New laws clamp down access to medical records

By Leila Narvid, JD

Payne & Fears LLP

San Francisco

Patient privacy rights are hardly a new issue, but they became an especially hot topic in 2008, as reports of unauthorized access to the confidential medical records of celebrities brought to light health care security shortfalls at several medical centers and hospitals.

In September 2008, UCLA Medical Center terminated several employees for unauthorized access to confidential medical records of pop star Britney Spears. Earlier that same year, the Palisades Medical Center in New Jersey suspended more than two dozen employees without pay for accessing actor George Clooney's medical records when he was admitted for a motorcycle injury. More recently, health care workers were fired for accessing the records of the California woman who gave birth to octuplets.

These security breaches haven't just caught the attention of the tabloids; government regulators are reacting as well. At the federal level, the American Recovery and Reinvestment Act of 2009 (ARRA) maintains and expands the patient health information privacy and security protections of the Health Insurance Portability and Accountability Act (HIPAA). At the state level, California is leading the way with new laws to protect confidential patient information, and we can expect to see strict enforcement of these laws in 2009.

ARRA's changes to HIPAA

Previously, HIPAA applied only to the use and disclosure of individually identifiable health information (known as "protected health information") by health care providers, health plans, and health care clearinghouses (known collectively as "covered entities"). Vendors providing administrative services to covered entities were not directly subject to HIPAA's privacy and security provisions. Among the most far-reaching provisions of ARRA are those that apply several of HIPAA's security and privacy requirements to business associates. The definition of business associate is expanded to include organizations that provide data transmission of protected health information to covered entities and business associates and that require access on a routine basis to that protected health information (e.g., health information exchange organizations and regional health information organizations).

The ARRA provisions also include data restrictions, disclosure, and reporting requirements. Currently, covered entities may use and disclose only the "minimum necessary" protected health information for their business purposes but have considerable latitude to determine what the minimum necessary information is under the circumstances. Under ARRA, covered entities must first consider whether partially de-identified data, known as a "limited data set," could be used to accomplish their objectives and must limit their uses and disclosures to limited data sets if possible. A limited data set excludes basic identifying information, such as the individual's name, Social Security number, postal addresses, e-mail addresses, telephone numbers, and similar identifiers.

Restrictions for marketing purposes

Another change under ARRA restricts the ability of covered entities to use protected health information for marketing purposes without the individual's authorization. Specifically, communications with an individual about products or services that encourage the individual to purchase or use the product or service will be permitted without the individual's authorization only if the communication is made: a) to describe a product or service provided by or included in the plan of benefits of the covered entity making the communication; b) for treatment purposes; or c) for case management, care coordination, or to recommend alternative therapies, providers, or settings of care. In addition, even these communications will require patient authorization if the covered entity receives direct or indirect payment for making them.

There also is a change to the requirement for reporting security breaches. Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed. Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information. Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the U.S. Department of Health and Human Services and the media also is required.

Covered entities using electronic health records will have to supply individuals with an accounting of disclosures from those records made for treatment, payment, or health care operations purposes during the three years that preceded the request. This requirement will undoubtedly increase administrative burdens for covered entities, which currently are not required to account for such disclosures. This provision is subject to rule making, and the earliest date it will apply is Jan. 1, 2011.

As for enforcement, ARRA empowers state attorneys general to bring actions for injunctive relief or damages on behalf of state residents who have been, or are threatened with being, adversely affected by violations of HIPAA. Previously, HIPAA did not permit individuals to obtain monetary damages for HIPAA violations, and enforcement was handled exclusively at the federal level. The financial penalties for violations of HIPAA also have been increased, and a percentage of the civil penalties collected will be distributed to individuals harmed by the violations.

Most provisions will be effective one year after the date of ARRA's enactment (Feb. 17, 2010). However, the security changes generally will be effective 30 days after appropriate regulations are published. The changes to the enforcement provisions are effective for violations occurring after Feb. 17, 2009.

California takes additional steps

In addition to the federal obligations, many states are strengthening their requirements for the protection of medical data. California, whose legislation other states often follow, recently took action in the aftermath of a series of data breaches affecting many Californians in the last few years. In September 2008, Gov. Arnold Schwarzenegger signed legislation to improve patient privacy laws and address leaks of confidential health information. The laws became effective on Jan. 1, 2009. The bills - Senate Bill 541 ("SB 541") and Assembly Bill 211 ("AB 211") - significantly increase state fines for security and privacy violations involving patient health information, set new breach-disclosure standards, and mandate security controls for preventing unauthorized access to patient data. "Unauthorized access" is defined as the "inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use" as permitted under California law.

SB 541 requires that any patient whose medical information has been improperly disclosed be notified within five days. In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and for imposing administrative fines on entities that fail to comply with the rules. Another important aspect of AB 211 is that it gives a patient an individual right to sue if his or her medical privacy has been breached, a legal mechanism that federal privacy law currently lacks. Specifically, the California law allows patients to sue a health care provider for either actual or nominal damages arising from any negligent disclosure or release of confidential patient information.

These statutes place more pressure on companies in California to comply with HIPAA, whose privacy and security provisions took effect in 2003 and 2005, respectively. In California, individuals who violate SB 541 and AB 211 now face fines and penalties of up to $25,000, for which they are personally responsible. Individuals also face criminal sanctions, as well as disciplinary action by licensing boards, for unauthorized access to or disclosure of medical information. Health care facilities will incur fines for failure to prevent or report unauthorized access to or disclosure of medical information.

Health care providers and health facilities in California should carefully review their existing security procedures to: 1) ensure that access to patient medical information is strictly controlled; 2) verify that they are capable of quickly detecting security breaches and reporting them to state officials; and 3) draft an incident response plan that includes immediate investigation of breaches and a notification plan for affected patients. Because the new legislation creates a state office dedicated solely to enforcement and the assessment of penalties, compliance is more critical than ever. Another foreseeable consequence of the creation of the Office of Health Information Integrity is an increase in investigations referred to professional licensing boards, such as the Medical Board of California, based on actual or potential privacy violations.

ARRA and California's new laws serve as a wake-up call for health care providers, contractors, and vendors who have access to or maintain confidential medical information. The penalty provisions for improperly accessing or disclosing confidential medical information apply to any individual or entity. Thus, many businesses that have avoided penalties because they do not directly provide patient care or services will no longer enjoy such protection under federal and state law.