California joins 4 states revamping their healthcare data breach reporting requirements


Five states are increasing data breach protections for residents. From new reporting deadlines to shielding businesses from lawsuits brought by affected individuals, here's what cybersecurity leaders need to know:

California issued new regulations July 1, effective immediately, that limit the circumstances in which unauthorized access to medical information has to be reported to the California health department, JD Supra reported. If a fax was misdirected to a different physician's office or if a patient received the wrong discharge instructions, hospitals no longer need to report it. However, if a data breach at a healthcare organization does occur, the organization has 15 days after the breach is detected to report it to the health department.

The new rule will also grant the California health department access to an organization's records, internal assessments and documents if there is a breach. A hospital can be fined up to $25,000 for each patient whose medical information was unlawfully accessed, used or disclosed. It can be fined up to $17,500 per subsequent occurrence. The health department can also penalize a hospital $100 per day if it fails to report the breach to the health department or the patients affected. Hospitals can be fined up to $250,000.

Texas' new law requires the attorney general's office to post data breach notices to a public website within 30 days of receiving notice of the breach. Companies are required to notify the office within 60 days of discovering the breach if 250 or more Texans are involved, The National Law Review reported.

Reporting companies must tell the attorney general whether law enforcement is investigating the breach, and must provide a description of the breach, how many residents have been affected or notified, and how the company has responded to the breach, Business Insurance reported. The breach notification will be taken down if the company doesn't report another breach within one year. The law is effective Sept. 1.

Tennessee's new law focuses on the cybersecurity practices of payers. Insurance consumers will gain protection for their personal, medical and financial information, the Department of Commerce and Insurance reported. Under the new law, payers must develop a cybersecurity program with a designated employee in charge of the program. Payers must identify threats that can result in unauthorized access, misuse or destruction of private information. Any breach must be investigated, and if more than 250 Tennesseans are affected, the insurance commissioner must be notified. The law goes into effect July 1.

The new law allows companies that adopt recognized cybersecurity practices to avoid punitive damages when they are alleged to have failed to implement "reasonable cybersecurity controls," the Review reported. The law contains a list of industry-recognized cybersecurity frameworks that would qualify a business for an affirmative defense. HIPAA-regulated companies can rely on this law if their cybersecurity programs are up to date, the report said.

Companies must notify the attorney general's office of the breach within 60 days. If it will take longer to identify which state a resident is from, a preliminary notice must be submitted within the deadline. Residents may be notified electronically with a notice that encourages them to change their passwords and security questions, and to change the credentials on any other account that uses the same login. HIPAA-regulated companies must notify the attorney general at the same time that residents are notified and must provide 24 months of identity protection services if Social Security numbers were compromised. The law is effective Oct. 1.

Colorado's legislature passed the Colorado Privacy Act June 8. Colorado's governor has until July 8 to sign or veto the bill; otherwise, it will become law without his signature. The new law allows residents to opt out of the sale of their personal data. There will be a 60-day cure period for violations, but it is not set to be enacted until 2025. HIPAA-regulated organizations may be entitled to data-based exemptions. If signed, the law becomes effective July 1, 2023.

Copyright © 2021 Becker's Healthcare. All Rights Reserved.