing security freeze law. While the most significant components of the new measure apply to medical information, AB 1298 also makes important clarifications to the state’s existing provisions regarding security freezes. Specifically, the new measure clarifies that the state’s existing security freeze law (which permits a person to place a hold or “freeze” on his or her credit report) does not apply to any information in the report that the credit reporting agency lawfully obtained from public records.

Violations

AB 1298 subjects businesses to the civil and criminal penalties prescribed by the Confidentiality of Medical Information Act for improper uses and disclosures of medical information. Under the expanded definition of personal information in the data breach notification law, an entity that fails to notify individuals whose medical or health insurance information has been accessed in an unauthorized manner is exposed to potential civil liability.

Implications

With the changes that went into effect as of January 1, 2008, California becomes one of only a few states to extend security breach notification requirements to medical information. If your company maintains information covered by the new requirements, there are important steps that should be taken as promptly as possible.

  • Conduct an Internal Audit. Identify what types of computerized medical information or health insurance information your company maintains, and consider the business reasons for collecting and maintaining this data. Limiting the collection and retention of protected data helps to reduce the risk and/or magnitude of a potential security breach.
  • Implement Proper Security Measures. Ensure that medical information and health insurance information are protected by the same data security measures applied to other personal information covered by the breach notification laws (such as Social Security numbers and credit card numbers).
  • Consider Encryption. The law, as modified by AB 1298, continues to provide an exemption or safe harbor for encrypted data if all components of personal information are encrypted. Encryption can provide significant protection to information and eliminate any notification obligations.
  • Train All Staff. Technical security measures will only go so far. Administrative and organizational security measures will also play a significant role in the security of information, but these measures will only be effective if employees are adequately trained.
  • Update Breach Response Plan. Ensure that your company’s breach response plan is updated with respect to medical information and health insurance information. If a breach response plan has not been developed or implemented, now is an opportune time to do so.